fix: Use correct rules for ephemeralcontainers
#58
Conversation
artifacthub-pkg.yml
Outdated
| @@ -76,6 +76,6 @@ annotations: | |||
| - v1 | |||
| resources: | |||
| - pods | |||
| - pods/ephemeralcontainers | |||
| - ephemeralcontainers | |||
There was a problem hiding this comment.
This is still wrong, because EphemeralContainers are not a Kubernetes resource, but a sub-resource of Pod.
If you run the following command:
kubectl api-resourcesyou will see that ephemeral containers are not part of the output.
Looking into this section of the Dynamic Admission Controller webhooks, it seems that doing pods/ephemeralcontainers is fine.
However, I think that if you have the "parent" resource inside of the rules (like pods), it doesn't make a big difference to have also pods/ephemeralresources.
It would matter for a policy that is interested at evaluating only the contents of ephemeral containers, which is not the case here.
To summarize:
- this policy: I would just remove
ephemeralcontainersfrom there - audit-scanner: when looking into policies that have subresources as targets, things get complicated... because we have to generate a different request. See the 1st example here: the
scalesub-resource of aDeploymenthas been changed, the policy is going not going to receive the whole Deployment inside ofadmissionreview.request.object, but theScaleobject. This is something worth to be tracked with a dedicated issue onaudit-controller
There was a problem hiding this comment.
Well spotted. I have amended the PR to drop ephemeralcontainers.
On the audit-scanner side, I'm not sure it's a bug or a missing feature; if a policy declares a rules for a subresource, it must be able to validate a request that only contains that subresource.
For this specific policy we must ensure we don't set the subresource then.
There was a problem hiding this comment.
Yeah, I think for audit-scanner we have to handle the case of a policy that is targeting only a sub-resource. I don't think this is something common, we could just track it and work on that when someone complains about that
There was a problem hiding this comment.
In my opinion the audit-scanner should we working seamlessly already; I don't think it sees a difference between a resource or a subresource. Hence why the policy was already being triggered by the audit-scanner.
Nevertheless, I opened kubewarden/audit-scanner#322 for bookeeping.
pods/ephemeralcontainers is a subresource of pods, including pods is enough. Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Signed-off-by: Víctor Cuadrado Juan <[email protected]>
|
tagged in main as 0.1.10. |
Description
Relates to #57
Set correct rules for
ephemeralcontainers.Prepare for release.
Test
CI
Additional Information
Tradeoff
Potential improvement