Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces #350
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
9282309
to
be7ac75
Compare
ritazh
reviewed
Dec 20, 2019
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
28627bb
to
8570946
Compare
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
5b8f639
to
877857e
Compare
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
877857e
to
e15f62d
Compare
|
@ritazh LGTY? |
ritazh
reviewed
Jan 15, 2020
ritazh
reviewed
Jan 15, 2020
ritazh
reviewed
Jan 15, 2020
ritazh
reviewed
Jan 15, 2020
maxsmythe
force-pushed
the
validate-ignore-label
branch
2 times, most recently
from
fad4d79
to
09729e1
Compare
|
@ritazh I think this should be unblocked now. |
sozercan
reviewed
Jan 22, 2020
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
09729e1
to
31d5b3b
Compare
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
8d69359
to
90d2548
Compare
ritazh
reviewed
Jan 23, 2020
ritazh
reviewed
Jan 23, 2020
manifest_staging/chart/gatekeeper-operator/helm-modifications/helm-modifications.yaml
Outdated
Show resolved
Hide resolved
ritazh
reviewed
Jan 23, 2020
manifest_staging/chart/gatekeeper-operator/templates/gatekeeper.yaml
Outdated
Show resolved
Hide resolved
ritazh
reviewed
Jan 23, 2020
ritazh
reviewed
Jan 23, 2020
| @@ -30,6 +31,7 @@ spec: | |||
| - "--audit-interval=30" | |||
| - "--port=8443" | |||
| - "--logtostderr" | |||
| - "--exempt-namespace=gatekeeper-system" | |||
There was a problem hiding this comment.
In addition to gatekeeper-system, I think we should also add kube-system to the default exemption list. I know there are users who have the control-plane label on kube-system today to ensure resources in that namespace are not impacted by Gatekeeper.
There was a problem hiding this comment.
I'm more concerned about unexpectedly opening a security hole for users who haven't already done so.
Users that have set the control-plane label on kube-system will break anyway once the label becomes deprecated. Because we should not modify people's kube-system namespace by default including kube-system as an excused label will be the worst of both worlds: previous exclusion efforts will still fail and users who didn't want to exclude kube-system will unknowingly be vulnerable to people adding the exclusion label.
This was discussed in the meeting 2.5 weeks ago.
sozercan
reviewed
Jan 23, 2020
ritazh
reviewed
Jan 24, 2020
Fixes open-policy-agent#231 Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
force-pushed
the
validate-ignore-label
branch
from
5cf83ba
to
d284217
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #231
We need to add a deprecation notice to the release notes for using the
control-planelabel as a way to ignore namespaces. We should also should file a bug to remove the labelselector when this is submitted.I've set the deprecation to a month from now in the comments on the YAML.
UPDATE: the
control-planelabel will continue to be part of deploy/gatekeeper.yaml until we have a better solution.Signed-off-by: Max Smythe smythe@google.com