webhook

package
v0.0.0-...-80c8bc4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 17, 2025 License: Apache-2.0 Imports: 38 Imported by: 219

README

Knative Webhooks

Knative provides infrastructure for authoring webhooks under knative.dev/pkg/webhook and has a few built-in helpers for certain common admission control scenarios. The built-in admission controllers are:

  1. Resource validation and defaulting (builds around apis.Validatable and apis.Defaultable under knative.dev/pkg/apis).
  2. ConfigMap validation, which builds around similar patterns from knative.dev/pkg/configmap (in particular the store concept)

To illustrate standing up the webhook, let's start with one of these built-in admission controllers and then talk about how you can write your own admission controller.

Standing up a Webhook from an Admission Controller

We provide facilities in knative.dev/pkg/injection/sharedmain to try and eliminate much of the boilerplate involved in standing up a webhook. For this example we will show how to stand up the webhook using the built-in admission controller for validating and defaulting resources.

The code to stand up such a webhook looks roughly like this:

// Create a function matching this signature to pass into sharedmain.
func NewResourceAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
	return validation.NewAdmissionController(ctx,
		// Name of the resource webhook (created via yaml)
		fmt.Sprintf("resources.webhook.%s.knative.dev", system.Namespace()),

		// The path on which to serve the webhook.
		"/resource-validation",

		// The resources to validate and default.
		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
			// List the types to validate, this from knative.dev/sample-controller
			v1alpha1.SchemeGroupVersion.WithKind("AddressableService"): &v1alpha1.AddressableService{},
		},

		// A function that infuses the context passed to Validate/SetDefaults with custom metadata.
		func(ctx context.Context) context.Context {
			// Here is where you would infuse the context with state
			// (e.g. attach a store with configmap data, like knative.dev/serving attaches config-defaults)
			return ctx
		},

		// Whether to disallow unknown fields when parsing the resources' JSON.
		true,
	)
}

func main() {
	// Set up a signal context with our webhook options.
	ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
		// The name of the Kubernetes service selecting over this deployment's pods.
		ServiceName: "webhook",

		// The port on which to serve.
		Port:        8443,

		// The name of the secret containing certificate data.
		SecretName:  "webhook-certs",
	})

	sharedmain.MainWithContext(ctx, "webhook",
		// The certificate controller will ensure that the named secret (above) has
		// the appropriate shape for our webhook's admission controllers.
		certificates.NewController,

		// This invokes the method defined above to instantiate the resource admission
		// controller.
		NewResourceAdmissionController,
	)
}

There is also a config map validation admission controller built in under knative.dev/pkg/webhook/configmaps.

TLS Configuration

The webhook server supports configuring TLS parameters through the webhook.Options struct. This allows you to control the TLS version, cipher suites, and elliptic curve preferences for enhanced security.

Available TLS Options

type Options struct {
    // ... other fields ...

    // TLSMinVersion contains the minimum TLS version that is acceptable.
    // Default is TLS 1.3 if not specified.
    // Supported values: tls.VersionTLS12, tls.VersionTLS13
    TLSMinVersion uint16

    // TLSMaxVersion contains the maximum TLS version that is acceptable.
    // If not set (0), the maximum version supported by the implementation will be used.
    // Useful for enforcing Modern profile (TLS 1.3 only) by setting both
    // TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
    TLSMaxVersion uint16

    // TLSCipherSuites specifies the list of enabled cipher suites.
    // If empty, a default list of secure cipher suites will be used.
    // Note: Cipher suites are not configurable in TLS 1.3; they are
    // determined by the implementation.
    TLSCipherSuites []uint16

    // TLSCurvePreferences specifies the elliptic curves that will be used
    // in an ECDHE handshake. If empty, the default curves will be used.
    TLSCurvePreferences []tls.CurveID
}

Environment Variable Configuration

You can also configure the minimum TLS version via the WEBHOOK_TLS_MIN_VERSION environment variable:

env:
  - name: WEBHOOK_TLS_MIN_VERSION
    value: "1.3"  # or "1.2"

Usage Examples

By default, the webhook uses TLS 1.3 as the minimum version with secure defaults:

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName: "webhook",
    Port:        8443,
    SecretName:  "webhook-certs",
    // TLS defaults: MinVersion=1.3, secure cipher suites and curves
})
Example 2: Modern Profile (TLS 1.3 Only)

To enforce TLS 1.3 only (highest security profile):

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName:   "webhook",
    Port:          8443,
    SecretName:    "webhook-certs",
    TLSMinVersion: tls.VersionTLS13,
    TLSMaxVersion: tls.VersionTLS13,  // Enforce TLS 1.3 only
})
Example 3: Intermediate Profile (TLS 1.2+)

For broader compatibility while maintaining security:

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName:   "webhook",
    Port:          8443,
    SecretName:    "webhook-certs",
    TLSMinVersion: tls.VersionTLS12,
})
Example 4: Custom Cipher Suites

To specify custom cipher suites (for TLS 1.2):

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName:   "webhook",
    Port:          8443,
    SecretName:    "webhook-certs",
    TLSMinVersion: tls.VersionTLS12,
    TLSCipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
    },
})
Example 5: Custom Elliptic Curves

To specify elliptic curve preferences:

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName:   "webhook",
    Port:          8443,
    SecretName:    "webhook-certs",
    TLSCurvePreferences: []tls.CurveID{
        tls.X25519,    // Preferred
        tls.CurveP256,
        tls.CurveP384,
    },
})
Example 6: Complete Custom Configuration

For full control over TLS parameters:

ctx := webhook.WithOptions(signals.NewContext(), webhook.Options{
    ServiceName:   "webhook",
    Port:          8443,
    SecretName:    "webhook-certs",
    TLSMinVersion: tls.VersionTLS12,
    TLSMaxVersion: tls.VersionTLS13,
    TLSCipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    },
    TLSCurvePreferences: []tls.CurveID{
        tls.X25519,
        tls.CurveP256,
    },
})

Writing new Admission Controllers

To implement your own admission controller akin to the resource defaulting and validation controller above, you implement a knative.dev/pkg/controller.Reconciler as with any you would with any other type of controller, but the Reconciler that gets embedded in the *controller.Impl should also implement:

// AdmissionController provides the interface for different admission controllers
type AdmissionController interface {
	// Path returns the path that this particular admission controller serves on.
	Path() string

	// Admit is the callback which is invoked when an HTTPS request comes in on Path().
	Admit(context.Context, *admissionv1beta1.AdmissionRequest) *admissionv1beta1.AdmissionResponse
}

The Reconciler part is responsible for the mutating or validating webhook configuration. The AdmissionController part is responsible for guiding request dispatch (Path()) and handling admission requests (Admit()).

Documentation

Index

Constants

View Source 
const (
	// AdmissionReviewUID is the key used to represent the admission review
	// request/response UID in logs
	AdmissionReviewUID = "admissionreview/uid"

	// AdmissionReviewAllowed is the key used to represent whether or not
	// the admission request was permitted in logs
	AdmissionReviewAllowed = "admissionreview/allowed"

	// AdmissionReviewResult is the key used to represent extra details into
	// why an admission request was denied in logs
	AdmissionReviewResult = "admissionreview/result"

	// AdmissionReviewPatchType is the key used to represent the type of Patch in logs
	AdmissionReviewPatchType = "admissionreview/patchtype"
)
View Source 
const (
	WebhookTypeAdmission  = "admission"
	WebhookTypeDefaulting = "defaulting"
	WebhookTypeValidation = "validation"
	WebhookTypeConversion = "conversion"
)

Variables

View Source 
var (
	// WebhookType is an attribute that specifies whether the type of webhook is an admission
	// eg. (defaulting/validation) or conversion
	WebhookTypeAttr = attributekey.String("kn.webhook.type")

