deny by default. #279
deny by default. #279
Conversation
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Codecov Report
@@ Coverage Diff @@
## main #279 +/- ##
=======================================
Coverage 62.41% 62.41%
=======================================
Files 28 28
Lines 2650 2650
=======================================
Hits 1654 1654
Misses 910 910
Partials 86 86 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
| @@ -18,4 +18,4 @@ metadata: | |||
| name: config-policy-controller | |||
| namespace: cosign-system | |||
| data: | |||
| no-match-policy: allow | |||
| no-match-policy: deny | |||
There was a problem hiding this comment.
If this is the default, then I'd recommend that we omit it entirely.
By specifying this, we make it so that folks upgrading using our configs will overwrite any changes they make to these.
There was a problem hiding this comment.
But this configmap hasn't been released yet. I don't see any harm on doing this change to the config file.
There was a problem hiding this comment.
Sorry, my point is a bit of nuance around kubectl apply 3-way merges.
If a user is installing via kubectl apply and we specify a value, which they change, then when they upgrade to vNext the apply will overwrite the value.
If we don't specify a value, and they change it (via kubectl edit), then when they upgrade to vNext the apply will NOT overwrite the value.
This is a silly game of nuance we played with configmap knobs in Knative since we were seeing users edits being reverted on upgrades 😞
There was a problem hiding this comment.
Okay, i understood the intention now.
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
fixed #235
Release Note
Documentation