Describe the feature request
Currently the ValidatingWebhookConfiguration only matches objects with the istio.io/rev label set (to the current running revision).
This means that if someone creates an object (our use case is that our tenants can create VirtualServices in their own namespaces) they can bypass the validating webhook simply by not setting that label on their VirtualService.
objectSelector:
  matchExpressions:
  - key: istio.io/rev
    operator: In
    values:
    - 1-19-4
My proposal is to add another configuration-value allowing us to disable that objectSelector, effectively sending all istio-related objects to the webhook for validation.
Describe alternatives you've considered
I suppose this will get baked in when #46151 is completed, but it doesn't seem to be near completion right now. (currently blocked by CEL cost-limits)
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[x] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context
If you set a default revision when installing, all resources that don't have a revision label will be validated by the istiod that has that default revision
I have now done some more digging around this and while tagging a revision as default will generate a new validatingwebhook, this new webhook has an objectSelector like this:
This means that a tenant can set a label on the VirtualService to "whatevervalue", and that will then bypass the validation as long as they set this to a value not matching any revision.
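To make the coverage gap described in the issue and in the follow-up comment concrete, here is an added example (not code from the issue or from the Istio project): a small evaluator of the Kubernetes label-selector semantics an admission webhook's objectSelector uses, run against constructed tenant VirtualService labels. Only the key istio.io/rev and the value 1-19-4 come from the issue; the object names and other labels are made up for the check.

```python
# Added example, not from the Istio issue or project code: evaluate a webhook
# objectSelector the way the Kubernetes API server does and list which objects
# would never reach the validating webhook at all.
# Only "istio.io/rev" and "1-19-4" come from the issue; everything else is constructed.


def selector_matches(selector: dict, labels: dict) -> bool:
    """Kubernetes semantics: matchLabels and every matchExpressions entry are AND-ed;
    NotIn and DoesNotExist also match objects that lack the key entirely."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = set(expr.get("values", []))
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def unvalidated(selector: dict, objects: dict) -> list:
    """Names of objects for which no admission request is sent to the webhook."""
    return sorted(name for name, labels in objects.items()
                  if not selector_matches(selector, labels))


# The objectSelector quoted in the issue: only objects labelled with the running revision.
REVISION_ONLY = {"matchExpressions": [
    {"key": "istio.io/rev", "operator": "In", "values": ["1-19-4"]}]}
# The proposal from the issue: no objectSelector, so every matching resource is validated.
MATCH_ALL = {}

# Constructed tenant VirtualServices: labelled with the revision, unlabelled, mislabelled.
TENANT_OBJECTS = {
    "vs-labelled": {"istio.io/rev": "1-19-4"},
    "vs-unlabelled": {},
    "vs-mislabelled": {"istio.io/rev": "whatevervalue"},
}

if __name__ == "__main__":
    print("skipped with revision selector:", unvalidated(REVISION_ONLY, TENANT_OBJECTS))
    print("skipped with empty selector:   ", unvalidated(MATCH_ALL, TENANT_OBJECTS))
```

The revision selector skips both the unlabelled and the mislabelled object, which is exactly the bypass the issue and the comment describe; an empty selector skips none. A NotIn-style selector would catch unlabelled objects but still not an arbitrary label value, which is why the issue asks to disable the selector rather than invert it.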