Merge pull request #8523 from zalando-incubator/enable-auth-webhook
[EKS] Enable the write-protection via admission-controller
demonCoder95 authored Nov 15, 2024
2 parents 10d28b8 + e0fd9fe commit 41304ca
Showing 3 changed files with 5 additions and 4 deletions.
4 changes: 2 additions & 2 deletions cluster/config-defaults.yaml
Expand Up @@ -678,9 +678,9 @@ teapot_admission_controller_configmap_deletion_protection_factories_enabled: "tr
teapot_admission_controller_enable_rolebinding_webhook: "true"

# enable the generic admission-controller webhook which catches all resources
teapot_admission_controller_enable_generic_webhook: "false"
teapot_admission_controller_enable_generic_webhook: "true"
# prevent write operations for non-admin users in protected namespaces
teapot_admission_controller_prevent_write_operations: "false"
teapot_admission_controller_prevent_write_operations: "true"

# Enable and configure Pod Security Policy rules implemented in admission-controller.
teapot_admission_controller_pod_security_policy_enabled: "true"
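Review bot: The comment on `teapot_admission_controller_prevent_write_operations` does not say what it depends on, yet the commit flips it together with `teapot_admission_controller_enable_generic_webhook`, which suggests the write protection is enforced through the generic webhook (inferred, not visible in this hunk). If so, a cluster override that sets the generic webhook back to "false" would leave the write protection set to "true" with no effect and no warning. I would extend the comment to `# prevent write operations for non-admin users in protected namespaces; only enforced when teapot_admission_controller_enable_generic_webhook is "true"` once the dependency is confirmed. Because these are defaults, the change reaches every cluster that does not override them, so the comment should also say where "protected namespaces" and "admin" are defined.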
2 changes: 1 addition & 1 deletion cluster/manifests/02-admission-control/deployment.yaml
Expand Up @@ -33,7 +33,7 @@ spec:
priorityClassName: system-cluster-critical
containers:
- name: admission-controller
image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-224
image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-225
lifecycle:
preStop:
exec:
3 changes: 2 additions & 1 deletion cluster/manifests/02-admission-control/teapot.yaml
Expand Up @@ -493,7 +493,8 @@ webhooks:
{{- end }}
caBundle: "{{ .Cluster.ConfigItems.ca_cert_decompressed }}"
admissionReviewVersions: ["v1beta1"]
failurePolicy: Fail
# TODO: Switch back to Fail once we have solved the chicken and egg problem
failurePolicy: Ignore # Fail
sideEffects: "NoneOnDryRun"
matchPolicy: Equivalent
namespaceSelector:
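Review bot: `failurePolicy: Ignore` makes this webhook fail open: when the admission-controller is unreachable, times out or errors, the API server admits the request unchecked, so any protection this webhook provides lapses silently in those windows. The TODO should state that consequence and carry a tracking reference, e.g. `# TODO(<issue-id>): fail-open until the bootstrap ordering is solved; requests are admitted unchecked while the webhook is unavailable`. Until it is switched back, alerting on `apiserver_admission_webhook_fail_open_count` for this webhook would make those windows visible. The usual way to keep `Fail` is to exempt the controller's own namespace through the `namespaceSelector` that begins on the last line of the hunk. The selector body and the webhook's name and rules are outside the hunk, so whether this is the generic webhook enabled in config-defaults.yaml is inferred.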
