Enforce Validation Policy to restrict caBundle modifications in CRDs to cert-manager only

What does this MR do and why?

This MR was raised to address the issue described under #1597 (closed). It adds a new Kubernetes ValidatingAdmissionPolicy and a binding that restricts modifications to the caBundle field in CustomResourceDefinitions (CRDs) so that only cert-manager may change it, while blocking attempts from any other identity. The policy specifically targets CRDs that carry the cert-manager.io/inject-ca-from annotation and contain a webhook conversion configuration with caBundle data. When such a CRD undergoes an UPDATE operation in which the caBundle is added or modified, the policy verifies that the request comes from the cert-manager cainjector service account (system:serviceaccount:cert-manager:cert-manager-cainjector). If any other user or service account attempts to modify the caBundle, the request is denied. The policy uses a CEL expression to check for the presence of the metadata annotation, the webhook conversion configuration and the caBundle value, comparing the new object with the old object to detect changes.

The ValidatingAdmissionPolicyBinding activates this policy with the Deny validation action and applies it globally across the cluster through empty namespace and object selectors.

Related reference(s)

Closes #1597 (closed)

Test coverage

This was tested by trying to manually patch the caBundle as different service accounts. Service accounts that are not related to cert-manager were blocked from setting the field.


Edited by Dragos Gerea
