Updated to OpenShift 4.x

Author: soukron

README.md

@@ -13,6 +13,7 @@ There are two types of Admission Webhook objects you can configure:
 - _Validating Admission Webhooks_ allow for the use of validating webhooks to enforce custom admission policies.
 
 ## Enabling Admission Webhooks
+### OpenShift 3.x
 In order to use these _Mutating Admission Webhooks_ and _Validating Admission Webhooks_ they must be activated in OpenShift master services.
 
 Make sure that `/etc/origin/master/master-config.yaml` has this two plugins enabled in `admissionConfig.pluginConfig` section, and restart master services:
@@ -29,6 +30,9 @@ Make sure that `/etc/origin/master/master-config.yaml` has this two plugins enab
         kind: DefaultAdmissionConfig
 ~~~
 
+### OpenShift 4.x
+No need to perform any change, the _Admission Webhooks_ are enabled by default.
+
 ## List of Webhooks Servers
 This is the list of the Webhook Servers included in the repository:
 - __[denynewpods](./denynewpods/README.md)__. This webhook is an example of a _Validating Admission Webhook_ and will prevent to run any kind of pod in a namespace labeled with the label `denynewpods.admission.online.openshift.io` to a value `enabled`.
@@ -39,7 +43,7 @@ All Webhook Servers in this repository:
 - are built using OpenShift build methods.
 - listen in port 8443 for HTTPS (POST) requests.
 - use the Service Signer CA to get a secret with a certificate and a key. You should be able to overwrite the content of the secret after its creation if you want to use your own CA and certificates.
-- are referred using their service DNS name. Other methods can be used like integrating the service in OpenShift API, using a service and namespace reference or even a secured route.
+- are referred using their service name and namespace reference. Other methods can be used like integrating the service in OpenShift API, using a service DNS name (for externally hosted webhooks) or even a secured route.
 
 Refer to each Webhook Server's README file to get more details about it.
 

denynewpods/README.md

@@ -22,7 +22,8 @@ $ curl -k -X POST https://denynewpods.webhooks.svc
 ### Creating the Webhook Server
 ~~~
 $ oc new-project webhooks
-$ oc process -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/denynewpods/templates/deployment.yaml \
+$ oc process -p WEBHOOK_NAMESPACE=webhooks \
+     -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/denynewpods/templates/deployment.yaml \
   | oc apply -f -
 $ oc start-build bc/denynewpods
 ~~~
@@ -32,6 +33,7 @@ $ oc start-build bc/denynewpods
 The Admission Webhook will trigger the Webhook Server when a new pod is created in a namespace labeled with the label `denynewpods.admission.online.openshift.io` to a value `enabled`.
 
 ### Creating the Admission Webhook
+#### OpenShift 3.x
 ~~~
 $ export WEBHOOK_CA_BUNDLE=$( sudo cat /etc/origin/master/service-signer.crt | base64 -w0 )
 $ oc process -p WEBHOOK_NAMESPACE=webhooks \
@@ -40,6 +42,15 @@ $ oc process -p WEBHOOK_NAMESPACE=webhooks \
   | oc apply -f -
 ~~~
 
+#### OpenShift 4.x
+~~~
+$ export WEBHOOK_CA_BUNDLE=$( oc get configmap -n openshift-network-operator openshift-service-ca -o jsonpath='{.data.service-ca\.crt}' | base64 -w0 )
+$ oc process -p WEBHOOK_NAMESPACE=webhooks \
+     -p WEBHOOK_CA_BUNDLE=${WEBHOOK_CA_BUNDLE} \
+     -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/denynewpods/templates/webhookconfiguration.yaml \
+  | oc apply -f -
+~~~
+
 ## Customization
 ### Use your own certificates
 After the Webhook Server is deployed and it's running, if you don't want to use the Service Signer CA certificates, replace the secret with your own cert/key pair and re-deploy the Webhook Server:
@@ -64,26 +75,26 @@ $ oc process -p WEBHOOK_NAMESPACE=webhooks \
 After the Webhook Server is deployed and the Admission Webhook has been created, try to create a new project and run a pod on it:
 ~~~
 $ oc new-project test-webhooks
-$ oc run sleep --image=alpine --command -- sleep 3600
+$ oc run sleep-1 --image=alpine --command -- sleep 3600
 ~~~
 This first pod will run successfully as the namespace is not yet labeled. 
 
-Add the label to the namespace and try to increase the number of replicas:
+Add the label to the namespace and try to run another pod:
 ~~~
 $ oc label namespace test-webhooks denynewpods.admission.online.openshift.io=enabled
-$ oc scale dc/sleep --replicas=5
+$ oc run sleep-2 --image=alpine --command -- sleep 3600
 ~~~
 
-No new pods will be scheduled and a log will appear in the events:
+No new pods will be scheduled and an error will be returned:
 ~~~
-$ oc get events | grep admission
-5m          5m           1         sleep-1.157e7b51cdc8c0fc          ReplicationController                                 Warning   FailedCreate                  replication-controller                    Error creating: admission webhook "denynewpods.admission.online.openshift.io" denied the request: New pods denied.
+$ oc run sleep-2 --image=alpine --command -- sleep 3600
+Error from server (No new pods allowed in this project): admission webhook "denynewpods.admission.online.openshift.io" denied the request: New pods denied
 ~~~
 
 Remove the label to the namespace and this time the replicas will run:
 ~~~
 $ oc label namespace test-webhooks denynewpods.admission.online.openshift.io-
-$ oc scale dc/sleep --replicas=5
+$ oc run sleep-2 --image=alpine --command -- sleep 3600
 ~~~
 
 ## Cleanup

denynewpods/templates/deployment.yaml

@@ -4,15 +4,19 @@ metadata: {}
 parameters:
 - name: WEBHOOK_NAME
   required: true
-  description: Name of the webhook to deploy (defaults to denynewpods)
+  description: Name of the webhook (defaults to denynewpods).
   value: denynewpods
+- name: WEBHOOK_NAMESPACE
+  required: true
+  description: Name of the project where the webhook is being deployed.
 objects:
 - apiVersion: v1
   kind: BuildConfig
   metadata:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     output:
       to:
@@ -37,6 +41,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     lookupPolicy:
       local: false
@@ -55,6 +60,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     ports:
     - name: 443-tcp
@@ -71,6 +77,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     replicas: 1
     selector:

denynewpods/templates/webhookconfiguration.yaml

@@ -11,7 +11,7 @@ parameters:
   description: Name of the project where the webhook is being deployed.
 - name: WEBHOOK_CA_BUNDLE
   required: true
-  description: Content of /etc/origin/master/service-signer.crt base64 encoded or the CA which signed the certificate used in the webhook.
+  description: Base64 encoded CA which signed the certificate used in the webhook.
 objects:
 - apiVersion: admissionregistration.k8s.io/v1beta1
   kind: ValidatingWebhookConfiguration
@@ -32,8 +32,9 @@ objects:
       - pods
     failurePolicy: Fail
     clientConfig:
-      url: https://${WEBHOOK_NAME}.${WEBHOOK_NAMESPACE}.svc
-      path: /
+      service:
+        name: ${WEBHOOK_NAME}
+        namespace: ${WEBHOOK_NAMESPACE}
       caBundle: ${WEBHOOK_CA_BUNDLE}
     namespaceSelector:
       matchLabels:

enforceenv/README.md

@@ -11,7 +11,8 @@ The Webhook Server will:
 ### Creating the Webhook Server
 ~~~
 $ oc new-project webhooks
-$ oc process -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/enforceenv/templates/deployment.yaml \
+$ oc process -p WEBHOOK_NAMESPACE=webhooks \
+     -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/enforceenv/templates/deployment.yaml \
   | oc apply -f -
 $ oc start-build bc/enforceenv
 ~~~
@@ -21,6 +22,7 @@ $ oc start-build bc/enforceenv
 The Admission Webhook will trigger the Webhook Server when a new pod is created in a namespace labeled with the label `enforceenv.admission.online.openshift.io` is set.
 
 ### Creating the Admission Webhook
+#### OpenShift 3.x
 ~~~
 $ export WEBHOOK_CA_BUNDLE=$( sudo cat /etc/origin/master/service-signer.crt | base64 -w0 )
 $ oc process -p WEBHOOK_NAMESPACE=webhooks \
@@ -29,6 +31,15 @@ $ oc process -p WEBHOOK_NAMESPACE=webhooks \
   | oc apply -f -
 ~~~
 
+#### OpenShift 4.x
+~~~
+$ export WEBHOOK_CA_BUNDLE=$( oc get configmap -n openshift-network-operator openshift-service-ca -o jsonpath='{.data.service-ca\.crt}' | base64 -w0 )
+$ oc process -p WEBHOOK_NAMESPACE=webhooks \
+     -p WEBHOOK_CA_BUNDLE=${WEBHOOK_CA_BUNDLE} \
+     -f https://raw.githubusercontent.com/soukron/openshift-admission-webhooks/master/enforceenv/templates/webhookconfiguration.yaml \
+  | oc apply -f -
+~~~
+
 ## Customization
 ### Use your own certificates
 After the Webhook Server is deployed and it's running, if you don't want to use the Service Signer CA certificates, replace the secret with your own cert/key pair and re-deploy the Webhook Server:

enforceenv/templates/deployment.yaml

@@ -4,15 +4,19 @@ metadata: {}
 parameters:
 - name: WEBHOOK_NAME
   required: true
-  description: Name of the webhook to deploy (default value is enforceenv)
+  description: Name of the webhook (defaults to enforceenv).
   value: enforceenv
+- name: WEBHOOK_NAMESPACE
+  required: true
+  description: Name of the project where the webhook is being deployed.
 objects:
 - apiVersion: v1
   kind: BuildConfig
   metadata:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     output:
       to:
@@ -37,6 +41,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     lookupPolicy:
       local: false
@@ -55,6 +60,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     ports:
     - name: 443-tcp
@@ -71,6 +77,7 @@ objects:
     labels:
       webhook: ${WEBHOOK_NAME}
     name: ${WEBHOOK_NAME}
+    namespace: ${WEBHOOK_NAMESPACE}
   spec:
     replicas: 1
     selector:

enforceenv/templates/webhookconfiguration.yaml

@@ -11,7 +11,7 @@ parameters:
   description: Name of the project where the webhook is being deployed.
 - name: WEBHOOK_CA_BUNDLE
   required: true
-  description: Content of /etc/origin/master/service-signer.crt base64 encoded or the CA which signed the certificate used in the webhook.
+  description: Base64 encoded CA which signed the certificate used in the webhook.
 objects:
 - apiVersion: admissionregistration.k8s.io/v1beta1
   kind: MutatingWebhookConfiguration
@@ -31,6 +31,7 @@ objects:
       resources:
       - pods
     clientConfig:
-      url: https://${WEBHOOK_NAME}.${WEBHOOK_NAMESPACE}.svc
-      path: /
+      service:
+        name: ${WEBHOOK_NAME}
+        namespace: ${WEBHOOK_NAMESPACE}
       caBundle: ${WEBHOOK_CA_BUNDLE}