Comments (10)
chewong
commented on July 2, 2024
2
I can take a look at this issue if no one is working on it 😄
from gatekeeper-library.
kfox1111
commented on July 2, 2024
1
no, sorry. completely fell off my radar.
https://open-policy-agent.github.io/gatekeeper/website/docs/sync/ might be useful for helping solve it.
from gatekeeper-library.
crowean
commented on July 2, 2024
1
I can take a look at this issue if no one is working on it smile
If you have time, Could you take a look this link?
open-policy-agent/community#69
from gatekeeper-library.
s-spindler
commented on July 2, 2024
I'd be very interested in this as well. @kfox1111 have you found a workaround?
from gatekeeper-library.
kfox1111
commented on July 2, 2024
not yet.
from gatekeeper-library.
crowean
commented on July 2, 2024
If you have any updates, could you please share @kfox1111 ?
from gatekeeper-library.
kfox1111
commented on July 2, 2024
I'd add one other recommendation. I've seen the elasticsearch operator adjust pdb to be equal to statefulset.replica's in times when the elasticsearch cluster is not green. This is a desirable feature I think. So the check should probably ignore enforcement on things that have ownerReference's
from gatekeeper-library.
maxsmythe
commented on July 2, 2024
As in, if a deployment has an owner reference, ignore the check?
Is there any risk of a user using this exception maliciously, such as by setting a false owner reference? It could reference a real K8s object, but the object could just not be managing the resource-under-test.
from gatekeeper-library.
kfox1111
commented on July 2, 2024
Yeah. I don't think there's a way to deal with malicious in this context. There's probably quite a few ways besides just owner references to still make pdb's that block rolling upgrades. I think this check is probably useful just to try and prevent accidental configurations that block rolling upgrades.
from gatekeeper-library.
maxsmythe
commented on July 2, 2024
If we want to selectively disable it for certain services, would using match criteria be a better fit for that? It would leave more flexibility for configuration on the user's end.
from gatekeeper-library.
Related Issues (20)
- replicalimits unit tests do not include checks for Scale resources HOT 4
- Consider validating pod generic ephemerals in K8sStorageClass HOT 2
- Consolidating Kubernetes PSP-related ConstraintTemplates into a Single Template for Streamlined Migration HOT 1
- bump mutate assign api version from alpha to v1
- Website generator appears to only retain the final mutation sample per directory HOT 2
- Any interest in policies/constraints that apply to custom resources? HOT 6
- Workflow Upload artifacts: overwrites the matrixed job logs HOT 1
- k8spsphostnetworkingports exemptImages does not allow hostNetwork HOT 4
- automount-serviceaccount-token ConstraintTemplate does not reflect ServiceAccount settings HOT 1
- Not able to create statefulset without storageclass with policy k8sallowedstorageclas is used HOT 1
- Should apparmor always view unconfined as complaint? HOT 4
- The example of disallowed/allowed ingress resources in the unique ingress host example has incorrect hostnames HOT 9
- Add colon in message for consistency
- Example of pod mutation adding init-container HOT 4
- Example k8scontainerlimits does not throw error for a deployment but does on a plain Pod creation HOT 2
- poddisruptionbudget policy query HOT 2
- K8sRequiredResources ConstraintTemplate doesn't work properly HOT 1
- `variables.anyObject` should be used for required labels CEL
- Add CEL code for PSP Policies in library
- Improve Rego testing for library
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-library.