Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces #350

Merged: maxsmythe merged 19 commits into open-policy-agent:master from maxsmythe:validate-ignore-label on Jan 24, 2020
Commits (19, all by maxsmythe):

f66fc5a Add a webhook to reject the gatekeeper-ignore label on non-GK namespaces
ed1f25b Namespace label webhook should fail hard
588a4a7 Fix lint errors
3507bd1 Wait for webhook on e2e tests; add gatekeeper label
0e628b5 Remove unnecessary return code
7c2d55b use --resolve instead of --connect-to for ubuntu compatibility
005e435 Move cleaning of temp file closer to its creation
c0fb454 Incorporate feedback from community mtg
2dc6113 Fix manifests, add e2e tests
2358be9 Add README
0742330 Add flag to helm chart
9ec2c94 Regenerate helm chart
a59ca8d Update README to include `does not exclude audit`
88a63f6 Add DR instructions to README
0e2056b Use staging manifests
28f83ed Add webhook customization readme and tweak flag name
05acc50 Add flag change to manifest
be1c146 Add remaining namespaces -> namespace flag changes
d284217 Update deprecation comment
Review comment:

In addition to gatekeeper-system, I think we should also add kube-system to the default exemption list. I know there are users who have the control-plane label on kube-system today to ensure resources in that namespace are not impacted by Gatekeeper.
Reply:

I'm more concerned about unexpectedly opening a security hole for users who haven't already done so.

Users that have set the control-plane label on kube-system will break anyway once the label becomes deprecated. Because we should not modify people's kube-system namespace by default, including kube-system as an excused label will be the worst of both worlds: previous exclusion efforts will still fail, and users who didn't want to exclude kube-system will unknowingly be vulnerable to people adding the exclusion label.

This was discussed in the meeting 2.5 weeks ago.
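The decision the thread is arguing about, as an added example that is not code from this PR or from Gatekeeper: a minimal validating-webhook check that accepts the ignore label only on namespaces in the exempt set and denies anything it cannot parse (fail closed, as the "should fail hard" commit asks). The label key, the trimmed AdmissionReview shape and the exempt set are assumptions; the test at the end shows that adding kube-system to the exempt set is exactly what lets the label through on kube-system.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Placeholder label key; an assumption, not Gatekeeper's real label name.
const ignoreLabel = "example.gatekeeper/ignore"

// Minimal subset of an AdmissionReview for a Namespace object (assumed shape).
type admissionReview struct {
	Request struct {
		Object struct {
			Metadata struct {
				Name   string            `json:"name"`
				Labels map[string]string `json:"labels"`
			} `json:"metadata"`
		} `json:"object"`
	} `json:"request"`
}

// validateIgnoreLabel decides whether a Namespace create/update may carry the
// ignore label: only namespaces in the exempt set may; unparseable input is denied.
func validateIgnoreLabel(raw []byte, exempt map[string]bool) (allowed bool, reason string) {
	var ar admissionReview
	if err := json.Unmarshal(raw, &ar); err != nil {
		return false, "malformed admission request (failing closed): " + err.Error()
	}
	ns := ar.Request.Object.Metadata.Name
	if _, has := ar.Request.Object.Metadata.Labels[ignoreLabel]; !has {
		return true, "" // no ignore label present, nothing to police
	}
	if exempt[ns] {
		return true, ""
	}
	return false, fmt.Sprintf("label %q is not allowed on namespace %q (not in exempt list)", ignoreLabel, ns)
}

// nsRequest builds a constructed admission request for a namespace with the given labels.
func nsRequest(name string, labels map[string]string) []byte {
	var ar admissionReview
	ar.Request.Object.Metadata.Name = name
	ar.Request.Object.Metadata.Labels = labels
	raw, _ := json.Marshal(ar)
	return raw
}
```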