-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify only pods #1388
Comments
/assign |
@hectorj2f - could you please assign it to me, started to work on code that supporting that. |
@senanz We are also facing the same issue and are searching for solutions. Seems like you are working on solving this problem, but do you have plans to create a PR? |
@hectorj2f - I have already have the change, need to do some modification and let's discuss that then. |
@0xiso - I have the PR need some updates and will raise it again. |
@hectorj2f - Could you please review? |
Description
Make policy-controller configurable to only consider pods, not higher level resources.
Use case
We are using a continuous reconciliation (GitOps) solution, Flux, to maintain cluster state. The mutation of the image reference by the mutating admission webhook has undesired effects for us when used in conjunction with Flux:
Workarounds
While the scope of resources to validate can be controlled on the Policy level, this is not sufficient for our use, as mutations still get applied to all recognized resources and this seems to be hard coded. The only workaround I found was to fork the code and remove these.
Related work
Correct me if I am wrong, but I believe this change would not deteriorate the integrity of the cluster, since the pods owned by these unvalidated resources would still go through admission control, and their images will be verified. As an example of this practice, PSA (Pod Security Admission) only operates on the pod resource. Recently, Connaisseur also added a flag to opt out of higher level resource validation.
The text was updated successfully, but these errors were encountered: