Authenticate API Server for Gatekeeper webhook
Describe the solution you'd like: Allow the Gatekeeper webhook to validate client certs in the request to ensure the request is coming from the API server.
Anything else you would like to add:
To accomplish this:
- Currently, enabling API server authentication requires modifying cluster resources, which may not be possible in a managed K8s cluster: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#authenticate-apiservers
- Alternatively, this proposed KEP could ensure the outgoing request is signed, which would make this experience work for all clusters: https://github.com/kubernetes/enhancements/pull/2512
- In Gatekeeper, via controller-runtime, we would need to allow validation of the client cert: https://github.com/kubernetes-sigs/controller-runtime/issues/873
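The mechanism behind the first and third bullets, shown as an added example rather than Gatekeeper's or controller-runtime's own code: the API server is handed a client certificate through the admission configuration's kubeConfigFile, and the webhook proves that a caller is the API server by requiring a client certificate on every TLS connection and accepting only chains that end in the CA that issued that certificate. The Go program below uses only the standard library (no controller-runtime), builds a throwaway PKI in memory, starts a webhook with that TLS policy, and probes it three ways: with a certificate issued by the trusted CA (admitted), with no client certificate (handshake rejected) and with a self-signed certificate the CA never issued (also rejected). The names apiserver-client-ca, kube-apiserver, gatekeeper-webhook and rogue-caller, and the functions issue, webhookTLSConfig, probe and Demo, are all constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a one-hour P-256 certificate for cn: self-signed when parent is nil,
// otherwise signed by parent. The demo PKI lives only in memory, so errors are fatal.
func issue(cn string, serial int64, ku x509.KeyUsage, use []x509.ExtKeyUsage, ips []net.IP, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, ExtKeyUsage: use, IPAddresses: ips,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
	}
	issuer, signer := tmpl, any(key)
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// webhookTLSConfig is the webhook side of the check: present the serving cert, require a
// client cert on every connection, and accept only chains ending in apiCA (the CA behind
// the client cert the API server is configured to send).
func webhookTLSConfig(serving tls.Certificate, apiCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(apiCA)
	return &tls.Config{
		Certificates: []tls.Certificate{serving},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
}

// probe sends one request to the webhook, trusting its self-signed serving
// cert; client == nil models a caller that presents no certificate at all.
func probe(url string, serving *x509.Certificate, client *tls.Certificate) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(serving)
	cfg := &tls.Config{RootCAs: roots}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo starts a webhook that authenticates its callers and probes it as the
// API server, as an anonymous caller and as a caller with a rogue certificate.
func Demo() (apiStatus int, apiErr, noCertErr, rogueErr error) {
	sign, clientUse := x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	apiCA := issue("apiserver-client-ca", 1, x509.KeyUsageCertSign, nil, nil, nil)
	apiserver := issue("kube-apiserver", 2, sign, clientUse, nil, &apiCA)
	rogue := issue("rogue-caller", 3, sign, clientUse, nil, nil) // self-signed: does not chain to apiCA
	serving := issue("gatekeeper-webhook", 4, sign, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []net.IP{net.IPv4(127, 0, 0, 1)}, nil)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// TLS has already verified the chain, so the handler can trust the peer identity.
		fmt.Fprintf(w, "admission request from %s\n", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = webhookTLSConfig(serving, apiCA.Leaf)
	srv.StartTLS()
	defer srv.Close()
	apiStatus, apiErr = probe(srv.URL, serving.Leaf, &apiserver)
	_, noCertErr = probe(srv.URL, serving.Leaf, nil)
	_, rogueErr = probe(srv.URL, serving.Leaf, &rogue)
	return
}

func main() {
	status, apiErr, noCert, rogue := Demo()
	fmt.Printf("API server cert: HTTP %d (%v)\nno client cert:  %v\nrogue cert:      %v\n", status, apiErr, noCert, rogue)
}
```

In a real deployment the equivalent of webhookTLSConfig has to reach the controller-runtime webhook server's tls.Config, which is the gap the linked controller-runtime issue describes, and the ClientCAs pool would be loaded from the CA that signed the client certificate named in the API server's admission kubeConfigFile. A production handler would normally go one step further than this demo and also check the subject of r.TLS.PeerCertificates[0], so that any certificate the CA happens to have issued is not automatically treated as the API server.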
Evaluate https://github.com/kubernetes-sigs/controller-runtime/pull/802 and add a document for what it will take to allow users to configure this for external beta release.
@JaydipGabani is looking into this
This issue has been addressed by #2359.
NOTE: Currently there is no way to enable an authenticated API server automatically for managed k8s.