Vouch request: willschipp #1962
Replies: 1 comment 1 reply
-
|
This is something that could be implemented with #1927. The use case of enterprise policy management was the motivation for intercepting gateway APIs. Also see #1936 for an in-flight example. |
Beta Was this translation helpful? Give feedback.
-
|
yes both of them look very similar to what is envisioned. I think where they could work together is the use of a flag on sandbox instantiation "labelling" the sandbox as immutable from a policy perspective versus the interceptor pattern. the flag gets persisted into the sandbox instantiation itself, so that when "update" is called on policy, the flag presence is checked and, if set, fails the update |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
What do you want to work on?
I want to raise an issue and add a feature that supports immutability of policies on a sandbox once it's running. The end goal is to support immutable containers built through a pipeline with an embedded policy.yaml that cannot be changed or overridden once the container starts.
Why this change?
I'm wanting to add optional "fixing" of policies for enterprise consumption. So that optionally, when a sandbox is created, the policy, when passed in during create, can have an extra flag of "--immutable" or something similar, meaning that the sandbox polices can't change.
This needs to be optional and the default being current behavior, but the option can be there if openshell + policy is baked into an image, it can't be changed once the container is running
Checklist
Beta Was this translation helpful? Give feedback.
All reactions