feature: validatingwebhook endpoint for pod/exec calls #25

Closed
diranged opened this issue Nov 24, 2022 · 2 comments
Comments

@diranged
Owner

It isn’t possible today to dynamically use the Kubernetes Audit Logs to monitor for exec events - managed platforms like AKS/EKS configure this for you, and typically send the logging to their own backends.

However, it should be possible to create ValidatingWebhookConfigurations that respond to exec and debug events. Initially we can take the webhook calls and emit events onto the pods that they target, providing an auditing service.

In the future, we should be able to use this to implement a second layer of security beyond the allowedGroups setting.
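An added example, not part of the original issue and not this project's code: a minimal audit-only handler body for the AdmissionReview that the API server sends when a ValidatingWebhookConfiguration rule matches `CONNECT` on `pods/exec`. The names `auditExec` and `sampleReview` and all sample values are assumptions made for illustration; only the standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of admission.k8s.io/v1 AdmissionReview; request keys match case-insensitively.
type review struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *request  `json:"request,omitempty"`
	Response   *response `json:"response,omitempty"`
}
type request struct {
	UID, Operation, SubResource, Namespace, Name string // Name is the target pod
	UserInfo struct{ Username string; Groups []string }
	Object   struct{ Container string; Command []string } // PodExecOptions
}
type response struct {
	UID     string `json:"uid"`
	Allowed bool   `json:"allowed"`
}

// Constructed sample of the review the API server sends for a `kubectl exec`.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{
 "uid":"constructed-uid-1","operation":"CONNECT","subResource":"exec","namespace":"default","name":"web-0",
 "userInfo":{"username":"alice@example.com","groups":["devs"]},"object":{"container":"app","command":["/bin/sh"]}}}`

// auditExec (hypothetical) returns the audit message and the always-allow reply.
func auditExec(body []byte) (string, []byte, error) {
	var ar review
	if err := json.Unmarshal(body, &ar); err != nil || ar.Request == nil {
		return "", nil, fmt.Errorf("no usable AdmissionReview request: %v", err)
	}
	r, msg := ar.Request, ""
	if r.Operation == "CONNECT" && r.SubResource == "exec" {
		msg = fmt.Sprintf("exec user=%s groups=%v pod=%s/%s container=%q command=%q",
			r.UserInfo.Username, r.UserInfo.Groups, r.Namespace, r.Name, r.Object.Container, r.Object.Command)
	}
	ar.Request, ar.Response = nil, &response{UID: r.UID, Allowed: true}
	out, err := json.Marshal(ar)
	return msg, out, err
}

func main() {
	msg, reply, err := auditExec([]byte(sampleReview))
	fmt.Println(msg, string(reply), err)
}
```

Serving this over TLS and recording the message as an Event on the target pod are left out; the reply echoes the request `uid` and always sets `allowed: true`, so the webhook observes without blocking.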

@diranged diranged changed the title feature: validatingwebhook endpoint feature: validatingwebhook endpoint for pod/exec calls Nov 24, 2022
@diranged
Owner Author

diranged commented Dec 2, 2022

Hoping open-policy-agent/gatekeeper#1056 provides a bit of a clue on how to do this...

@diranged
Owner Author

Closed by #52
