
OCPBUGS-33041: Add RoleBinding for BuildConfig Webhooks #28750

Merged

Commits on May 6, 2024

  1. OCPBUGS-33041: Add RoleBinding for BuildConfig Webhooks

    Starting in OCP 4.16, the `system:webhook` ClusterRole will not be
    granted to anonymous users by default. This will break most systems
    that use BuildConfig webhooks to trigger builds, since many can't
    add an OpenShift auth token to their HTTP headers (ex: GitHub). Only
    new installations will be impacted; upgrades to 4.16 will continue to
    support unauthenticated BuildConfig webhooks.
    
    This test update verifies that BuildConfig webhooks can be triggered
    using a namespace-scoped RoleBinding for the `system:unauthenticated`
    group. RoleBindings are preferable to ClusterRoleBindings as they limit
    unauthenticated API calls to specific namespaces, reducing the
    potential attack surface. The core webhook tests were also updated to
    verify that unauthenticated webhooks fail if this RoleBinding is
    missing.
    
    Use of BuildConfig webhooks should be discouraged in favor of Pipelines
    as Code, which has more robust mechanisms for securing webhook calls
    from external systems. It also does not rely on an aggregated apiserver
    and associated RBAC.
    
    See also https://issues.redhat.com/browse/AUTH-509
    
    Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
    adambkaplan committed May 6, 2024
    43b42d4
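The namespace-scoped grant the commit message describes, written out as an added example (not code from the PR or from the openshift/origin test suite). The ClusterRole name `system:webhook` and the group `system:unauthenticated` are the ones named in the commit message; the namespace `my-app` and the binding name are placeholders.

```yaml
# Added example, not from the PR: a RoleBinding that lets unauthenticated
# callers (the system:unauthenticated group) invoke BuildConfig webhooks in
# one namespace only. "my-app" is a placeholder namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: webhook-access-unauthenticated   # placeholder name
  namespace: my-app                      # the only namespace this grant covers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole      # a ClusterRole bound through a RoleBinding stays
  name: system:webhook   # limited to metadata.namespace
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:unauthenticated
```

Apply it with `oc apply -f rolebinding.yaml` in each namespace whose BuildConfigs must accept token-less webhook calls. The same `roleRef` in a ClusterRoleBinding would grant the permission to anonymous callers in every namespace of the cluster, which is the broader exposure the commit message argues against. To confirm the scope before relying on it, use impersonation from an admin account: `oc auth can-i create buildconfigs/webhooks --as=system:anonymous --as-group=system:unauthenticated -n my-app` should answer `yes`, and the same command with `-n` pointing at another namespace should answer `no` (check `oc describe clusterrole system:webhook` for the exact resource and subresource the ClusterRole grants if the answer is unexpectedly `no`).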