Description
Logs
I0115 13:55:33.961285 1 handler.go:286] Adding GroupVersion acme.cloud.yandex.com v1alpha1 to ResourceManager
I0115 13:55:34.025140 1 requestheader_controller.go:169] Starting RequestHeaderAuthRequestController
I0115 13:55:34.025186 1 shared_informer.go:313] Waiting for caches to sync for RequestHeaderAuthRequestController
I0115 13:55:34.025257 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file"
I0115 13:55:34.025279 1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
I0115 13:55:34.025268 1 configmap_cafile_content.go:202] "Starting controller" name="client-ca::kube-system::extension-apiserver-authentication::client-ca-file"
I0115 13:55:34.025349 1 shared_informer.go:313] Waiting for caches to sync for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0115 13:55:34.031898 1 secure_serving.go:213] Serving securely on :8443
I0115 13:55:34.032075 1 dynamic_serving_content.go:132] "Starting controller" name="serving-cert::/tls/tls.crt::/tls/tls.key"
I0115 13:55:34.032261 1 tlsconfig.go:240] "Starting DynamicServingCertificateController"
I0115 13:55:34.128202 1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file
I0115 13:55:34.130405 1 shared_informer.go:320] Caches are synced for RequestHeaderAuthRequestController
I0115 13:55:34.130525 1 shared_informer.go:320] Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file
E0115 14:03:36.365796 1 webhook.go:275] Failed to make webhook authorizer request: Post "https://10.96.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s": context canceled
E0115 14:03:36.366090 1 errors.go:77] Post "https://10.96.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s": context canceled
E0115 14:03:36.366187 1 timeout.go:142] post-timeout activity - time-elapsed: 10.1µs, GET "/apis/acme.cloud.yandex.com/v1alpha1" result: <nil>
E0115 14:04:03.440870 1 webhook.go:275] Failed to make webhook authorizer request: Post "https://10.96.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s": context canceled
E0115 14:04:03.440972 1 errors.go:77] Post "https://10.96.0.1:443/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s": context canceled
E0115 14:04:03.441047 1 timeout.go:142] post-timeout activity - time-elapsed: 312.1µs, GET "/apis/acme.cloud.yandex.com/v1alpha1" result: <nil>
Audit logs from control plane
{
"kind":"Event",
"apiVersion":"audit.k8s.io/v1",
"level":"RequestResponse",
"auditID":"0ba2c8c4-eed1-4fac-b48a-e784614704cb",
"stage":"ResponseComplete",
"requestURI":"/apis/authorization.k8s.io/v1/subjectaccessreviews?timeout=10s",
"verb":"create",
"user":{
"username":"system:serviceaccount:infra-cert-manager:cert-manager-webhook-yandex-yc",
"uid":"b5eccfbc-5776-4580-bde1-2dc77bd3e344",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:infra-cert-manager",
"system:authenticated"
],
"extra":{
"authentication.kubernetes.io/credential-id":[
"JTI=c0617a9b-811b-4775-aaec-c16d2e00b82f"
],
"authentication.kubernetes.io/node-name":[
"k8s-node-15"
],
"authentication.kubernetes.io/node-uid":[
"dc06ae8c-58f7-44b9-b18c-83ed2bfd75be"
],
"authentication.kubernetes.io/pod-name":[
"cert-manager-webhook-yandex-yc-6459545fd4-x2t8t"
],
"authentication.kubernetes.io/pod-uid":[
"7c8591b7-ec75-40a8-8cac-c6b2812bb564"
]
}
},
"sourceIPs":[
"10.0.30.75"
],
"userAgent":"webhook/v0.0.0 (linux/amd64) kubernetes/$Format",
"objectRef":{
"resource":"subjectaccessreviews",
"apiGroup":"authorization.k8s.io",
"apiVersion":"v1"
},
"responseStatus":{
"metadata":{
},
"code":201
},
"requestObject":{
"kind":"SubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"nonResourceAttributes":{
"path":"/apis/acme.cloud.yandex.com/v1alpha1",
"verb":"get"
},
"user":"system:serviceaccount:kyverno:kyverno-admission-controller",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:kyverno",
"system:authenticated"
],
"extra":{
"authentication.kubernetes.io/credential-id":[
"JTI=bacbc95e-f63d-4c48-bdc2-b49a4b9cd73b"
],
"authentication.kubernetes.io/node-name":[
"k8s-node-14"
],
"authentication.kubernetes.io/node-uid":[
"47b8a1bf-8361-4099-95d0-273876c6d722"
],
"authentication.kubernetes.io/pod-name":[
"kyverno-admission-controller-5d4b6b9685-b6kl8"
],
"authentication.kubernetes.io/pod-uid":[
"23f2a75f-6922-4f2e-874a-cb1014829d2a"
]
}
},
"status":{
"allowed":false
}
},
"responseObject":{
"kind":"SubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null,
"managedFields":[
{
"manager":"webhook",
"operation":"Update",
"apiVersion":"authorization.k8s.io/v1",
"time":"2025-01-15T13:18:36Z",
"fieldsType":"FieldsV1",
"fieldsV1":{
"f:spec":{
"f:extra":{
".":{
},
"f:authentication.kubernetes.io/credential-id":{
},
"f:authentication.kubernetes.io/node-name":{
},
"f:authentication.kubernetes.io/node-uid":{
},
"f:authentication.kubernetes.io/pod-name":{
},
"f:authentication.kubernetes.io/pod-uid":{
}
},
"f:groups":{
},
"f:nonResourceAttributes":{
".":{
},
"f:path":{
},
"f:verb":{
}
},
"f:user":{
}
}
}
}
]
},
"spec":{
"nonResourceAttributes":{
"path":"/apis/acme.cloud.yandex.com/v1alpha1",
"verb":"get"
},
"user":"system:serviceaccount:kyverno:kyverno-admission-controller",
"groups":[
"system:serviceaccounts",
"system:serviceaccounts:kyverno",
"system:authenticated"
],
"extra":{
"authentication.kubernetes.io/credential-id":[
"JTI=bacbc95e-f63d-4c48-bdc2-b49a4b9cd73b"
],
"authentication.kubernetes.io/node-name":[
"k8s-node-14"
],
"authentication.kubernetes.io/node-uid":[
"47b8a1bf-8361-4099-95d0-273876c6d722"
],
"authentication.kubernetes.io/pod-name":[
"kyverno-admission-controller-5d4b6b9685-b6kl8"
],
"authentication.kubernetes.io/pod-uid":[
"23f2a75f-6922-4f2e-874a-cb1014829d2a"
]
}
},
"status":{
"allowed":true,
"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""
}
},
"requestReceivedTimestamp":"2025-01-15T13:18:36.031223Z",
"stageTimestamp":"2025-01-15T13:18:36.034461Z",
"annotations":{
"authorization.k8s.io/decision":"allow",
"authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-webhook-yandex-yc:auth-delegator\" of ClusterRole \"system:auth-delegator\" to ServiceAccount \"cert-manager-webhook-yandex-yc/infra-cert-manager\"",
"mutation.webhook.admission.k8s.io/round_0_index_14":"{\"configuration\":\"kyverno-resource-mutating-webhook-cfg\",\"webhook\":\"mutate.kyverno.svc-fail\",\"mutated\":false}"
}
}

I don't understand why the webhook makes subjectaccessreview review.
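Reading the audit event above field by field, as an added example (not code from the project or from the issue author): the top-level `user` is the identity that created the SubjectAccessReview, `spec.user` is the identity whose access is being checked, and the decision appears only in `responseObject.status`. `summarize_sar` and `SAMPLE_EVENT` are names made up here, and the sample is trimmed from the event above.

```python
import json

# Trimmed copy of the audit event above; only the fields read below are kept.
SPEC = {"nonResourceAttributes": {"path": "/apis/acme.cloud.yandex.com/v1alpha1", "verb": "get"},
        "user": "system:serviceaccount:kyverno:kyverno-admission-controller"}
SAMPLE_EVENT = json.dumps({
    "verb": "create",
    "user": {"username": "system:serviceaccount:infra-cert-manager:cert-manager-webhook-yandex-yc"},
    "objectRef": {"resource": "subjectaccessreviews", "apiGroup": "authorization.k8s.io"},
    "requestObject": {"spec": SPEC, "status": {"allowed": False}},
    "responseObject": {"spec": SPEC, "status": {
        "allowed": True, "reason": 'RBAC: allowed by ClusterRoleBinding "system:discovery" '
        'of ClusterRole "system:discovery" to Group "system:authenticated"'}},
    "annotations": {"authorization.k8s.io/reason": 'RBAC: allowed by ClusterRoleBinding '
                    '"cert-manager-webhook-yandex-yc:auth-delegator" of ClusterRole "system:auth-delegator" '
                    'to ServiceAccount "cert-manager-webhook-yandex-yc/infra-cert-manager"'},
})


def summarize_sar(event_json):
    """Summarize a SubjectAccessReview audit event; None for any other event."""
    ev = json.loads(event_json)
    ref = ev.get("objectRef") or {}
    if ev.get("verb") != "create" or ref.get("resource") != "subjectaccessreviews":
        return None
    resp = ev.get("responseObject")
    # The request body carries a placeholder status (allowed=false); only the
    # response holds the decision, and it is logged only at level RequestResponse.
    spec = (resp or ev.get("requestObject") or {}).get("spec", {})
    status = (resp or {}).get("status", {})
    if "resourceAttributes" in spec:
        a = spec["resourceAttributes"]
        action = " ".join(str(a.get(k, "*")) for k in ("verb", "group", "resource", "namespace"))
    else:
        a = spec.get("nonResourceAttributes", {})
        action = "{} {}".format(a.get("verb"), a.get("path"))
    return {
        "asked_by": (ev.get("user") or {}).get("username"),  # who created the review
        "about": spec.get("user"),                            # whose access is checked
        "action": action,
        "allowed": status.get("allowed"),  # None when no response body was logged
        "reason": status.get("reason"),
        "asker_authorized_by": (ev.get("annotations") or {}).get("authorization.k8s.io/reason"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_sar(SAMPLE_EVENT), indent=2))
```

For the sample, the summary shows the cert-manager-webhook-yandex-yc service account asking whether the kyverno admission controller may `get /apis/acme.cloud.yandex.com/v1alpha1`, with the asker itself authorized through the `system:auth-delegator` ClusterRole.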