Leverage Authorizer instead of Admission webhook to enforce etcd cluster resource protection #1001
Labels
area/control-plane
Control plane related
kind/enhancement
Enhancement, improvement, extension
kind/technical-debt
Something that is only solved on the surface, but requires more (re)work to be done properly
Comments
gardener-robot
added
area/control-plane
unmarshall
added
the
kind/technical-debt
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How to categorize this issue?
/area control-plane
/kind enhancement
/kind technical-debt
/kind task
What would you like to be added:
Currently etcd-druid provides protection against accidental or malicious attempts to update/delete etcd-cluster resources that are provisioned by etcd-druid for every
Etcdcustom resource. More details about it can be found here.The initial implementation choice was to use
Admission Webhook, more precisely validating webhook. While this serves the current purpose, it is not really a good fit semantically. Validating webhooks are usually meant to validate resources. In this webhook no validation ofEtcdresource is done, instead it reacts on what kind ofverbis invoked on a managed resource (by etcd-druid) and if that is authorized for that user.This fits perfectly to an Authorizer.
Additional information: https://kubernetes.io/docs/reference/access-authn-authz/authorization/
Authorizers are called after
Authenticationand before invoking theAdmission webhooks(ref: https://kubernetes.io/docs/concepts/security/controlling-access/)We should change from using a validating admission webhook to an authorizer.
The text was updated successfully, but these errors were encountered: