ValidatingWebhook
Definition
A ValidatingWebhook is a Kubernetes admission controller that intercepts requests to the Kubernetes API server after authentication and authorization but before the object is persisted. The API server sends each matching request to an external HTTPS endpoint as an AdmissionReview, and the webhook's response decides whether the request is admitted or rejected. This lets custom validation logic run on every create or update, enforcing that resource configurations meet defined criteria before they are accepted, and so prevents invalid or insecure configurations from being deployed.
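The exchange described above, as an added example that is not part of the original page: a minimal handler for the AdmissionReview v1 request the API server POSTs to the webhook's /validate path. The policy it enforces (reject privileged containers and pods that share the host PID namespace) is a hypothetical one chosen for illustration, and the sample request is constructed here. The one hard requirement shown is that the response must echo the request uid and set allowed; a response without the uid is rejected by the API server.

```python
import json

# Constructed sample AdmissionReview v1 request, shaped like what the API
# server sends to the webhook (not taken from the original page).
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",  # constructed
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "hostPID": True,
                "containers": [
                    {
                        "name": "app",
                        "image": "example/app:1.0",
                        "securityContext": {"privileged": True},
                    }
                ],
            },
        },
    },
}


def find_violations(pod: dict) -> list[str]:
    """Hypothetical policy: no host PID namespace, no privileged containers."""
    spec = pod.get("spec", {})
    problems = []
    if spec.get("hostPID"):
        problems.append("spec.hostPID must be false")
    for field in ("containers", "initContainers"):
        for c in spec.get(field, []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                problems.append(f"{field}/{c.get('name')}: privileged containers are not allowed")
    return problems


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for one request.

    The response object must carry the same uid as the request; 'allowed'
    is the admission decision, and 'status' carries the reason on rejection.
    """
    req = admission_review["request"]
    violations = []
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        violations = find_violations(req.get("object") or {})
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


if __name__ == "__main__":
    # Show the decision for the constructed request.
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

In a real deployment review() sits behind an HTTPS listener whose certificate chains to the caBundle in the ValidatingWebhookConfiguration; the API server refuses to call webhooks over plain HTTP, and the apiVersion in the response must be one listed in admissionReviewVersions.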
Secure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook
webhooks:
  - name: validate.example.com
    clientConfig:
      service:
        name: example-webhook-service
        namespace: default
        path: "/validate"
      caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t..."
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: "Fail"
    sideEffects: "None"
    admissionReviewVersions: ["v1"]
Insecure Settings Example
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: insecure-validating-webhook
webhooks:
  - name: insecure.example.com
    clientConfig:
      service:
        name: insecure-webhook-service
        namespace: default
        path: "/validate"
      caBundle: "" # Missing CA bundle
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: "Ignore" # Allows potentially invalid configurations
    sideEffects: "None"
    admissionReviewVersions: ["v1"]
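The two settings that separate the secure and insecure examples can be checked mechanically. The following audit function is an added example, not part of the original page: it takes a ValidatingWebhookConfiguration as the dictionary kubectl returns with -o json (the two constructed inputs below mirror the page's secure and insecure examples) and flags an empty caBundle on an in-cluster service and failurePolicy set to Ignore. The combination matters: with no caBundle the API server falls back to its own system trust roots, which will not include the self-signed CA that typically signs an in-cluster webhook certificate, so the TLS handshake fails, and Ignore then lets every request through as if the webhook had approved it. The sideEffects and admissionReviewVersions checks are included as the other fields a reviewer would look at.

```python
# Constructed ValidatingWebhookConfiguration objects in JSON form, built to
# match the two YAML examples on the page (not taken from a live cluster).
SECURE_CFG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "example-validating-webhook"},
    "webhooks": [
        {
            "name": "validate.example.com",
            "clientConfig": {
                "service": {
                    "name": "example-webhook-service",
                    "namespace": "default",
                    "path": "/validate",
                },
                "caBundle": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...",  # truncated on the page
            },
            "rules": [
                {
                    "operations": ["CREATE", "UPDATE"],
                    "apiGroups": [""],
                    "apiVersions": ["v1"],
                    "resources": ["pods"],
                }
            ],
            "failurePolicy": "Fail",
            "sideEffects": "None",
            "admissionReviewVersions": ["v1"],
        }
    ],
}

INSECURE_CFG = {
    "apiVersion": "admissionregistration.k8s.io/v1",
    "kind": "ValidatingWebhookConfiguration",
    "metadata": {"name": "insecure-validating-webhook"},
    "webhooks": [
        {
            "name": "insecure.example.com",
            "clientConfig": {
                "service": {
                    "name": "insecure-webhook-service",
                    "namespace": "default",
                    "path": "/validate",
                },
                "caBundle": "",
            },
            "rules": [
                {
                    "operations": ["CREATE", "UPDATE"],
                    "apiGroups": [""],
                    "apiVersions": ["v1"],
                    "resources": ["pods"],
                }
            ],
            "failurePolicy": "Ignore",
            "sideEffects": "None",
            "admissionReviewVersions": ["v1"],
        }
    ],
}


def audit_webhook(webhook: dict) -> list[str]:
    """Return a list of findings for one entry of the webhooks array."""
    findings = []
    client = webhook.get("clientConfig", {})
    if "service" in client and not client.get("caBundle"):
        findings.append(
            "caBundle is empty: the API server will verify the in-cluster webhook "
            "certificate against its system trust roots only"
        )
    # failurePolicy defaults to Fail when omitted; only an explicit Ignore is a finding.
    if webhook.get("failurePolicy") == "Ignore":
        findings.append(
            "failurePolicy is Ignore: requests are admitted when the webhook "
            "is unreachable, times out, or returns an error"
        )
    if webhook.get("sideEffects") not in ("None", "NoneOnDryRun"):
        findings.append("sideEffects must be None or NoneOnDryRun for v1 webhooks")
    if "v1" not in webhook.get("admissionReviewVersions", []):
        findings.append("admissionReviewVersions should include v1")
    return findings


def audit_configuration(cfg: dict) -> dict[str, list[str]]:
    """Map each webhook name in the configuration to its findings."""
    return {w["name"]: audit_webhook(w) for w in cfg.get("webhooks", [])}


if __name__ == "__main__":
    for cfg in (SECURE_CFG, INSECURE_CFG):
        print(cfg["metadata"]["name"], audit_configuration(cfg))
```

Run against a live cluster by feeding it the output of kubectl get validatingwebhookconfigurations -o json, one item at a time; the same checks apply unchanged to MutatingWebhookConfiguration entries.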