Consider all labels by default when deriving security identity #849
if podName := k8sDockerLbls.GetPodName(allLabels); podName != "" { | ||
k8sNormalLabels, err := d.fetchK8sLabels(allLabels) | ||
if err != nil { | ||
log.Warningf("Error while getting kubernetes labels: %s", err) | ||
} else if k8sNormalLabels != nil { | ||
k8sLbls = labels.Map2Labels(k8sNormalLabels, k8s.LabelSource) | ||
|
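Review bot: in the `err != nil` branch the code only logs a warning and falls through, so an endpoint whose Kubernetes labels could not be fetched continues with `k8sLbls` unset and gets a security identity derived without any of its Kubernetes labels. If that degraded fallback is intended, say so in a comment next to `log.Warningf`; otherwise return the error (or retry the fetch) rather than silently deriving a weaker identity. Either way, `io.kubernetes.pod.namespace` must be carried into the stored labels so that namespace stays part of the identity.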
We still need to store the io.kubernetes.pod.namespace here.
Fixed
pkg/labels/filter.go (outdated)
Prefix: k8s.PodNamespaceLabel, | ||
Source: k8s.LabelSource, | ||
Ignore: true, | ||
Prefix: "io.kubernetes", | ||
}, |
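Review bot: the ignore entry `Prefix: "io.kubernetes"` is also a prefix of `k8s.PodNamespaceLabel` (`io.kubernetes.pod.namespace`), so whether the namespace label survives depends entirely on which entry the filter consults first. Make the matching order explicit (first match wins, with the namespace entry evaluated before the `io.kubernetes` ignore entry) and add a test that a label map containing both the namespace and, say, `io.kubernetes.pod.name` keeps exactly the namespace. Note also that the ignore entry has no `Source` while the namespace entry does, so it will apply to labels from every source; confirm that is intended.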
Also ignore k8s.io/kubernetes/pkg/apis/extensions/DefaultDeploymentUniqueLabelKey or "pod-template-hash"
- Move into pkg/labels/
- No need to take lock

Signed-off-by: Thomas Graf <thomas@cilium.io>
Instead of whitelisting individual label prefixes by default, consider all labels except "io.kubernetes*" to avoid including pod-name hash, timestamps, grace periods, etc.

Signed-off-by: Thomas Graf <thomas@cilium.io>
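The policy in the commit message, combined with the review request to also drop `pod-template-hash`, amounts to an ordered prefix filter with a "keep everything else" default. The following is an added, stand-alone Go example (not Cilium's own `pkg/labels` code) that implements such a filter and shows why rule order matters: `LabelRule`, `DefaultRules`, `FilterLabels`, `IdentityKey` and `SamplePod` are hypothetical names, `PodNamespaceLabel` and `DeploymentUniqueLabelKey` are constants standing in for `k8s.PodNamespaceLabel` and the deployment hash key, and the pod label maps are constructed sample data. Two replicas of one deployment derive the same identity key, a pod in another namespace derives a different one, and evaluating the `io.kubernetes` ignore rule before the namespace keep rule silently loses the namespace.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LabelRule is a hypothetical ordered filter rule (added example, not
// Cilium's own type): the first rule whose Prefix matches a label key
// decides whether that label is kept or dropped.
type LabelRule struct {
	Prefix string
	Ignore bool // true: drop matching labels; false: keep them
}

// Hypothetical constants standing in for k8s.PodNamespaceLabel and for the
// deployment template hash key the reviewer asked to ignore.
const (
	PodNamespaceLabel        = "io.kubernetes.pod.namespace"
	DeploymentUniqueLabelKey = "pod-template-hash"
)

// DefaultRules encodes the policy from the commit message plus the review
// request: keep the pod namespace, drop everything else under io.kubernetes,
// drop the deployment template hash, keep all other labels by default.
// Order matters: the namespace keep-rule must precede the io.kubernetes
// ignore-rule, because "io.kubernetes" is a prefix of the namespace key.
var DefaultRules = []LabelRule{
	{Prefix: PodNamespaceLabel, Ignore: false},
	{Prefix: "io.kubernetes", Ignore: true},
	{Prefix: DeploymentUniqueLabelKey, Ignore: true},
}

// FilterLabels returns the labels that contribute to the security identity
// under rules. A label matching no rule is kept ("consider all labels by
// default"); a label matching a rule follows that rule's Ignore flag.
func FilterLabels(labels map[string]string, rules []LabelRule) map[string]string {
	out := make(map[string]string, len(labels))
	for k, v := range labels {
		keep := true
		for _, r := range rules {
			if strings.HasPrefix(k, r.Prefix) {
				keep = !r.Ignore
				break // first matching rule wins
			}
		}
		if keep {
			out[k] = v
		}
	}
	return out
}

// IdentityKey renders a label set canonically (sorted key=value pairs joined
// by commas) so that two pods with the same relevant labels produce the same
// string regardless of map iteration order.
func IdentityKey(labels map[string]string) string {
	keys := make([]string, 0, len(labels))
	for k := range labels {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+labels[k])
	}
	return strings.Join(parts, ",")
}

// SamplePod builds constructed labels for one replica of a deployment: the
// app labels are shared, the per-pod container runtime labels differ.
func SamplePod(namespace, podName, templateHash string) map[string]string {
	return map[string]string{
		"app":                          "web",
		"role":                         "frontend",
		PodNamespaceLabel:              namespace,
		"io.kubernetes.pod.name":       podName,
		"io.kubernetes.container.name": "web",
		DeploymentUniqueLabelKey:       templateHash,
	}
}

func main() {
	podA := SamplePod("default", "web-5d8f9c7b4-abcde", "5d8f9c7b4")
	podB := SamplePod("default", "web-5d8f9c7b4-fghij", "5d8f9c7b4")
	podC := SamplePod("prod", "web-5d8f9c7b4-klmno", "5d8f9c7b4")
	fmt.Println("pod A ->", IdentityKey(FilterLabels(podA, DefaultRules)))
	fmt.Println("pod B ->", IdentityKey(FilterLabels(podB, DefaultRules)))
	fmt.Println("pod C ->", IdentityKey(FilterLabels(podC, DefaultRules)))
	// The same rules in the wrong order silently drop the namespace.
	reversed := []LabelRule{DefaultRules[1], DefaultRules[0], DefaultRules[2]}
	fmt.Println("wrong order ->", IdentityKey(FilterLabels(podA, reversed)))
}
```

The first-match-wins loop is what makes the precedence explicit; a filter that consulted an ignore list before an allow list would need the opposite ordering, so whichever semantics the real implementation picks should be pinned by a test that feeds it both the namespace label and another `io.kubernetes.*` label.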
8d3995d to a15ada7
For future reference: