Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not risk exposing unauthenticated webhook port on container #4691

Merged
merged 2 commits into from
Sep 10, 2024
Merged

Do not risk exposing unauthenticated webhook port on container #4691

merged 2 commits into from
Sep 10, 2024

Conversation

kimsondrup
Copy link
Contributor

Description

The current doc for the webhook provider expect the k8s probe to call localhost but the normal Kubernetes behavior is to call the pods IP so the current doc doesn't work.

Some implementers work around this by expecting users to override the livenessProbe and readinessProbe (see example external-dns-ionos-webhook) but this might as well be upstreamed

Checklist

  • Unit tests updated
  • End user documentation updated

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 19, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @kimsondrup. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 19, 2024
@mloiseleur
Copy link
Contributor

/ok-to-test
/assign @stevehipwell
Apart my little suggestion, it looks good.

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 28, 2024
@mloiseleur
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2024
stevehipwell
stevehipwell suggested changes Aug 29, 2024
View reviewed changes
Copy link
Contributor

@stevehipwell stevehipwell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to the inline question, shouldn't the webhook be providing both a /livez and a /readyz endpoint instead of a /healthz endpoint to follow the K98s idiomatic pattern?

@mloiseleur there seems to be a large number of webhook changes coming in to the Helm chart, I thought this had all been heavily tested outside of the chart before the PR to add it? I was also under the impression that it had been tested locally before it was added?

charts/external-dns/templates/deployment.yaml Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 29, 2024
@stevehipwell stevehipwell mentioned this pull request Sep 6, 2024
Closed
@kashalls
Copy link

kashalls commented Sep 8, 2024
edited
Loading

In addition to the inline question, shouldn't the webhook be providing both a /livez and a /readyz endpoint instead of a /healthz endpoint to follow the K98s idiomatic pattern?

I don't think it matters much at the current moment as the base external-dns serves only a /healthz probe. You might want to create an additional PR to bring us within this pattern @stevehipwell .

It also wouldn't cause much of a problem to add these probes as it is a simple addition. I already have it implemented on the external-dns-unifi-webhook, but at a quick glance a couple webhook providers are only supplying the /healthz probe.

@kimsondrup
Copy link
Contributor Author

In addition to the inline question, shouldn't the webhook be providing both a /livez and a /readyz endpoint instead of a /healthz endpoint to follow the K98s idiomatic pattern?

Since External DNS webhook only receive traffic from metrics scraping on the pod IP and its webhook API on localhost an separate endpoints for readiness probe will not add much value if any at all.
The External DNS process will call localhost:8888 without regard for the readiness probe and I am not even sure if metrics scraping even respects the readiness probe.

As @kashalls said, I think this should be in another PR.

@stevehipwell
Copy link
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 10, 2024
@stevehipwell
Copy link
Contributor

@mloiseleur could you please approve this?

@Raffo
Copy link
Contributor

Raffo commented Sep 10, 2024

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Raffo, stevehipwell

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 10, 2024
@k8s-ci-robot k8s-ci-robot merged commit a087c87 into kubernetes-sigs:master Sep 10, 2024
14 checks passed
@craigcabrey
Copy link

I don't know if it was intentional or not, but this does break existing setups utilizing the webhook provider (since the port name changed).

@craigcabrey craigcabrey mentioned this pull request Sep 11, 2024
Closed
2 tasks
@kashalls
Copy link

I don't know if it was intentional or not, but this does break existing setups utilizing the webhook provider (since the port name changed).

Anything under major version v1.0.0 is considered an always breaking version.

@craigcabrey
Copy link

Not to be pedantic, but the chart version is 1.15.0.

@kashalls
Copy link

Not to be pedantic, but the chart version is 1.15.0.

My bad, I saw the release was v0.15.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevehipwell stevehipwell stevehipwell requested changes

@mloiseleur mloiseleur mloiseleur left review comments

@szuecs szuecs Awaiting requested review from szuecs

Assignees

@stevehipwell stevehipwell

@mloiseleur mloiseleur

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@kimsondrup @k8s-ci-robot @mloiseleur @kashalls @stevehipwell @Raffo @craigcabrey