Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces #350
Conversation
@ritazh LGTY?
@ritazh I think this should be unblocked now.
@@ -30,6 +31,7 @@ spec: | |||
- "--audit-interval=30" | |||
- "--port=8443" | |||
- "--logtostderr" | |||
- "--exempt-namespace=gatekeeper-system" |
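Review bot: the exemption list this hunk introduces contains only `--exempt-namespace=gatekeeper-system`, and nothing in the YAML records why kube-system is deliberately left out; a short comment beside the flag stating that excusing a namespace lets anyone able to label it turn off enforcement there (the concern raised in the thread below) would keep a later edit from silently widening the list.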
In addition to gatekeeper-system, I think we should also add kube-system to the default exemption list. I know there are users who have the control-plane label on kube-system today to ensure resources in that namespace are not impacted by Gatekeeper.
I'm more concerned about unexpectedly opening a security hole for users who haven't already done so.
Users that have set the control-plane label on kube-system will break anyway once the label becomes deprecated. Because we should not modify people's kube-system namespace by default, including kube-system as an excused label will be the worst of both worlds: previous exclusion efforts will still fail, and users who didn't want to exclude kube-system will unknowingly be vulnerable to people adding the exclusion label.
This was discussed in the meeting 2.5 weeks ago.
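To make the decision the thread above argues about concrete, here is a small added example (not Gatekeeper's own code) that models the webhook's rule against the manager args from the diff: the ignore label is honoured only on namespaces pre-approved via `--exempt-namespace`. The label key `admission.gatekeeper.sh/ignore`, the `Namespace` stand-in struct and the sample namespaces are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// ignoreLabel is the assumed label key that marks a namespace as exempt from
// Gatekeeper admission checks.
const ignoreLabel = "admission.gatekeeper.sh/ignore"

// Namespace is a minimal stand-in for Kubernetes Namespace metadata,
// constructed so the example runs without client-go.
type Namespace struct {
	Name   string
	Labels map[string]string
}

// exemptFromArgs collects every --exempt-namespace=<name> value from a
// container args list such as the manager Deployment args in the diff.
func exemptFromArgs(args []string) map[string]bool {
	exempt := map[string]bool{}
	for _, a := range args {
		if strings.HasPrefix(a, "--exempt-namespace=") {
			exempt[strings.TrimSpace(strings.TrimPrefix(a, "--exempt-namespace="))] = true
		}
	}
	return exempt
}

// validateNamespace mirrors the webhook decision: a namespace may carry the
// ignore label only if the operator listed it via --exempt-namespace.
// It returns (allowed, reason).
func validateNamespace(ns Namespace, exempt map[string]bool) (bool, string) {
	if _, labeled := ns.Labels[ignoreLabel]; !labeled {
		return true, "" // unlabeled namespaces are never affected by this check
	}
	if exempt[ns.Name] {
		return true, ""
	}
	return false, fmt.Sprintf("namespace %q carries %s but is not in --exempt-namespace", ns.Name, ignoreLabel)
}

func main() {
	// Args as in the PR hunk: only gatekeeper-system is excused by default.
	exempt := exemptFromArgs([]string{"--audit-interval=30", "--port=8443", "--logtostderr", "--exempt-namespace=gatekeeper-system"})
	for _, ns := range []Namespace{
		{Name: "gatekeeper-system", Labels: map[string]string{ignoreLabel: "true"}},
		{Name: "kube-system", Labels: map[string]string{ignoreLabel: "true"}}, // rejected: not excused
		{Name: "payments", Labels: map[string]string{"team": "billing"}},
	} {
		ok, why := validateNamespace(ns, exempt)
		fmt.Printf("%-18s allowed=%v %s\n", ns.Name, ok, why)
	}
}
```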
Fixes open-policy-agent#231 Signed-off-by: Max Smythe <smythe@google.com>
LGTM
Fixes #231
We need to add a deprecation notice to the release notes for using the control-plane label as a way to ignore namespaces. We should also file a bug to remove the labelselector when this is submitted. I've set the deprecation to a month from now in the comments on the YAML.

UPDATE: the control-plane label will continue to be part of deploy/gatekeeper.yaml until we have a better solution.

Signed-off-by: Max Smythe <smythe@google.com>