By default, firewall rules restrict the cluster master's communication to nodes to ports 443 (HTTPS) and 10250 (kubelet) only. Although Gatekeeper exposes its Service on port 443, GKE enables the `--enable-aggregator-routing` option by default, which makes the master bypass the Service and communicate directly with the pod on port 8443.
Two ways of working around this:

- create a new firewall rule from the master to the private nodes to open port `8443` (or any other custom port)
- make the pod run on the privileged port 443 (the pod then needs to run as root)
  - update the Gatekeeper deployment manifest spec:
    - remove the `securityContext` settings that force the pods not to run as root
    - update the port from 8443 to 443:

      ```yaml
      containers:
      - args:
        - --port=443
        ports:
        - containerPort: 443
          name: webhook-server
          protocol: TCP
      ```

  - update the Gatekeeper service manifest spec so that `targetPort` matches:

      ```yaml
      ports:
      - port: 443
        targetPort: 443
      ```
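The port change has to be made consistently in three places (the manager's `--port` argument, the `containerPort`, and the Service `targetPort`), and a privileged port cannot be bound by a container that is forced to run as non-root. The following added example, which is not part of the Gatekeeper project, checks a Deployment and a Service for exactly those conditions; the manifests it builds are constructed samples that mirror the snippets above, and real ones would be loaded with a YAML parser instead.

```python
# Added example, not code from the Gatekeeper project: verifies that the three
# places the webhook port appears agree, and that a privileged port is not
# combined with a runAsNonRoot securityContext (which would make the pod fail
# to bind and crash-loop). Manifests are constructed inline as dicts.

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root or CAP_NET_BIND_SERVICE


def make_manifests(port, run_as_non_root):
    """Build minimal Gatekeeper-like Deployment and Service dicts (constructed sample)."""
    deployment = {"spec": {"template": {"spec": {"containers": [{
        "name": "manager",
        "args": [f"--port={port}", "--logtostderr"],
        "ports": [{"containerPort": port, "name": "webhook-server", "protocol": "TCP"}],
        "securityContext": {"runAsNonRoot": run_as_non_root,
                            "allowPrivilegeEscalation": False},
    }]}}}}
    service = {"spec": {"ports": [{"port": 443, "targetPort": port}]}}
    return deployment, service


def webhook_port_findings(deployment, service):
    """Return a list of problems; an empty list means the manifests are consistent."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    container = next(c for c in pod_spec["containers"] if c["name"] == "manager")
    # 1. the port the webhook server is told to listen on
    arg_port = next((int(a.split("=", 1)[1]) for a in container.get("args", [])
                     if a.startswith("--port=")), None)
    # 2. the containerPort declared for the webhook
    container_port = next((p["containerPort"] for p in container.get("ports", [])
                           if p.get("name") == "webhook-server"), None)
    # 3. the Service targetPort (what the master reaches when aggregator routing is off)
    svc_port = service["spec"]["ports"][0]
    target_port = svc_port.get("targetPort", svc_port["port"])
    if arg_port is None:
        findings.append("manager container has no --port argument")
    elif not (arg_port == container_port == target_port):
        findings.append(f"port mismatch: --port={arg_port}, "
                        f"containerPort={container_port}, targetPort={target_port}")
    # Binding a privileged port as a non-root user fails at startup.
    non_root = (container.get("securityContext", {}).get("runAsNonRoot")
                or pod_spec.get("securityContext", {}).get("runAsNonRoot"))
    if arg_port is not None and arg_port < PRIVILEGED_PORT_LIMIT and non_root:
        findings.append(f"port {arg_port} is privileged but runAsNonRoot is set")
    return findings


if __name__ == "__main__":
    for port, non_root in ((8443, True), (443, True), (443, False)):
        print(port, non_root, webhook_port_findings(*make_manifests(port, non_root)))
```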
When running on OpenShift, the `anyuid` SCC must be used to keep a restricted profile while still being able to set the user ID.

In order to use it, the following section must be added to the `gatekeeper-manager-role` Role:

```yaml
- apiGroups:
  - security.openshift.io
  resourceNames:
  - anyuid
  resources:
  - securitycontextconstraints
  verbs:
  - use
```

With this restricted profile, it won't be possible to set the `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` annotation. On the other hand, given the limited amount of privileges provided by the `anyuid` SCC, the annotation can be removed.