Report missing policy or params in status of ValidatingAdmissionPolicyBindings #117263
Labels: sig/api-machinery, triage/accepted
Comments
k8s-ci-robot added the needs-sig and needs-triage labels on Apr 13, 2023
/assign @ritazh
/triage accepted
k8s-ci-robot added the triage/accepted and sig/api-machinery labels and removed the needs-triage and needs-sig labels on Apr 13, 2023
hey can you please specify the following:
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
k8s-ci-robot added the needs-triage label and removed the triage/accepted label on Apr 15, 2024
/triage accepted
k8s-ci-robot added the triage/accepted label and removed the needs-triage label on Apr 25, 2024
If a ValidatingAdmissionPolicyBinding references a non-existent policy in the `spec.policyName` field the binding silently does nothing. xref: kubernetes/staging/src/k8s.io/api/admissionregistration/v1alpha1/types.go, line 363 in 5550bd5

We have informally referred to a binding in this state as "mis-configured", but there is no way for a user to know that a binding is in this state short of attempting API requests that should be denied and noticing that they are allowed (which is clearly not a good way to check).

Part of the problem is that without the `matchConditions` of the policy, the policy binding doesn't even know what API requests it should match. We should report this state into the status of binding resources.

Also, when the policy has a `paramKind` and the `spec.paramRef` refers to a non-existent resource, or the wrong type of resource, there is also a problem. The behavior for this case is different: the policy is mis-configured and the failurePolicy is triggered. We should still report status for this case though?

A last case: The policy does not have a `paramKind` but the binding has a `spec.paramRef`. In this case we ignore the `paramRef` (since it is not needed). I don't know if we need to report this to status. It is reasonable to add unused `paramRef`s to bindings in preparation for adding a `paramKind` to a policy, so maybe this is OK?