Force the calling of ValidatingWebhookConfiguration for all Istio-objects #50663
Comments
|
If you set a default revision when installing, all resources that don't have a revision label will be validated by the istiod that has that default revision |
|
Thanks, I'll go ahead and explore that path! |
|
I have now done some more digging around this and while tagging a revision as This means that a tenant can set a label on the VirtualService to "whatevervalue", and that will then bypass the validation as long as they set this to a value not matching any revision. |
|
The control plane for the default revision will also ignore resources with a revision label different than its own. |
In that case I assume it makes sense to keep this issue open then if someone wants to make config validation enforceable. |
Describe the feature request
Currently the ValidatingWebhookConfiguration only matches objects with the
istio.io/revlabel set (to the current running revision).This means that if someone creates an object (our use case is that our tenants can create VirtualServices in their own namespaces) they can bypass the validating webhook simply by not setting that label on their VirtualService.
My proposal is to add another configuration-value allowing us to disable that objectSelector, effectively sending all istio-related objects to the webhook for validation.
Describe alternatives you've considered
I suppose this will get baked in when #46151 is completed, but it doesn't seem to be near completion right now. (currently blocked by CEL cost-limits)
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[x] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context
The text was updated successfully, but these errors were encountered: