Conversation
Bump the kube-rbac-proxy sidecar image from v0.18.1 to v0.21.0. The legacy manager_auth_proxy_patch.yaml is also updated from the stale gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 reference. Assisted-by: Claude Upus 4.6 <noreply@anthropic.com> Signed-off-by: Ram Lavi <ralavi@redhat.com>
The --logtostderr flag was removed in klog v2+ and has no effect since stderr is the default output. Also remove --v=10 from the unused legacy patch file. Assisted-by: Claude Upus 4.6 <noreply@anthropic.com> Signed-off-by: Ram Lavi <ralavi@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the security posture of kubemacpool by introducing comprehensive and configurable TLS settings for its webhook and metrics proxy endpoints. Previously, these endpoints relied on default or outdated TLS configurations, which led to security vulnerabilities flagged by scanners. The changes standardize TLS versioning, update the Highlights
Changelog
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request effectively addresses the need for explicit TLS configuration for kubemacpool's webhook and metrics proxy endpoints, which is a great security enhancement. The changes to introduce configurable TLS versions and cipher suites, along with updating kube-rbac-proxy, are well-implemented. The Go code changes are clean and correct. My main feedback is about the duplication of the long cipher suite strings across multiple YAML files. While the changes are functionally correct, this duplication could pose a maintainability challenge in the future. Please see my specific comments on this.
Pass --tls-min-version and --tls-cipher-suites to the kube-rbac-proxy sidecar so the :8443 metrics endpoint enforces a TLS security profile. Default to VersionTLS13 for stronger security. TLS 1.3 cipher suites are not configurable in Go — they are always enabled — so --tls-cipher-suites is omitted. Assisted-by: Claude Upus 4.6 <noreply@anthropic.com> Signed-off-by: Ram Lavi <ralavi@redhat.com>
Currently Kubemacpool webhook allows internally configuring the TLS_MIN_VERSION and TLS_CIPHERS, but the manifests never configured them. This commit explicitly sets TLS_MIN_VERSION and TLS_CIPHERS environment variables on the manager container so the webhook server enforces a TLS security profile. Default to TLS 1.3 for stronger security. TLS 1.3 cipher suites are always enabled in Go and not individually configurable, so TLS_CIPHERS is left empty. Assisted-by: Claude Upus 4.6 <noreply@anthropic.com> Signed-off-by: Ram Lavi <ralavi@redhat.com>
Kube-admissions-webhook [0], which consumes the TLS_MIN_VERSION env var on kubemacpool - accepts TLS_MIN_VERSION from human-readable format (e.g. "1.3"). Align TLS_MIN_VERSION with Go crypto/tls constant names (e.g. "VersionTLS13") and internal wrapper translate foe kube-admissions-webhook using a helper goTLSVersionToHumanReadable. This allows deployers like CNAO to use a single TLS version format for both the webhook and kube-rbac-proxy containers. [0] https://github.com/qinqon/kube-admission-webhook Assisted-by: Claude Upus 4.6 <noreply@anthropic.com> Signed-off-by: Ram Lavi <ralavi@redhat.com>
RamLavi
force-pushed
the
kmp_enforce-kube-rbac-tls
branch
from
38ee7ce to
82c28cc
Compare
|
Change: Move to TLS 1.3 default |
|
gemini-code-assist is the code OK now? Can you re-review? |
|
Thanks for the prompt re-review, RamLavi! I've re-reviewed the code, focusing on the changes made since the last review. The TLS configurations and the updated |
|
@maiqueb: changing LGTM is restricted to collaborators DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| - --upstream=http://127.0.0.1:8080 | ||
| - --proxy-endpoints-port=8643 | ||
| - --tls-min-version=VersionTLS13 | ||
| - --tls-cipher-suites= |
There was a problem hiding this comment.
Please consider omit this flag because it not used.
There was a problem hiding this comment.
I checked and it is fine to keep it empty. I think it's not worth it to omit it conditionally..
There was a problem hiding this comment.
Why conditionally?
It use TLS 1.3 by default so no ciphers needed, right?
| - name: TLS_CIPHERS | ||
| value: "" |
There was a problem hiding this comment.
Please consider ommit this env var because its not used.
| func AddToManager(mgr manager.Manager, poolManager *pool_manager.PoolManager) error { | ||
|
|
||
| tlsMinVersion, err := kawtls.TLSVersion(tlsMinVersion()) | ||
| tlsMinVersion, err := kawtls.TLSVersion(goTLSVersionToHumanReadable(tlsMinVersion())) |
There was a problem hiding this comment.
Why do we need this translation if Go constant names are expected to be used by all components in the stack? (CNAO, KAW)
There was a problem hiding this comment.
For some reason KAW decided on the human readable format. We can change that and then bump. But I suggest we do it on a follow up PR, you if want
There was a problem hiding this comment.
We can drop kawtls.TLSVersion() usage altogether, and have simple translation from Go's TLS version constant name to IDs, for example https://github.com/kubevirt/ipam-extensions/blob/main/pkg/config/tls.go#L25-L35 (or use component-base).
|
I know its not the PR scope but it would be nice to expose flags for the TLS settings instead of the existing env vars (similar to other projects). |
well it would be nice to use the "--help" functionality but in the end I don't see much merit in it, becuase:
|
Flags are much more easy to work with and allow setting default values, no need for kustomize mambojambo.
Well then we should revisit what should be considered environmental and is an application argument. I dont want to make more noise , I will post an issue and we can discuss it there. |
4 participants
What this PR does / why we need it:
kubemacpool's two TLS endpoints (webhook on :8000, metrics proxy on :8443) had no explicit TLS configuration — the webhook was falling back to TLS 1.0, and kube-rbac-proxy used its built-in defaults.
This PR:
Defaults: TLS 1.3 minimum, modern-equivalent cipher list. Deployers like CNAO can override with a single TLS version value for both containers.
Special notes for your reviewer:
Release note: