Device and OS: macOS
App version: 0.16.0
Kubernetes distro being used: k3d
Steps to reproduce
Deploy a pepr capability that includes something operating on `a.Pod` during both create and update (validate or mutate). A simple example would just be logging something out.
Run a command similar to this: `kubectl debug -it -n test test-pod --image busybox` and validate that the webhook is not triggered.
Expected result
Pepr should see these modifications.
Actual Result
Pepr misses these calls.
Severity/Priority
For validate calls this is pretty critical as it would allow someone to bypass validation for these injected debug containers.
## Description
Adds support for ephemeral containers in the webhook generation
## Related Issue
Fixes #381
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)
## Checklist before merging
- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide Steps](https://github.com/defenseunicorns/pepr/blob/main/CONTRIBUTING.md#submitting-a-pull-request) followed
Co-authored-by: Case Wylie <cmwylie19@defenseunicorns.com>
Additional Context
I was able to identify this issue thanks to other webhooks like kyverno that made a similar change: https://www.github.com/kyverno/kyverno/issues/2821
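An added example (not Pepr's code or its generated manifest) of why a webhook rule that lists only `pods` never receives the `kubectl debug` request from the report: ephemeral containers are written through the `pods/ephemeralcontainers` subresource, and an admission rule matches a subresource only when it names it. The rule objects, request names and helper functions are constructed for illustration and can be used to audit an existing webhook configuration for the same gap.

```typescript
// Added example: mirrors how the API server matches a request against webhook rules.
interface Rule {
  operations: string[];  // "CREATE", "UPDATE", ... or "*"
  apiGroups: string[];   // "" is the core group
  apiVersions: string[];
  resources: string[];   // "pods", "pods/ephemeralcontainers", "pods/*", "*/*"
}
interface Req {
  name: string;          // label used only in this example's report
  operation: string;
  group: string;
  version: string;
  resource: string;
  subResource: string;   // "" when the request targets the resource itself
}

const has = (list: string[], value: string): boolean =>
  list.indexOf("*") >= 0 || list.indexOf(value) >= 0;

// A bare "pods" (or "*") entry has an empty subresource part, so it never
// matches a request whose subResource is non-empty.
function resourceMatches(patterns: string[], req: Req): boolean {
  return patterns.some(p => {
    const slash = p.indexOf("/");
    const res = slash < 0 ? p : p.slice(0, slash);
    const sub = slash < 0 ? "" : p.slice(slash + 1);
    return (res === "*" || res === req.resource) && (sub === "*" || sub === req.subResource);
  });
}

function covered(rules: Rule[], req: Req): boolean {
  return rules.some(r =>
    has(r.operations, req.operation) && has(r.apiGroups, req.group) &&
    has(r.apiVersions, req.version) && resourceMatches(r.resources, req));
}

// Names of the requests that no rule sends to the webhook.
function gaps(rules: Rule[], reqs: Req[]): string[] {
  return reqs.filter(q => !covered(rules, q)).map(q => q.name);
}

// Constructed sample data (not Pepr's generated output).
const base = { operations: ["CREATE", "UPDATE"], apiGroups: [""], apiVersions: ["v1"] };
const podOnly: Rule[] = [{ ...base, resources: ["pods"] }];
const withEphemeral: Rule[] = [{ ...base, resources: ["pods", "pods/ephemeralcontainers"] }];
const createReq: Req = { name: "create pod", operation: "CREATE", group: "", version: "v1", resource: "pods", subResource: "" };
const debugReq: Req = { name: "kubectl debug", operation: "UPDATE", group: "", version: "v1", resource: "pods", subResource: "ephemeralcontainers" };
```

`gaps(podOnly, [createReq, debugReq])` reports the debug request as unreviewed, while the same call with `withEphemeral` returns an empty list.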