-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add DenyPSALabel admission plugin #10950
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #10950 +/- ##
==========================================
- Coverage 49.64% 40.11% -9.54%
==========================================
Files 178 162 -16
Lines 14801 14354 -447
==========================================
- Hits 7348 5758 -1590
- Misses 6105 7405 +1300
+ Partials 1348 1191 -157
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before this is merged, @galal-hussein can you fill out this PR more? There isn't any linked issues and there is no testing for a new feature. You should be able to add a new testlet to the startup integration test https://github.com/k3s-io/k3s/blob/master/tests/integration/startup/startup_int_test.go
@dereknola sure will fix that |
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
81261af
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
It("change label of namespace", func() { | ||
res, err := testutil.K3sCmd("kubectl label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=baseline") | ||
Expect(err).To(HaveOccurred()) | ||
Expect(res).To(ContainSubstring("denying use of PSA label on namespace")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that this test will fail as-is, since this is not the string that is output any longer.
Expect(res).To(ContainSubstring("denying use of PSA label on namespace")) | |
Expect(res).To(ContainSubstring("Use of label with pod-security.kubernetes.io/ prefix on Namespace is denied by admission control")) |
Proposed Changes
The PR adds a new admission plugin to the apiserver, this has become available by the recent patch k3s-io/kubernetes@94d3e60 which allows the users to register a new plugin dynamically when starting the API server.
The plugin "DenyPSALabel" will deny the overriding of the default PSA security configuration passed to the API server, by default this plugin will not start nor any behavior will be different unless the user passes the following arguments to k3s:
k3s server --deny-psa-label --kube-apiserver-arg="enable-admission-plugin=DenyPSALabel"
The first flag will register the plugin to the apiserver and the second flag will enable it in the runtime
Types of Changes
Testing
should result in an error.
Linked Issues
User-Facing Change
Further Comments