	GroupAttr       = attributekey.String("kn.webhook.resource.group")
	VersionAttr     = attributekey.String("kn.webhook.resource.version")
	KindAttr        = attributekey.String("kn.webhook.resource.kind")
	SubresourceAttr = attributekey.String("kn.webhook.subresource")
	OperationAttr   = attributekey.String("kn.webhook.operation.type")
	StatusAttr      = attributekey.String("kn.webhook.operation.status")
)

Functions

func DisableNamespaceOwnershipFromEnv 

func DisableNamespaceOwnershipFromEnv() *bool

func EnsureLabelSelectorExpressions 

func EnsureLabelSelectorExpressions(
	current *metav1.LabelSelector,
	want *metav1.LabelSelector,
) *metav1.LabelSelector

EnsureLabelSelectorExpressions merges the current label selector's MatchExpressions with the ones wanted. It keeps all non-knative keys intact, removes all knative-keys no longer wanted and adds all knative-keys not yet there.

func MakeErrorStatus 

func MakeErrorStatus(reason string, args ...any) *admissionv1.AdmissionResponse

MakeErrorStatus creates an 'BadRequest' error AdmissionResponse

func NameFromEnv 

func NameFromEnv() string

func PortFromEnv 

func PortFromEnv(defaultPort int) int

PortFromEnv returns the webhook port set by portEnvKey, or default port if env var is not set.

func SecretNameFromEnv 

func SecretNameFromEnv(defaultSecretName string) string

func TLSMinVersionFromEnv 

func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16

func WithOptions 

func WithOptions(ctx context.Context, opt Options) context.Context

WithOptions associates a set of webhook.Options with the returned context.

Types

type AdmissionController 

type AdmissionController interface {
	// Path returns the path that this particular admission controller serves on.
	Path() string

	// Admit is the callback which is invoked when an HTTPS request comes in on Path().
	Admit(context.Context, *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse
}

AdmissionController provides the interface for different admission controllers

type ConversionController 

type ConversionController interface {
	// Path returns the path that this particular conversion controller serves on.
	Path() string

	// Convert is the callback which is invoked when an HTTPS request comes in on Path().
	Convert(context.Context, *apixv1.ConversionRequest) *apixv1.ConversionResponse
}

ConversionController provides the interface for different conversion controllers

type Operation 

type Operation = admissionv1.Operation

Operation is the verb being operated on it is aliased in Validation from the k8s admission package 

const (
	Create  Operation = admissionv1.Create
	Update  Operation = admissionv1.Update
	Delete  Operation = admissionv1.Delete
	Connect Operation = admissionv1.Connect
)

Operation types

type Options 

type Options struct {
	// TLSMinVersion contains the minimum TLS version that is acceptable to communicate with the API server.
	// TLS 1.3 is the minimum version if not specified otherwise.
	TLSMinVersion uint16

	// TLSMaxVersion contains the maximum TLS version that is acceptable.
	// If not set (0), the maximum version supported by the implementation will be used.
	// This is useful for enforcing Modern profile (TLS 1.3 only) by setting both
	// TLSMinVersion and TLSMaxVersion to tls.VersionTLS13.
	TLSMaxVersion uint16

	// TLSCipherSuites specifies the list of enabled cipher suites.
	// If empty, a default list of secure cipher suites will be used.
	// Note: Cipher suites are not configurable in TLS 1.3; they are determined by the implementation.
	TLSCipherSuites []uint16

	// TLSCurvePreferences specifies the elliptic curves that will be used in an ECDHE handshake.
	// If empty, the default curves will be used.
	TLSCurvePreferences []tls.CurveID

	// ServiceName is the service name of the webhook.
	ServiceName string

	// SecretName is the name of k8s secret that contains the webhook
	// server key/cert and corresponding CA cert that signed them. The
	// server key/cert are used to serve the webhook and the CA cert
	// is provided to k8s apiserver during admission controller
	// registration.
	// If no SecretName is provided, then the webhook serves without TLS.
	SecretName string

