Comments (11)
My advice is to treat kube-system as the property of AKS and not to attempt to create or change any resources in that namespace.
But it looks like you can disable the "Admissions Enforcer" if you choose:
@HSoulat Have you read the RBAC part in the docs: https://cert-manager.io/docs/policy/approval/approver-policy/#configuration?
Are you able to share some details of your CertificateRequest, Issuer (or ClusterIssuer) and CertificateRequestPolicy?
@erikgb, sure, I may have missed something regarding the RBAC configuration.
Issuer,
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: xxx-issuer
spec:
  ca:
    secretName: ca-xxx-key-pair
```
Policy,
```yaml
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: xxx-policy
spec:
  allowed:
    ...
    isCA: false
    usages:
      - "server auth"
      - "client auth"
      - "key encipherment"
      - "digital signature"
    subject:
      ...
  constraints:
    ...
  selector:
    # Select all IssuerRef
    issuerRef: {}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:xxx
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    # Name of the CertificateRequestPolicies to be used.
    resourceNames: ["xxx-policy"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy:xxx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy:xxx
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: cert-manager
    namespace: cert-manager
```
Certificate,
```yaml
apiVersion: cert-manager.io/v1
kind: CertificateRequest
metadata:
  annotations:
    cert-manager.io/certificate-name: xxx-tls
    cert-manager.io/certificate-revision: "1"
    cert-manager.io/private-key-secret-name: xxx-tls-w4cdm
  creationTimestamp: "2023-11-07T13:16:09Z"
  generateName: xxx-tls-
  generation: 1
  name: xxx-tls-rwn9m
  namespace: kube-system
  ownerReferences:
    - apiVersion: cert-manager.io/v1
      blockOwnerDeletion: true
      controller: true
      kind: Certificate
      name: xxx-tls
      uid: ed749d1a-54cb-480e-a449-36bdfff232e1
  resourceVersion: "23930574"
  uid: c8808450-44f6-4655-a4db-1923bd0cac91
spec:
  duration: 2760h0m0s
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: xxx-issuer
  request:
    ...
  usages:
    - digital signature
    - key encipherment
```
I have also tested the same configuration with a self-signed issuer and I got the same behavior. The certificate requests in any namespace are approved, except in kube-system.
Definitely looks like there's something strange going on here!
That SubjectAccessReview (SAR) is created here. It uses the username from the certificaterequest.spec, but it doesn't look like there's a username in your CertificateRequest there.
Usually that should be set by the mutating webhook in cert-manager in the normal case and then checked by the cert-manager validating webhook. Are they working as expected for kube-system?
Building on what @SgtCoDFish said; perhaps the platform admin has modified the MutatingWebhookConfiguration to avoid it being called for kube-system objects:
Check for differences between the actual mutatingwebhook configuration (`kubectl get mutatingwebhookconfiguration cert-manager-webhook -o yaml`) and the original cert-manager mutatingwebhookconfiguration.
What version of K8s? Which vendor? (GKE?)
Do you have access to API server logs? (For GKE, these have been quite illuminating)
@wallrj you're right, the AKS platform is adding the following namespaceSelector on the MutatingWebhookConfiguration as well as on the ValidatingWebhookConfiguration.
```yaml
namespaceSelector:
  matchExpressions:
    - key: kubernetes.azure.com/managedby
      operator: NotIn
      values:
        - aks
    - key: control-plane
      operator: NotIn
      values:
        - 'true'
```
The kube-system namespace has both labels.
What is strange to me is that if I use the default approver in cert-manager the validation process is working.
> What is strange to me is that if I use the default approver in cert-manager the validation process is working.

That's because the default approver in cert-manager always approves CertificateRequests. It ignores the empty identity fields in those kube-system CertificateRequest resources.

> In a default installation, cert-manager automatically approves all CertificateRequests and CertificateSigningRequests that use any of its built-in issuers. This is done to simplify the first-time experience of using cert-manager.
>
> -- https://cert-manager.io/docs/policy/approval/
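The two mechanisms this thread converges on, as an added example (my own code, not approver-policy's or cert-manager's): evaluating a webhook namespaceSelector against namespace labels, which is why the AKS-injected NotIn expressions make the cert-manager webhooks skip kube-system, and the consequence for approver-policy, which needs spec.username (populated by the mutating webhook) to build the SubjectAccessReview that asks whether the requester may "use" the CertificateRequestPolicy. The selector and the empty CertificateRequest are taken from the thread; the labels of the `myapp` namespace, the identity values in `APP_CR`, and the exact SAR field layout are my assumptions (the verb/resource pair follows the RBAC requirement in the approver-policy docs linked above). The selector matcher implements the general In/NotIn/Exists/DoesNotExist semantics, not just the two NotIn expressions shown.

```python
# Added illustration, not approver-policy's or cert-manager's own code. All inputs
# are constructed samples modelled on the thread. It shows (1) how the AKS-injected
# namespaceSelector (NotIn on kubernetes.azure.com/managedby and control-plane)
# stops cert-manager's webhooks being called for kube-system, and (2) why that
# matters to approver-policy: with spec.username never set, there is no subject
# for the SubjectAccessReview that asks whether the requester may "use" the
# CertificateRequestPolicy, so no policy can approve the request.


def label_requirement_matches(labels, req):
    """Evaluate one Kubernetes matchExpressions requirement against labels."""
    key, op = req["key"], req["operator"]
    values = set(req.get("values", []))
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        return (not present) or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op!r}")


def namespace_selector_matches(selector, labels):
    """True if a webhook with this namespaceSelector is invoked for objects in a
    namespace carrying `labels`. An empty selector matches every namespace."""
    if not selector:
        return True
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    return all(label_requirement_matches(labels, r) for r in selector.get("matchExpressions", []))


# Selector reported in the thread as added by AKS to both webhook configurations.
AKS_WEBHOOK_SELECTOR = {"matchExpressions": [
    {"key": "kubernetes.azure.com/managedby", "operator": "NotIn", "values": ["aks"]},
    {"key": "control-plane", "operator": "NotIn", "values": ["true"]},
]}
# Constructed labels: kube-system as described, and an ordinary application namespace.
KUBE_SYSTEM_LABELS = {"kubernetes.azure.com/managedby": "aks", "control-plane": "true"}
APP_NAMESPACE_LABELS = {"kubernetes.io/metadata.name": "myapp"}

IDENTITY_FIELDS = ("username", "uid", "groups")


def missing_identity_fields(cr):
    """Identity fields the mutating webhook should have populated but did not."""
    spec = cr.get("spec", {})
    return [f for f in IDENTITY_FIELDS if not spec.get(f)]


def build_policy_sar(cr, policy_name):
    """SubjectAccessReview asking whether the CertificateRequest's requester has
    'use' on the named CertificateRequestPolicy; None if there is no requester."""
    if "username" in missing_identity_fields(cr):
        return None
    spec = cr["spec"]
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": spec["username"],
            "uid": spec.get("uid", ""),
            "groups": spec.get("groups", []),
            "resourceAttributes": {"group": "policy.cert-manager.io",
                                   "resource": "certificaterequestpolicies",
                                   "verb": "use", "name": policy_name},
        },
    }


# Constructed CertificateRequest modelled on the kube-system one in the thread:
# no username/uid/groups in spec because the mutating webhook was skipped.
KUBE_SYSTEM_CR = {
    "apiVersion": "cert-manager.io/v1", "kind": "CertificateRequest",
    "metadata": {"name": "xxx-tls-rwn9m", "namespace": "kube-system"},
    "spec": {"issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "xxx-issuer"},
             "usages": ["digital signature", "key encipherment"]},
}
# The same request as the webhook would leave it in a normal namespace (constructed identity).
APP_CR = {
    **KUBE_SYSTEM_CR,
    "metadata": {"name": "xxx-tls-abcde", "namespace": "myapp"},
    "spec": {**KUBE_SYSTEM_CR["spec"],
             "username": "system:serviceaccount:cert-manager:cert-manager",
             "uid": "00000000-0000-0000-0000-000000000001",
             "groups": ["system:serviceaccounts", "system:authenticated"]},
}

if __name__ == "__main__":
    for ns, labels in (("kube-system", KUBE_SYSTEM_LABELS), ("myapp", APP_NAMESPACE_LABELS)):
        print(f"webhook invoked for {ns}:", namespace_selector_matches(AKS_WEBHOOK_SELECTOR, labels))
    print("kube-system CR missing:", missing_identity_fields(KUBE_SYSTEM_CR))
    print("SAR for myapp CR:", build_policy_sar(APP_CR, "xxx-policy"))
```

Running it prints that the webhook is invoked for `myapp` but not for kube-system, that the kube-system request is missing all three identity fields, and the SAR that approver-policy could only build for the `myapp` request. The same matcher can be pointed at the labels of any namespace (`kubectl get ns <name> --show-labels`) and the selector from a live webhook configuration to predict where cert-manager's mutation will silently be skipped.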
Thanks for your help in understanding the root cause. So using a custom approver on AKS does not permit generating CertificateRequests in kube-system, or is an option available to allow a built-in/empty user?
@HSoulat feel free to re-open this issue if necessary.
/close
@wallrj: Closing this issue.
In response to this:
> @HSoulat feel free to re-open this issue if necessary.
> /close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.