Merge pull request #4691 from neticdk/webhook-api-change

Do not risk exposing unauthenticated webhook port on container
Kubernetes Prow Robot 2024-09-10 20:21:26 +01:00 committed by GitHub
commit a087c87ba1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 25 additions and 19 deletions


@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Fixed `provider.webhook.resources` behavior to correctly leverage resource limits ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560)) - Fixed `provider.webhook.resources` behavior to correctly leverage resource limits ([#4560](https://github.com/kubernetes-sigs/external-dns/pull/4560))
- Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_ - Fixed `provider.webhook.imagePullPolicy` behavior to correctly leverage pull policy ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- Add correct webhook metric port to `Service` and `ServiceMonitor` ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_ - Add correct webhook metric port to `Service` and `ServiceMonitor` ([#4643](https://github.com/kubernetes-sigs/external-dns/pull/4643)) _@kimsondrup_
- No longer require the unauthenticated webhook provider port to be exposed for health probes ([#4691](https://github.com/kubernetes-sigs/external-dns/pull/4691)) _@kimsondrup_ _@hatrx_
## [v1.14.5] - 2023-06-10 ## [v1.14.5] - 2023-06-10
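Review bot: the new changelog line for #4691 only mentions the health-probe change, but this same PR renames the chart value `provider.webhook.service.metricsPort` to `provider.webhook.service.port` (see the README and values.yaml hunks), which breaks existing values files that set `metricsPort`. The entry should say so explicitly, for example `- **Breaking**: renamed provider.webhook.service.metricsPort to provider.webhook.service.port ...`, so users upgrading know to migrate the key.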


@ -133,7 +133,7 @@ If `namespaced` is set to `true`, please ensure that `sources` my only contains
| provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. | | provider.webhook.readinessProbe | object | See _values.yaml_ | [Readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/) configuration for the `webhook` container. |
| provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. | | provider.webhook.resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the `webhook` container. |
| provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. | | provider.webhook.securityContext | object | See _values.yaml_ | [Pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for the `webhook` container. |
| provider.webhook.service.metricsPort | int | `8080` | Webhook metrics port for the service. | | provider.webhook.service.port | int | `8080` | Webhook exposed HTTP port for the service. |
| provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. | | provider.webhook.serviceMonitor | object | See _values.yaml_ | Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. |
| rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. | | rbac.additionalPermissions | list | `[]` | Additional rules to add to the `ClusterRole`. |
| rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. | | rbac.create | bool | `true` | If `true`, create a `ClusterRole` & `ClusterRoleBinding` with access to the Kubernetes API. |
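Review bot: the new description for `provider.webhook.service.port`, `Webhook exposed HTTP port for the service.`, is ambiguous after this change: the port the Service now exposes is the webhook container's health/metrics listener (8080), not the webhook provider API (8888, which the docs hunk says must stay on localhost). Suggest wording that names what is served, e.g. `HTTP port for the webhook container's /healthz and /metrics endpoints (the provider API itself is not exposed).`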


@ -158,9 +158,6 @@ spec:
{{- end }} {{- end }}
ports: ports:
- name: http-webhook - name: http-webhook
protocol: TCP
containerPort: 8888
- name: http-wh-metrics
protocol: TCP protocol: TCP
containerPort: 8080 containerPort: 8080
livenessProbe: livenessProbe:
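Review bot: dropping the 8888 `containerPort` and reusing the `http-webhook` name for 8080 removes the provider API port from the manifest, but `containerPort` is informational only; a webhook image that still binds its API on `0.0.0.0:8888` stays reachable from the pod network regardless of this template. The isolation therefore rests on the provider binding 8888 to localhost, as the docs hunk now requires, and that assumption deserves a comment next to the ports block. The `livenessProbe:` context line that follows is not shown in full: please confirm the probe `port:` values were updated to the renamed `http-webhook` (8080) port, since a probe still targeting 8888 would fail after this change.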


@ -28,9 +28,9 @@ spec:
protocol: TCP protocol: TCP
{{- if eq $providerName "webhook" }} {{- if eq $providerName "webhook" }}
{{- with .Values.provider.webhook.service }} {{- with .Values.provider.webhook.service }}
- name: http-wh-metrics - name: http-webhook
port: {{ .metricsPort }} port: {{ .port }}
targetPort: http-wh-metrics targetPort: http-webhook
protocol: TCP protocol: TCP
{{- end }} {{- end }}
{{- end }} {{- end }}
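Review bot: `port: {{ .port }}` renders an empty value when a user's values file still sets the old `metricsPort` key instead of `port`, producing a Service with a blank `port:` that the API server rejects with an unhelpful error. Suggest `port: {{ .port | default 8080 }}` or `port: {{ required "provider.webhook.service.port is required (renamed from metricsPort)" .port }}` so the rename fails loudly and points at the fix.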


@ -51,7 +51,7 @@ spec:
{{- end }} {{- end }}
{{- if eq $providerName "webhook" }} {{- if eq $providerName "webhook" }}
{{- with .Values.provider.webhook.serviceMonitor }} {{- with .Values.provider.webhook.serviceMonitor }}
- port: http-wh-metrics - port: http-webhook
path: /metrics path: /metrics
{{- with .interval }} {{- with .interval }}
interval: {{ . }} interval: {{ . }}


@ -270,8 +270,8 @@ provider:
failureThreshold: 6 failureThreshold: 6
successThreshold: 1 successThreshold: 1
service: service:
# -- Webhook metrics port for the service. # -- Webhook exposed HTTP port for the service.
metricsPort: 8080 port: 8080
# -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container. # -- Optional [Service Monitor](https://prometheus-operator.dev/docs/operator/design/#servicemonitor) configuration for the `webhook` container.
# @default -- See _values.yaml_ # @default -- See _values.yaml_
serviceMonitor: serviceMonitor:
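Review bot: renaming `metricsPort` to `port` here with no fallback silently ignores any `provider.webhook.service.metricsPort` a user already sets. Consider keeping `metricsPort` as a deprecated alias in the templates for one release (reading `.port` and falling back to `.metricsPort`), or at minimum stating the rename in the CHANGELOG so upgrades do not break without warning.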


@ -16,24 +16,32 @@ Providers implementing the HTTP API have to keep in sync with changes to the JSO
The following table represents the methods to implement mapped to their HTTP method and route. The following table represents the methods to implement mapped to their HTTP method and route.
| Provider method | HTTP Method | Route |
| --- | --- | --- | ### Provider endpoints
| Records | GET | /records |
| AdjustEndpoints | POST | /adjustendpoints | | Provider method | HTTP Method | Route | Description |
| ApplyChanges | POST | /records | | --------------- | ----------- | ---------------- | ---------------------------------------- |
| K8s probe | GET | /healthz | | Negotiate | GET | / | Negotiate `DomainFilter` |
| Records | GET | /records | Get records |
| AdjustEndpoints | POST | /adjustendpoints | Provider specific adjustments of records |
| ApplyChanges | POST | /records | Apply record |
ExternalDNS will also make requests to the `/` endpoint for negotiation and for deserialization of the `DomainFilter`. ExternalDNS will also make requests to the `/` endpoint for negotiation and for deserialization of the `DomainFilter`.
The server needs to respond to those requests by reading the `Accept` header and responding with a corresponding `Content-Type` header specifying the supported media type format and version. The server needs to respond to those requests by reading the `Accept` header and responding with a corresponding `Content-Type` header specifying the supported media type format and version.
The default recommended port is 8888, and should listen only on localhost (ie: only accessible for k8s probes and external-dns). The default recommended port for the provider endpoints is `8888`, and should listen only on `localhost` (ie: only accessible for external-dns).
**NOTE**: only `5xx` responses will be retried and only `20x` will be considered as successful. All status codes different from those will be considered a failure on ExternalDNS's side. **NOTE**: only `5xx` responses will be retried and only `20x` will be considered as successful. All status codes different from those will be considered a failure on ExternalDNS's side.
## Metrics support ### Exposed endpoints
The metrics should listen ":8080" on `/metrics` following [Open Metrics](https://github.com/OpenObservability/OpenMetrics) format. | Provider method | HTTP Method | Route | Description |
| --------------- | ----------- | -------- | -------------------------------------------------------------------------------------------- |
| K8s probe | GET | /healthz | Used by `livenessProbe` and `readinessProbe` |
| Open Metrics | GET | /metrics | Optional endpoint to expose [Open Metrics](https://github.com/OpenObservability/OpenMetrics) |
The default recommended port for the exposed endpoints is `8080`, and it should be bound to all interfaces (`0.0.0.0`)
## Custom Annotations ## Custom Annotations
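Review bot: the new `Exposed endpoints` table says the 8080 listener should be bound to all interfaces (`0.0.0.0`) while the provider endpoints stay on `localhost:8888`, but the text never states that these must be two separate listeners; a provider that serves `/healthz` and `/metrics` from the same server as `/records` would have to bind that server to all interfaces and lose exactly the isolation this PR is about. Please add a sentence that the exposed endpoints must not be served from the provider API listener. Because the deployment hunk no longer declares the 8888 container port and the probes now go to `/healthz` on 8080, existing providers that only serve `/healthz` on 8888 will start failing probes; the doc should flag this as a change in the provider contract. Minor: `ie:` on the port line should read `i.e.`, the `Provider method` column header on the exposed-endpoints table does not fit endpoints that are not provider methods (`Endpoint` would do), and the final sentence is missing its period.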