Hardening the Kubewarden webhooks
The Kubewarden stack uses webhooks to enforce policies in a Kubernetes cluster.
Each PolicyServer instance exposes a webhook that the Kubernetes API server
calls to validate and mutate resources. Moreover, the kubewarden-controller
exposes webhooks to validate and mutate the custom resources provided by the
Kubewarden project.
To decrease their attack surface, you should limit access to these webhooks to the only valid callers they have:
- the Kubernetes API server
- the audit scanner component. You can do this using network policies and authentication independently, or together, to harden the webhooks against attacks.
Block External Traffic Using Network Policiesβ
Webhooks are only expected to accept requests from the Kubernetes API server and the audit scanner component. By default, however, webhooks can accept traffic from any source. If you are using a Container Network Interface (CNI) that supports Network Policies, you can create a policy that blocks traffic that doesn't originate from the API server.
The built-in NetworkPolicy resource in Kubernetes can't block or admit traffic
from the cluster hosts. Also, the kube-apiserver process is always running on
the host network. Therefore, you must use the advanced network policy resources
from the CNI in use. Examples for Calico and Cilium follow. Consult the
documentation for your CNI for more details.
Calicoβ
Use the NetworkPolicy resource in the crd.projectcalico.org/v1 API group, to
define a network policy like this:
apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
name: allow-k8s-and-audit-scanner
namespace: kubewarden # namespace where the kubewarden stack is deployed
spec:
selector: 'app.kubernetes.io/component in {"kubewarden-controller", "policy-server"}'
types:
- Ingress
ingress:
# this allows the Kubernetes API server to reach the kubewarden controller and
# all the policy server instances
- action: Allow
protocol: TCP
source:
nets:
# CIDR of the control plane host. May list more than 1 if the hosts are in different subnets.
- 192.168.42.0/24
destination:
selector: 'app.kubernetes.io/component in {"kubewarden-controller", "policy-server"}'
# this allows all the workloads defined inside of the kubewarden namespace
# (including audit-scanner) to reach the kubewarden controller and all the
# policy server instances
- action: Allow
protocol: TCP
source:
# namespace where the kubewarden stack is deployed
namespaceSelector: 'kubernetes.io/metadata.name == "kubewarden"' # namespace where the kubewarden stack is deployed
destination:
selector: 'app.kubernetes.io/component in {"kubewarden-controller", "policy-server"}'
This network policy uses label selectors introduced in Kubewarden 1.23.0. If you are using an older version, you must update the labels in the policy to match the ones used in your deployment.
More specifically, write the
selector: 'app.kubernetes.io/component in {"kubewarden-controller", "policy-server"}'
selectors as:
selector: 'app.kubernetes.io/name == "kubewarden-controller" || has(kubewarden/policy-server)'
Ciliumβ
Use the CiliumNetworkPolicy resource in the cilium.io/v2 API group to define
a network policy like the following one:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: allow-k8s-and-audit-scanner
namespace: kubewarden # namespace where the kubewarden stack is deployed
spec:
endpointSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- policy-server
- controller
ingress:
# this allows the Kubernetes API server to reach the kubewarden controller and
# all the policy server instances
- fromEntities:
- host
- remote-node
# this allows all the workloads defined inside of the kubewarden namespace
# (including audit-scanner) to reach the kubewarden controller and all the
# policy server instances
- fromEndpoints:
- matchLabels:
# namespace where the kubewarden stack is deployed
k8s:io.kubernetes.pod.namespace: kubewarden
This network policy uses label selectors introduced in Kubewarden 1.23.0. If you are using an older version, you must update the labels in the policy to match the ones used in your deployment.
More specifically, write the
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- policy-server
- controller
expression as:
endpointSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- kubewarden-controller
- key: kubewarden/policy-server
operator: Exists
Require the Kubernetes API Server to authenticate to the webhookβ
Refer to this how-to for a step-by-step guide on configuring the Kubernetes API server of K3s to authenticate to the webhook.
The webhooks exposed by the Kubewarden stack should only accept requests from the Kubernetes API server or from the audit scanner component. By default, these webhooks donβt require clients to authenticate to it. They accept any request.
You can configure the webhooks to require credentials so that only the API server and the audit scanner processes can access them. See the Kubernetes documentation for more information.
-
Configure the API server to present a client certificate to the webhook, pointing to an
AdmissionConfigurationfile to configure theValidatingAdmissionWebhookandMutatingAdmissionWebhookplug-ins:Create a file named
admission.yamlwith the following contents:apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: ValidatingAdmissionWebhook
configuration:
apiVersion: apiserver.config.k8s.io/v1
kind: WebhookAdmissionConfiguration
kubeConfigFile: "/etc/k8s/admission/kubeconfig"
- name: MutatingAdmissionWebhook
configuration:
apiVersion: apiserver.config.k8s.io/v1
kind: WebhookAdmissionConfiguration
kubeConfigFile: "/etc/k8s/admission/kubeconfig"This is the same configuration file used to configure other plug-ins, such as
PodSecurity. If your distribution or setup uses additional admission plug-ins, you should also configure those. -
Create the
kubeconfigfile the admission plug-ins refer to. Kubewarden only supports client certificate authentication, so generate a TLS key pair, and set the kubeconfig to use either client-certificate and client-key or client-certificate-data and client-key-data.For example:
# /etc/k8s/admission/kubeconfig
apiVersion: v1
kind: Config
users:
- name: '*.kubewarden.svc'
user:
client-certificate: /path/to/client/cert
client-key: /path/to/client/key -
Start the
kube-apiserverbinary with the flag--admission-control-config-filepointing to yourAdmissionConfigurationfile. The way to do this varies by distribution, and it isn't supported universally, such as in hosted Kubernetes providers. Consult the documentation for your Kubernetes distribution. -
Make the certificate of the root CA that issued the API server client certificate available to the Kubewarden stack.
Put its content into a
ConfigMapunder thekubewardennamespace using a key namedclient-ca.crt.Assuming the root CA is available at
/etc/k8s/admission/certs/rootCA.crt, create theConfigMapwith the following command:kubectl create configmap -n kubewarden api-server-mtls \
--from-file=client-ca.crt=/etc/k8s/admission/certs/rootCA.crt -
Finally, when installing the
kubewarden-controllerHelm chart, make sure to enable the following values:- Set
mTLS.enabletotrue. - Set
mTLS.configMapNameto the name of theConfigMappreviously created.
The
ConfigMapname isapi-server-mtls, so the Helm command to install thekubewarden-controlleris:helm install --wait -n kubewarden kubewarden-controller kubewarden/kubewarden-controller \
--set mTLS.enable=true \
--set mTLS.configMapName=api-server-mtlsThe Kubewarden controller creates a client certificate for use by the audit scanner component. The certificate is automatically rotated, by the controller, when needed.
- Set