Skip to content

Set ClusterRole for roleRef in unauth webook example #95980

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Set ClusterRole for roleRef in unauth webook example #95980

wants to merge 1 commit into from
+1 −1

Conversation

dustymabe
Copy link
Member

Otherwise my webhooks don't work and I get failure replies to my sent webhooks with messages like:

RBAC: role.rbac.authorization.k8s.io \"system:webhook\" not found.

@dustymabe
Set ClusterRole for roleRef in unauth webook example
4d13f6f 
Otherwise my webhooks don't work and I get failure replies to my
sent webhooks with messages like:

```
RBAC: role.rbac.authorization.k8s.io \"system:webhook\" not found.
```
@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 10, 2025
@dustymabe
Copy link
Member Author

cc @adambkaplan

@ocpdocs-previewbot
Copy link

🤖 Thu Jul 10 21:50:12 - Prow CI generated the docs preview:

https://95980--ocpdocs-pr.netlify.app/openshift-dedicated/latest/cicd/builds/triggering-builds-build-hooks.html
https://95980--ocpdocs-pr.netlify.app/openshift-enterprise/latest/cicd/builds/triggering-builds-build-hooks.html
https://95980--ocpdocs-pr.netlify.app/openshift-rosa-hcp/latest/cicd/builds/triggering-builds-build-hooks.html
https://95980--ocpdocs-pr.netlify.app/openshift-rosa/latest/cicd/builds/triggering-builds-build-hooks.html

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 10, 2025

@dustymabe: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@adambkaplan
Copy link
Contributor

/hold

We were deliberate in using Role instead of ClusterRole in the docs here.

OpenShift's mechanism for triggering builds generically via webhooks is dated and doesn't incorporate OWASP best practices - particularly protections around access control, as evidenced by the current docs. Granting the system:webhook role to the system:unauthenticated group globally means that anyone can trigger a resource-intensive operation (a build) on a cluster in any namespace if they are able to obtain the right information. Documenting RoleBinding here is meant to prompt cluster admins to take stock of where they are running builds, and only expose the webhook endpoint to namespaces that need it.

Current users of BuildConfig webhooks should strongly consider moving off this to OpenShift Pipelines and Pipelines as Code. This has stronger webhook protections built in and also enables additional features related to software supply chain, such as Tekton Chains.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2025
@dustymabe
Copy link
Member Author

Documenting RoleBinding here is meant to prompt cluster admins to take stock of where they are running builds, and only expose the webhook endpoint to namespaces that need it.

I thought the fact that this example includes namespace: <namespace> in the rolebinding implied that it was only taking effect on that specific namespace and wasn't clusterwide. Is that not the case?

@adambkaplan
Copy link
Contributor

I thought the fact that this example includes namespace: in the rolebinding implied that it was only taking effect on that specific namespace and wasn't clusterwide. Is that not the case?

Shame on me then - I misread it (and this is why k8s RBAC is hard).

system:webhook is indeed a cluster-scoped role, and system:unauthenticated is a global user group, but RoleBinding applies the RBAC permission only to the namespace in question.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jul 14, 2025
@adambkaplan
Copy link
Contributor

/hold cancel

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 14, 2025
@jldohmann
Copy link
Contributor

system:webhook is indeed a cluster-scoped role, and system:unauthenticated is a global user group, but RoleBinding applies the RBAC permission only to the namespace in question.

@adambkaplan sounds like this might be good to add as a note somewhere. either as a callout or an admonition below the code block. wdyt?

@jldohmann jldohmann added this to the Continuous Release milestone Jul 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@adambkaplan adambkaplan

Labels
branch/enterprise-4.16 branch/enterprise-4.17 branch/enterprise-4.18 branch/enterprise-4.19 branch/enterprise-4.20 lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
Continuous Release
Development

Successfully merging this pull request may close these issues.
4 participants
@dustymabe @ocpdocs-previewbot @adambkaplan @jldohmann