-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
admission-gcp: Add SecretBinding validator #428
Merged
kon-angelo
merged 1 commit into
gardener:master
from
ialidzhikov:enh/secretbinding-webhook
May 17, 2022
Merged
admission-gcp: Add SecretBinding validator #428
kon-angelo
merged 1 commit into
gardener:master
from
ialidzhikov:enh/secretbinding-webhook
May 17, 2022
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gardener-robot
added
area/cost
Cost related
area/robustness
Robustness, reliability, resilience related
kind/enhancement
Enhancement, improvement, extension
platform/gcp
Google cloud platform/infrastructure
needs/review
Needs review
size/m
Size of pull request is medium (see gardener-robot robot/bots/size.py)
labels
Apr 18, 2022
gardener-robot-ci-1
added
the
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
label
Apr 18, 2022
gardener-robot-ci-3
added
needs/ok-to-test
Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
and removed
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
labels
Apr 18, 2022
ialidzhikov
force-pushed
the
enh/secretbinding-webhook
branch
from
April 19, 2022 12:02
9517b8a
to
5058dc4
Compare
gardener-robot-ci-3
added
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
and removed
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
labels
Apr 19, 2022
@ialidzhikov You need rebase this pull request with latest master branch. Please check. |
rfranzke
previously approved these changes
May 4, 2022
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice PR!
/lgtm
/rebase |
gardener-robot
added
reviewed/lgtm
Has approval for merging
needs/rebase
Needs git rebase
needs/lgtm
Needs approval for merging
and removed
needs/rebase
Needs git rebase
needs/review
Needs review
reviewed/lgtm
Has approval for merging
needs/lgtm
Needs approval for merging
labels
May 4, 2022
Signed-off-by: ialidzhikov <i.alidjikov@gmail.com>
ialidzhikov
force-pushed
the
enh/secretbinding-webhook
branch
from
May 9, 2022 08:02
5058dc4
to
5c40723
Compare
gardener-robot
added
needs/review
Needs review
and removed
needs/review
Needs review
labels
May 9, 2022
gardener-robot-ci-1
added
the
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
label
May 9, 2022
gardener-robot-ci-3
removed
the
reviewed/ok-to-test
Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
label
May 9, 2022
kon-angelo
approved these changes
May 17, 2022
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
gardener-robot
added
the
status/closed
Issue is closed (either delivered or triaged)
label
May 17, 2022
This was referenced May 26, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/cost
Cost related
area/robustness
Robustness, reliability, resilience related
kind/enhancement
Enhancement, improvement, extension
needs/ok-to-test
Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD)
platform/gcp
Google cloud platform/infrastructure
reviewed/lgtm
Has approval for merging
size/m
Size of pull request is medium (see gardener-robot robot/bots/size.py)
status/closed
Issue is closed (either delivered or triaged)
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
/area robustness
/area cost
/kind enhancement
/platform gcp
With the introduction of the
provider.type
field for SecretBindings, there is the following gap. One can create a SecretBinding withprovider.type=gcp
for example and reference a non-gcp Secret. Then GCM will add theprovider.shoot.gardener.cloud/gcp=true
label to the corresponding non-gcp Secret and admission-gcp will start validating UPDATE requests for this Secret. Hence, admission-gcp will reject any UPDATE requests to the Secret with the reason that it is not a valid gcp secret.To prevent such misconfiguration, admission-gcp now introduces a SecretBinding validator that validates the Secret on SecretBinding creation (previously the Secret was validated on Shoot creation). In this was the admission-gcp component also improves by dropping the cache for SecretBindings - this improvement was also mentioned in #396 (comment).
Part of #143
Special notes for your reviewer:
gardener/gardener@v1.44.0
to be vendored (in details it needs Implement the core.Object interface for SecretBinding types gardener#5665). Hence, I will rebase aftergardener/gardener@v1.44.0
is vendored.Release note: