-
Notifications
You must be signed in to change notification settings - Fork 39.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ephemeralcontainer to imagepolicy securityaccount admission plugin #118356
Conversation
/assign @enj |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added few comments!
for _, c := range pod.Spec.EphemeralContainers { | ||
imageReviewContainerSpecs = append(imageReviewContainerSpecs, v1alpha1.ImageReviewContainerSpec{ | ||
Image: c.Image, | ||
}) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the subresource is ephemeralcontainers
, don't we still need the other containers and init containers in addition to the ephermeral containers? Or is it intended to only check the ephemeral containers?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a request to subresource=="" can only set initContainer and container images
a request to subresource=="ephemeralcontainers" can only set ephemeralContainer images
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
/lgtm |
LGTM label has been added. Git tree hash: a4c24036065e65a8d19ce5fda712a5f0c1e2ba49
|
/assign @deads2k |
@@ -99,7 +99,7 @@ var _ = genericadmissioninitializer.WantsExternalKubeInformerFactory(&Plugin{}) | |||
// 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers | |||
func NewServiceAccount() *Plugin { | |||
return &Plugin{ | |||
Handler: admission.NewHandler(admission.Create), | |||
Handler: admission.NewHandler(admission.Create, admission.Update), | |||
// TODO: enable this once we've swept secret usage to account for adding secret references to service accounts | |||
LimitSecretReferences: false, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
blast from the past
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj, ritazh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@ritazh don't we need to back port this to 1.24 release branch as well? |
Looks like we can still cherry pick to 1.24. PR ^ |
…56-upstream-release-1.27 Automated cherry pick of #118356: Add ephemeralcontainer to imagepolicy securityaccount
…56-upstream-release-1.26 Automated cherry pick of #118356: Add ephemeralcontainer to imagepolicy securityaccount
…56-upstream-release-1.25 Automated cherry pick of #118356: Add ephemeralcontainer to imagepolicy securityaccount
Thanks.. Even Beta is a contract and 1.24 is still open . Considering that , I was asking, thanks for filing the PR @ritazh 👍 |
…56-upstream-release-1.24 Automated cherry pick of #118356: Add ephemeralcontainer to imagepolicy securityaccount
What type of PR is this?
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes imagepolicy securityaccount admission plugins to handle ephemeral container.
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/sig auth