Reject updates to addons in kube-system #39712

bprashanth opened this Issue Jan 11, 2017 · 1 comment


None yet

2 participants


It is too easy to point this at your foot and pull the trigger. Maybe we can add an admission controller or webhook to reject the update? or perhaps an RBAC webhook to only allow the addon-manager username through?,, #34348

liggitt commented Jan 18, 2017

I don't anticipate a hard coded kube-system authorizer. I think the general solution is to run with authorization on and do day to day tasks in namespaces other than kube-system.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment