
Commit 87f1169

Update webhook certs mountpath from /tmp directory to other path to eliminate security risk (#3685)
1 parent 8d79a71 commit 87f1169


4 files changed

+17
-9
lines changed

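--- a/manifests/supervisorcluster/1.30/cns-csi.yaml
+++ b/manifests/supervisorcluster/1.30/cns-csi.yaml
@@ -519,7 +519,7 @@ spec:
 readOnly: true
 - mountPath: /etc/vmware/wcp/tls/
 name: host-vmca
-- mountPath: /tmp/k8s-webhook-server/serving-certs/client-ca
+- mountPath: /etc/vmware/wcp/webhook-certs/client-ca
 name: client-ca
 readOnly: true
 - name: csi-snapshotter
@@ -818,6 +818,8 @@ spec:
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
 terminationGracePeriodSeconds: 10
+securityContext:
+fsGroup: 65533
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 operator: Exists
@@ -860,11 +862,11 @@ spec:
 runAsUser: 65534
 runAsGroup: 65533
 volumeMounts:
-- mountPath: /tmp/k8s-webhook-server/serving-certs
+- mountPath: /etc/vmware/wcp/webhook-certs
 name: webhook-certs
 readOnly: true
 volumes:
 - name: webhook-certs
 secret:
-defaultMode: 420
+defaultMode: 0440
 secretName: vmware-system-csi-webhook-service-cert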
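Review bot: `defaultMode: 0440` on the webhook-certs secret depends on YAML 1.1 octal parsing to mean 0o440; as far as I know kubectl's YAML-to-JSON conversion does treat a leading zero as octal, but a YAML 1.2 parser reads the same token as decimal 440 (0o670) and JSON has no octal form at all, so any other tooling that renders these manifests can silently change the file mode. The removed line used decimal for the same field (`defaultMode: 420`), so the unambiguous form consistent with the file is `defaultMode: 288 # 0440, r--r-----`. The new pod-level `securityContext.fsGroup: 65533` applies to every fsGroup-aware volume in the pod, not only webhook-certs; that is presumably intended, since the container's `runAsGroup: 65533` needs the group-read bit to open a 0440 file, and a comment such as `# group-read access to the 0440 webhook-certs secret for runAsGroup 65533` on the fsGroup line would record why it is there. The identical three hunks in manifests/supervisorcluster/1.31/cns-csi.yaml and manifests/supervisorcluster/1.32/cns-csi.yaml have the same two points.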

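--- a/manifests/supervisorcluster/1.31/cns-csi.yaml
+++ b/manifests/supervisorcluster/1.31/cns-csi.yaml
@@ -519,7 +519,7 @@ spec:
 readOnly: true
 - mountPath: /etc/vmware/wcp/tls/
 name: host-vmca
-- mountPath: /tmp/k8s-webhook-server/serving-certs/client-ca
+- mountPath: /etc/vmware/wcp/webhook-certs/client-ca
 name: client-ca
 readOnly: true
 - name: csi-snapshotter
@@ -818,6 +818,8 @@ spec:
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
 terminationGracePeriodSeconds: 10
+securityContext:
+fsGroup: 65533
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 operator: Exists
@@ -860,11 +862,11 @@ spec:
 runAsUser: 65534
 runAsGroup: 65533
 volumeMounts:
-- mountPath: /tmp/k8s-webhook-server/serving-certs
+- mountPath: /etc/vmware/wcp/webhook-certs
 name: webhook-certs
 readOnly: true
 volumes:
 - name: webhook-certs
 secret:
-defaultMode: 420
+defaultMode: 0440
 secretName: vmware-system-csi-webhook-service-cert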

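--- a/manifests/supervisorcluster/1.32/cns-csi.yaml
+++ b/manifests/supervisorcluster/1.32/cns-csi.yaml
@@ -519,7 +519,7 @@ spec:
 readOnly: true
 - mountPath: /etc/vmware/wcp/tls/
 name: host-vmca
-- mountPath: /tmp/k8s-webhook-server/serving-certs/client-ca
+- mountPath: /etc/vmware/wcp/webhook-certs/client-ca
 name: client-ca
 readOnly: true
 - name: csi-snapshotter
@@ -818,6 +818,8 @@ spec:
 nodeSelector:
 node-role.kubernetes.io/control-plane: ""
 terminationGracePeriodSeconds: 10
+securityContext:
+fsGroup: 65533
 tolerations:
 - key: node-role.kubernetes.io/control-plane
 operator: Exists
@@ -860,11 +862,11 @@ spec:
 runAsUser: 65534
 runAsGroup: 65533
 volumeMounts:
-- mountPath: /tmp/k8s-webhook-server/serving-certs
+- mountPath: /etc/vmware/wcp/webhook-certs
 name: webhook-certs
 readOnly: true
 volumes:
 - name: webhook-certs
 secret:
-defaultMode: 420
+defaultMode: 0440
 secretName: vmware-system-csi-webhook-service-cert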

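--- a/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go
+++ b/pkg/syncer/admissionhandler/cnscsi_admissionhandler.go
@@ -43,6 +43,7 @@ const (
 MutationWebhookPath = "/mutate"
 DefaultWebhookPort = 9883
 DefaultWebhookMetricsBindAddress = "0"
+DefaultWebhookCertDir = "/etc/vmware/wcp/webhook-certs"
 devopsUserLabelKey = "cns.vmware.com/user-created"
 vmUIDLabelKey = "cns.vmware.com/vm-uid"
 pvcUIDLabelKey = "cns.vmware.com/pvc-uid"
@@ -113,6 +114,7 @@ func startCNSCSIWebhookManager(ctx context.Context, enableWebhookClientCertVerif
 },
 WebhookServer: webhook.NewServer(webhook.Options{
 Port: webhookPort,
+CertDir: DefaultWebhookCertDir,
 TLSOpts: tlsConfigOpts,
 ClientCAName: clientCAName,
 })}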
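Review bot: `DefaultWebhookCertDir` is exported but carries no doc comment, and its value is a contract with the `webhook-certs` volume mountPath in the three cns-csi.yaml manifests changed in this commit; if either side drifts, the webhook server cannot load its serving certificate and the admission webhook stops answering. Suggest `// DefaultWebhookCertDir is the directory the webhook server loads its serving certificate and key from. It must match the webhook-certs volume mountPath in manifests/supervisorcluster/*/cns-csi.yaml.` If I recall correctly, controller-runtime resolves `ClientCAName` (set two lines below the new `CertDir`) relative to `CertDir`, which is why the manifests mount the client CA under the same directory; a sentence noting that dependency on the constant would save the next maintainer a search. The enclosing `startCNSCSIWebhookManager` begins and ends outside the hunk.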
