Roll back problematic pod labeling feature #1088
Conversation
Codecov Report
@@ Coverage Diff @@
##             main    #1088      +/-   ##
==========================================
+ Coverage   50.13%   50.65%   +0.51%
==========================================
  Files          42       42
  Lines        4789     4740      -49
==========================================
  Hits         2401     2401
+ Misses       2309     2262      -47
+ Partials       79       77       -2
Some time ago I introduced a feature for the SPO to label denials for pods. While this seemed like a good idea at the time, it introduces too many privileges for the SPOd (update and patch all pods). While there haven't been any security incidents reported for the SPOd, the drawbacks of giving such privileges are more critical than the features the labeling would have enabled. So, let's get rid of this feature and revisit the problem another time. Signed-off-by: Juan Antonio Osorio <juan.osoriorobles@eu.equinix.com>
/test pull-security-profiles-operator-test-e2e
/retest
So I'm fine removing this functionality (AFAIK nothing and nobody uses it now), but I'd like to discuss alternatives, because I think it's something users will ask for. The use-case I care about the most is:
@jhrozek I was actually thinking about doing events instead. But struggled to introduce them without adding a lot of extra complexity to the codebase. We might need to do some refactoring.
Let's file an issue, then |
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JAORMX, jhrozek The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest
What type of PR is this?
/kind cleanup
/kind feature
What this PR does / why we need it:
Some time ago I introduced a feature for the SPO to label denials for
pods. While this seemed like a good idea at the time, it introduces too
many privileges for the SPOd (update and patch all pods).
While there haven't been any security incidents reported for the SPOd,
the drawbacks of giving such privileges are more critical than the
features the labeling would have enabled. So, let's get rid of this
feature and revisit the problem another time.
This fully removes the flag as there is no documented usage of the feature.
Which issue(s) this PR fixes:
None
Does this PR have test?
The test was removed.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
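The privilege the PR removes is write access (update and patch) on every pod the operator can see. As an added example, not code from the security-profiles-operator project or from this PR, the following Go check flags RBAC rules that grant those verbs (or the `*` wildcard) on pods, so a CI job can assert that an observe-only operator never regains them. `PolicyRule`, `PodWriteFindings`, and the two sample rule sets are hypothetical names and constructed inputs; the sample rules illustrate the before/after shape of the permissions, they are not copied from the operator's manifests, and the check does not distinguish a namespaced Role from a ClusterRole.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a trimmed-down, hypothetical stand-in for the fields of an
// rbac/v1 PolicyRule that matter for this check. It is not the operator's type.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// writeVerbs are the verbs that let a subject modify an existing object in place.
var writeVerbs = map[string]bool{"update": true, "patch": true}

// matches reports whether list names want, treating "*" as a wildcard.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// PodWriteFindings returns one finding per rule that grants update, patch or
// the "*" verb on pods in the core ("") API group. A rule set for an operator
// that only needs to observe pods should produce no findings.
func PodWriteFindings(rules []PolicyRule) []string {
	var findings []string
	for i, r := range rules {
		if !matches(r.APIGroups, "") || !matches(r.Resources, "pods") {
			continue // pods live in the core group; other resources are out of scope here
		}
		var granted []string
		for _, v := range r.Verbs {
			if v == "*" || writeVerbs[v] {
				granted = append(granted, v)
			}
		}
		if len(granted) > 0 {
			findings = append(findings, fmt.Sprintf("rule %d grants %s on pods", i, strings.Join(granted, ",")))
		}
	}
	return findings
}

// Constructed sample rule sets (illustrative, not the operator's RBAC):
// BeforeRollback is the shape the labeling feature required, AfterRollback
// is the read-only shape left once pod writes are dropped.
var BeforeRollback = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch", "update", "patch"}},
}

var AfterRollback = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
}

func main() {
	sets := []struct {
		name  string
		rules []PolicyRule
	}{{"before", BeforeRollback}, {"after", AfterRollback}}
	for _, s := range sets {
		f := PodWriteFindings(s.rules)
		if len(f) == 0 {
			fmt.Printf("%s: no pod write verbs granted\n", s.name)
			continue
		}
		for _, line := range f {
			fmt.Printf("%s: %s\n", s.name, line)
		}
	}
}
```

Run against a rendered RBAC manifest by loading its rules into `PolicyRule` values; a non-empty result from `PodWriteFindings` is the signal that the operator would again hold update or patch on all pods, which is exactly the privilege this PR rolls back. Wildcards are treated as grants on purpose: a rule with `verbs: ["*"]` on `resources: ["*"]` is flagged even though it never names pods or patch explicitly.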