feat: add validating webhook for run-levels

SequeI · SequeI · commit 341a9d169302 · 2025-10-29T11:03:03.000Z
Signed-off-by: SequeI &lt;asiek@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -113,8 +113,8 @@ help: ## Display this help.
 ##@ Development
 
 .PHONY: manifests
-manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
+manifests: controller-gen ## Generate ClusterRole and CustomResourceDefinition objects.
+	$(CONTROLLER_GEN) rbac:roleName=manager-role crd paths="./..." output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate
 generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
diff --git a/api/v1alpha1/securesign_types.go b/api/v1alpha1/securesign_types.go
@@ -73,6 +73,7 @@ type SecuresignTSAStatus struct {
 //+kubebuilder:printcolumn:name="Rekor URL",type=string,JSONPath=`.status.rekor.url`,description="The rekor url"
 //+kubebuilder:printcolumn:name="Fulcio URL",type=string,JSONPath=`.status.fulcio.url`,description="The fulcio url"
 //+kubebuilder:printcolumn:name="Tuf URL",type=string,JSONPath=`.status.tuf.url`,description="The tuf url"
+//+kubebuilder:webhook:path=/validate,mutating=false,failurePolicy=fail,groups=rhtas.redhat.com,resources=securesigns,verbs=create,versions=v1alpha1,name=securesign.rhtas.redhat.com,sideEffects=None,admissionReviewVersions=v1
 
 // Securesign is the Schema for the securesigns API
 type Securesign struct {
diff --git a/cmd/main.go b/cmd/main.go
@@ -62,6 +62,7 @@ import (
 	"github.com/securesign/operator/internal/controller/trillian"
 	"github.com/securesign/operator/internal/controller/tsa"
 	"github.com/securesign/operator/internal/controller/tuf"
+	rhtas_webhook "github.com/securesign/operator/internal/webhook"
 	//+kubebuilder:scaffold:imports
 )
 
@@ -195,6 +196,17 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := ctrl.NewWebhookManagedBy(mgr).
+		For(&rhtasv1alpha1.Securesign{}).
+		WithValidator(&rhtas_webhook.SecureSignValidator{
+			Client: mgr.GetClient(),
+		}).
+		WithCustomPath("/validate").
+		Complete(); err != nil {
+		setupLog.Error(err, "unable to create SecureSign validating webhook")
+		os.Exit(1)
+	}
+
 	setupController("securesign", securesign.NewReconciler, mgr)
 	setupController("fulcio", fulcio.NewReconciler, mgr)
 	setupController("trillian", trillian.NewReconciler, mgr)
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -15,9 +15,6 @@ namePrefix: rhtas-
 #commonLabels:
 #  someName: someValue
 
-# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
-# crd/kustomization.yaml
-#- ../webhook
 # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
 #- ../certmanager
 # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
@@ -26,6 +23,7 @@ resources:
 - ../rbac
 - ../manager
 - ../prometheus
+- ../webhook
 
 patches:
 - path: manager_metrics_patch.yaml
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -67,6 +67,10 @@ spec:
         - --leader-elect
         image: controller:latest
         name: manager
+        volumeMounts:
+        - name: webhook-cert
+          mountPath: /tmp/k8s-webhook-server/serving-certs
+          readOnly: true
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
@@ -97,3 +101,8 @@ spec:
             memory: 64Mi
       serviceAccountName: operator-controller-manager
       terminationGracePeriodSeconds: 10
+      volumes:
+      - name: webhook-cert
+        secret:
+          secretName: webhook-server-tls
+
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+  - service.yaml
+  - webhook.yaml
diff --git a/config/webhook/service.yaml b/config/webhook/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: controller-manager-webhook-service
+  namespace: system
+  labels:
+    control-plane: operator-controller-manager
+  annotations:
+    service.beta.openshift.io/serving-cert-secret-name: webhook-server-tls
+spec:
+  ports:
+    - name: https-webhook
+      port: 443
+      targetPort: 9443
+      protocol: TCP
+  selector:
+    control-plane: operator-controller-manager
diff --git a/config/webhook/webhook.yaml b/config/webhook/webhook.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validation.securesigns.rhtas.redhat.com
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: controller-manager-webhook-service
+      namespace: system
+      path: /validate
+  failurePolicy: Fail
+  name: validation.securesigns.rhtas.redhat.com
+  rules:
+  - apiGroups:
+    - rhtas.redhat.com
+    apiVersions:
+    - v1alpha1
+    operations:
+    - CREATE
+    resources:
+    - securesigns
+  sideEffects: None
diff --git a/internal/webhook/securesign_validator.go b/internal/webhook/securesign_validator.go
@@ -0,0 +1,52 @@
+package webhooks
+
+import (
+	"context"
+	"fmt"
+
+	rhtasv1alpha1 "github.com/securesign/operator/api/v1alpha1"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	admission "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+func (v *SecureSignValidator) ValidateCreate(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	reqLog := logf.FromContext(ctx)
+	operandCR, ok := obj.(*rhtasv1alpha1.Securesign)
+	if !ok {
+		return nil, fmt.Errorf("expected SecureSign CR but got %T", obj)
+	}
+
+	targetNamespace := operandCR.GetNamespace()
+
+	if targetNamespace == "default" {
+		reqLog.Info("Validation failed: Deployment blocked in 'default' namespace.")
+		return nil, fmt.Errorf("installation into the 'default' namespace is prohibited by RHTAS policy")
+	}
+
+	ns := &corev1.Namespace{}
+
+	if err := v.Client.Get(ctx, types.NamespacedName{Name: targetNamespace}, ns); err != nil {
+		reqLog.Error(err, "Failed to retrieve target namespace object for validation.")
+		return nil, fmt.Errorf("failed to retrieve target namespace %s: %w", targetNamespace, err)
+	}
+
+	runLevel, found := ns.Labels["openshift.io/run-level"]
+	if found && reservedRunLevels[runLevel] {
+		reqLog.Info("Validation failed: Deployment blocked in reserved namespace.",
+			"namespace", targetNamespace, "run-level", runLevel)
+		return nil, fmt.Errorf("installation into reserved OpenShift namespace '%s' (run-level %s) is prohibited by RHTAS policy", targetNamespace, runLevel)
+	}
+
+	return nil, nil
+}
+
+func (v *SecureSignValidator) ValidateUpdate(ctx context.Context, oldObj, newObj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func (v *SecureSignValidator) ValidateDelete(ctx context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
diff --git a/internal/webhook/webhooks.go b/internal/webhook/webhooks.go
@@ -0,0 +1,20 @@
+package webhooks
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	admission "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// SecureSignValidator checks for namespace security policy compliance.
+type SecureSignValidator struct {
+	Client client.Client
+}
+
+var _ admission.CustomValidator = &SecureSignValidator{}
+
+// Reserved OpenShift run-level labels to block
+var reservedRunLevels = map[string]bool{
+	"0": true, // Critical infrastructure
+	"1": true, // Infrastructure
+	"9": true, // General platform services
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+resources:`
	`2`	`+ - service.yaml`
	`3`	`+ - webhook.yaml`