admission: run PodSecurity before PodSecurityPolicy #104715
This change fixes the order in which the PodSecurity and PodSecurityPolicy admission plugins are run. The old code intended for PSA to run before PSP, but attempted to enforce that via registration order (which is irrelevant). Now PSA is correctly executed before PSP to allow for audit and warning modes to be exercised even in the presence of a deny PSP policy.

Signed-off-by: Monis Khan <mok@vmware.com>
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: enj, liggitt
The full list of commands accepted by this bot can be found here. The pull request process is described here.
/retest
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
/retest
/kind bug
/sig auth
/assign @liggitt @tallclair
/milestone v1.23
/priority important-soon
/triage accepted
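
A simplified model of the ordering problem the PR description explains, added here as an example and not code from the Kubernetes repository. In this model plugins sit in a name-keyed registry, so registration order is irrelevant, and only the explicit order passed to the chain decides whether PodSecurity's warning is produced before PodSecurityPolicy denies. The names `Plugin`, `registry`, `register` and `runChain` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Plugin is a simplified stand-in for an admission plugin (hypothetical type):
// it may append warnings, and a non-nil error denies the request.
type Plugin func(privileged bool, warnings *[]string) error

// registry is a map, so the order of register calls carries no ordering.
var registry = map[string]Plugin{}

func register(name string, p Plugin) { registry[name] = p }

// runChain runs plugins in the explicit order given and stops at the first
// denial, so anything placed after a denying plugin never runs.
func runChain(order []string, privileged bool) (warnings []string, err error) {
	for _, name := range order {
		if err = registry[name](privileged, &warnings); err != nil {
			return warnings, fmt.Errorf("%s: %w", name, err)
		}
	}
	return warnings, nil
}

func init() {
	// Registered PSA-first; on its own this does not affect execution order.
	register("PodSecurity", func(priv bool, w *[]string) error {
		if priv { // modeled in warn mode: report, never deny
			*w = append(*w, "would violate PodSecurity baseline")
		}
		return nil
	})
	register("PodSecurityPolicy", func(priv bool, _ *[]string) error {
		if priv { // modeled as a deny policy
			return errors.New("privileged pods are forbidden")
		}
		return nil
	})
}

func main() {
	pspFirst := []string{"PodSecurityPolicy", "PodSecurity"} // warning is lost
	psaFirst := []string{"PodSecurity", "PodSecurityPolicy"} // warning survives
	for _, order := range [][]string{pspFirst, psaFirst} {
		w, err := runChain(order, true)
		fmt.Printf("order=%v warnings=%q err=%v\n", order, w, err)
	}
}
```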