	// ServerPrivateKeyName is the name for the webhook secret's data key e.g. `tls.key`.
	// Default value is `server-key.pem` if no value is passed.
	ServerPrivateKeyName string

	// ServerCertificateName is the name for the webhook secret's ca data key e.g. `tls.crt`.
	// Default value is `server-cert.pem` if no value is passed.
	ServerCertificateName string

	// Port where the webhook is served. Per k8s admission
	// registration requirements this should be 443 unless there is
	// only a single port for the service.
	Port int

	// GracePeriod is how long to wait after failing readiness probes
	// before shutting down.
	GracePeriod time.Duration

	// DisableNamespaceOwnership configures if the SYSTEM_NAMESPACE is added as an owner reference to the
	// webhook configuration resources. Overridden by the WEBHOOK_DISABLE_NAMESPACE_OWNERSHIP environment variable.
	// Disabling can be useful to avoid breaking systems that expect ownership to indicate a true controller
	// relationship: https://github.com/knative/serving/issues/15483
	DisableNamespaceOwnership bool

	// ControllerOptions encapsulates options for creating a new controller,
	// including throttling and stats behavior.
	ControllerOptions *controller.ControllerOptions

	// EnableHTTP2 enables HTTP2 for webhooks.
	// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
	// standard library and golang.org/x/net are fully fixed.
	// Right now, it is possible for authenticated and unauthenticated users to
	// hold open HTTP2 connections and consume huge amounts of memory.
	// See:
	// * https://github.com/kubernetes/kubernetes/pull/121120
	// * https://github.com/kubernetes/kubernetes/issues/121197
	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
	EnableHTTP2 bool

	// MeterProvider is used to configure the MeterProvider used by the webhook
	// If nil it will use the global meter provider
	MeterProvider metric.MeterProvider

	// TracerProvider is used to config the TracerProvider used by the webhook
	// if nil it will use the global tracer provider
	TracerProvider trace.TracerProvider

	// TextMapPropagator is used to configure the TextMapPropagator used by the webhook
	// if nil it will use the global text map propagator
	TextMapPropagator propagation.TextMapPropagator
}

Options contains the configuration for the webhook

func GetOptions 

func GetOptions(ctx context.Context) *Options

GetOptions retrieves webhook.Options associated with the given context via WithOptions (above).

type StatelessAdmissionController 

type StatelessAdmissionController interface {
	// A silly name that should avoid collisions.
	ThisTypeDoesNotDependOnInformerState()
}

StatelessAdmissionController is implemented by AdmissionControllers where Admit may be safely called before informers have finished syncing. This is implemented by inlining StatelessAdmissionImpl in your Go type.

type StatelessAdmissionImpl 

type StatelessAdmissionImpl struct{}

StatelessAdmissionImpl marks a reconciler as stateless. Inline this type to implement StatelessAdmissionController.

func (StatelessAdmissionImpl) ThisTypeDoesNotDependOnInformerState 

func (sai StatelessAdmissionImpl) ThisTypeDoesNotDependOnInformerState()

type Webhook 

type Webhook struct {
	Options Options
	Logger  *zap.SugaredLogger
	// contains filtered or unexported fields
}

Webhook implements the external webhook for validation of resources and configuration.

func New 

func New(
	ctx context.Context,
	controllers []interface{},
) (webhook *Webhook, err error)

New constructs a Webhook

func (*Webhook) InformersHaveSynced 

func (wh *Webhook) InformersHaveSynced()

InformersHaveSynced is called when the informers have all been synced, which allows any outstanding admission webhooks through.

func (*Webhook) Run 

func (wh *Webhook) Run(stop <-chan struct{}) error

Run implements the admission controller run loop.

func (*Webhook) ServeHTTP 

func (wh *Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request)

Source Files

View all Source files

Directories

Path Synopsis
resources
Package psbinding provides facilities to make authoring Bindings that work with "Pod Spec"-able subjects easier.
 Package psbinding provides facilities to make authoring Bindings that work with "Pod Spec"-able subjects easier.
conversion
conversion/internal
defaulting
validation

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.