Add validation bypass to the webhook.

Requests made by rancher-webhook's sudo service account will bypass the webhook's validation.
rancher · Jul 13, 2023 · e6d16f9 · e6d16f9
1 parent 56151d6
commit e6d16f9
Show file tree

Hide file tree

Showing 4 changed files with 275 additions and 86 deletions.
diff --git a/charts/rancher-webhook/templates/rbac.yaml b/charts/rancher-webhook/templates/rbac.yaml
@@ -9,4 +9,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: rancher-webhook
-  namespace: {{.Release.Namespace}}
+  namespace: {{.Release.Namespace}}
diff --git a/charts/rancher-webhook/templates/serviceaccount.yaml b/charts/rancher-webhook/templates/serviceaccount.yaml
@@ -2,3 +2,10 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: rancher-webhook
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rancher-webhook-sudo
+  annotations:
+    cattle.io/description: "SA which can be impersonated to bypass rancher-webhook validation"
diff --git a/pkg/admission/admission.go b/pkg/admission/admission.go
@@ -19,7 +19,9 @@ import (
 )
 
 const (
-	webhookQualifier = "rancher.cattle.io"
+	webhookQualifier     = "rancher.cattle.io"
+	bypassServiceAccount = "system:serviceaccount:cattle-system:rancher-webhook-sudo"
+	systemMasters        = "system:masters"
 )
 
 var (
@@ -187,6 +189,13 @@ func NewValidatingHandlerFunc(handler ValidatingAdmissionHandler) http.HandlerFu
 			sendError(responseWriter, review, err)
 			return
 		}
+
+		if bypassValidation(review.Request) {
+			sendResponse(responseWriter, review, ResponseAllowed())
+			logrus.Debugf("admit bypassed: %s %s %s", webReq.Operation, webReq.Kind.String(), resourceString(webReq.Namespace, webReq.Name))
+			return
+		}
+
 		// save the response from the loop so we can return on success
 		var response *admissionv1.AdmissionResponse
 		for _, admitter := range handler.Admitters() {
@@ -198,6 +207,7 @@ func NewValidatingHandlerFunc(handler ValidatingAdmissionHandler) http.HandlerFu
 				response = &admissionv1.AdmissionResponse{}
 			}
 			logrus.Debugf("admit result: %s %s %s user=%s allowed=%v err=%v", webReq.Operation, webReq.Kind.String(), resourceString(webReq.Namespace, webReq.Name), webReq.UserInfo.Username, response.Allowed, err)
+
 			// if we get an error or are not allowed, short circuit the admits
 			if err != nil {
 				review.Response = response
@@ -223,11 +233,19 @@ func NewMutatingHandlerFunc(handler MutatingAdmissionHandler) http.HandlerFunc {
 			sendError(responseWriter, review, err)
 			return
 		}
+
+		if bypassValidation(review.Request) {
+			sendResponse(responseWriter, review, ResponseAllowed())
+			logrus.Debugf("admit bypassed: %s %s %s", webReq.Operation, webReq.Kind.String(), resourceString(webReq.Namespace, webReq.Name))
+			return
+		}
+
 		response, err := handler.Admit(webReq)
 		if response == nil {
 			response = &admissionv1.AdmissionResponse{}
 		}
 		logrus.Debugf("admit result: %s %s %s user=%s allowed=%v err=%v", webReq.Operation, webReq.Kind.String(), resourceString(webReq.Namespace, webReq.Name), webReq.UserInfo.Username, response.Allowed, err)
+
 		if err != nil {
 			review.Response = response
 			sendError(responseWriter, review, err)
@@ -347,3 +365,16 @@ func CreateWebhookName(handler WebhookHandler, suffix string) string {
 	}
 	return fmt.Sprintf("%s.%s.%s", webhookQualifier, subPath, suffix)
 }
+
+// bypassValidation users can bypass the webhook if they are the sudo account and system:masters group
+func bypassValidation(request *admissionv1.AdmissionRequest) bool {
+	if request.UserInfo.Username != bypassServiceAccount {
+		return false
+	}
+	for _, group := range request.UserInfo.Groups {
+		if group == systemMasters {
+			return true
+		}
+	}
+	return false
+}