Reject updates to addons in kube-system #39712

Open
bprashanth opened this Issue Jan 11, 2017 · 1 comment


@bprashanth
Contributor

It is too easy to point this at your foot and pull the trigger. Maybe we can add an admission controller or webhook to reject the update? Or perhaps an RBAC webhook to only allow the addon-manager username through?

http://kubernetes.io/docs/admin/admission-controllers/#how-do-i-turn-on-an-admission-control-plug-in, http://kubernetes.io/docs/admin/authorization/, #34348
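
An added example (not part of the original issue and not Kubernetes project code) of the decision logic for the admission webhook proposed in the comment above, written against the AdmissionReview v1 request format. The addon label used to recognise addons, the `example:addon-manager` username, the inclusion of DELETE and the sample request are assumptions made for the illustration.

```python
"""Decision logic for a validating admission webhook guarding kube-system addons."""

GUARDED_NAMESPACE = "kube-system"
GUARDED_OPERATIONS = {"UPDATE", "DELETE"}  # DELETE is an added assumption
# Assumption: addons are recognised by the label addon-manager sets on them.
ADDON_LABEL = "addonmanager.kubernetes.io/mode"
# Hypothetical placeholder; use the identity your addon-manager authenticates as.
ADDON_MANAGER_USER = "example:addon-manager"


def is_addon(obj):
    """True if the stored object carries the addon label."""
    labels = ((obj or {}).get("metadata") or {}).get("labels") or {}
    return ADDON_LABEL in labels


def decide(request):
    """Return (allowed, message) for one AdmissionReview request."""
    if request.get("namespace") != GUARDED_NAMESPACE:
        return True, ""
    if request.get("operation") not in GUARDED_OPERATIONS:
        return True, ""
    # Judge the object as stored (oldObject), not as submitted, so a request
    # cannot remove the label and modify the addon in the same update.
    if not is_addon(request.get("oldObject")):
        return True, ""
    user = (request.get("userInfo") or {}).get("username")
    if user == ADDON_MANAGER_USER:
        return True, ""
    # Fail closed: a missing or unexpected identity is rejected.
    return False, (f"{request['operation']} of addons in {GUARDED_NAMESPACE} "
                   f"is reserved for {ADDON_MANAGER_USER}")


def review(body):
    """Build the AdmissionReview response the API server expects."""
    request = body.get("request") or {}
    allowed, message = decide(request)
    response = {"uid": request.get("uid", ""), "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample: a human user strips the label from kube-dns in one update.
SAMPLE = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "request": {
    "uid": "constructed-uid-1", "namespace": "kube-system", "operation": "UPDATE",
    "userInfo": {"username": "alice"},
    "oldObject": {"metadata": {"name": "kube-dns", "labels": {ADDON_LABEL: "Reconcile"}}},
    "object": {"metadata": {"name": "kube-dns", "labels": {}}}}}
```

Calling `review(SAMPLE)` denies the request even though the submitted object no longer carries the label, because the decision is made on `oldObject`.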

@liggitt
Member
liggitt commented Jan 18, 2017

I don't anticipate a hard-coded kube-system authorizer. I think the general solution is to run with authorization on and do day-to-day tasks in namespaces other than kube-system.
