Exemptions with same matcher twice cause erroneous deletes #314

Closed
mjnagel opened this issue Mar 29, 2024 · 0 comments · Fixed by #407

Comments

@mjnagel
Contributor

mjnagel commented Mar 29, 2024

Here's a minimal reproduction of the issue I'm seeing:

```yaml
apiVersion: uds.dev/v1alpha1
kind: Exemption
metadata:
  name: test
  namespace: uds-policy-exemptions
spec:
  exemptions:
    - policies:
        - DisallowHostNamespaces
      matcher:
        namespace: test
        name: "^test-pod.*"
    - policies:
        - DisallowPrivileged
      matcher:
        namespace: test
        name: "^test-pod.*"
    - policies:
        - RequireNonRootUser
      matcher:
        namespace: test
        name: "^test-pod.*"
    - policies:
        - DropAllCapabilities
      matcher:
        namespace: test
        name: "^test-pod.*"
```

If you apply this manifest the peprstore ends up only having the DropAllCapabilities exemption. This would be true anytime someone uses the same exact matcher in the same CR (i.e. anytime name, namespace, kind, and owner line up), but with multiple separate policy lists. I do think this is a quite viable situation that we should support if we can - someone might want to separate out exemptions within the same CR so that they could put specific descriptions on each, for example. Happy to help brainstorm how to handle this.

Originally posted by @mjnagel in #290 (comment)
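As an added illustration (not code from UDS Core, Pepr or the linked PR), the overwrite that the manifest above triggers, next to a merge that keeps every policy for a repeated matcher. The store shape, the key built from kind/namespace/name, and the function names are assumptions made for the example:

```typescript
// Added illustration, not UDS Core or Pepr code: a store keyed on the matcher
// alone loses policies when one Exemption CR reuses that matcher.
interface Matcher {
  namespace: string;
  name: string;
  kind?: string; // assumed optional; the issue's manifest omits it
}
interface ExemptionElement { policies: string[]; matcher: Matcher }

// Constructed input mirroring the issue's manifest: four elements, one matcher.
const SAME_MATCHER: Matcher = { namespace: "test", name: "^test-pod.*" };
const SAMPLE: ExemptionElement[] = [
  "DisallowHostNamespaces",
  "DisallowPrivileged",
  "RequireNonRootUser",
  "DropAllCapabilities",
].map((p) => ({ policies: [p], matcher: { ...SAME_MATCHER } }));

// Hypothetical store key: the fields the issue says define "the same matcher"
// (kind, namespace, name); the owning CR would also be part of it in practice.
function matcherKey(m: Matcher): string {
  return `${m.kind ?? "pod"}/${m.namespace}/${m.name}`;
}

// Buggy behaviour the issue describes: each element replaces the entry for its
// matcher key, so only the last element's policies survive.
function storeOverwrite(elements: ExemptionElement[]): Map<string, string[]> {
  const store = new Map<string, string[]>();
  for (const e of elements) store.set(matcherKey(e.matcher), [...e.policies]);
  return store;
}

// Corrected behaviour: union the policy lists of elements sharing a matcher.
function storeMerge(elements: ExemptionElement[]): Map<string, string[]> {
  const store = new Map<string, string[]>();
  for (const e of elements) {
    const key = matcherKey(e.matcher);
    const merged = new Set([...(store.get(key) ?? []), ...e.policies]);
    store.set(key, Array.from(merged));
  }
  return store;
}

// Policies a pod matching `m` is exempt from under a given store.
function exemptedPolicies(store: Map<string, string[]>, m: Matcher): string[] {
  return store.get(matcherKey(m)) ?? [];
}
```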

mjnagel added a commit that referenced this issue Jun 5, 2024
## Description
Fixes race conditions with exemptions that result in overwrites of
previous exemptions in the Pepr store or mutating then allowing pods
that were meant to be exempted from mutation.

## Issue

Fixes #409 

Fixes #314

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) (https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed

---------

Co-authored-by: Case Wylie <cmwylie19@gmail.com>
Co-authored-by: Micah Nagel <micah.nagel@defenseunicorns.com>
Co-authored-by: Rob Ferguson <rjferguson21@gmail.com>
rjferguson21 added a commit that referenced this issue Jul 11, 2024