PSP admission #24600
PSP admission #24600
Conversation
|
Nice even number. Auspicious! |
k8s-github-robot
added
needs-rebase
|
fyi @ericchiang |
|
I'd like to have it be possible to inject new strategies via interface so On Thu, Apr 21, 2016 at 5:47 PM, Eric Tune [email protected] wrote:
|
I'm not following this one yet. Why would we inject the strategies that a PSP uses when it's configured on the PSP object? Or is that not what you're referring to? |
|
Inject into the admission controller custom strategies for the
constants on each field - ie RunAsRange should be implemented as an
interface so Openshift can have the namespace handler without core
Kube code changing. Also, I want to experiment with future constants
/ expressions without having to refactor all of PSP. The PSP
admission controller should be a skeleton that enforcement policies
are injected into.
|
Ok, getting clearer. The field strategies are implementing a field based interface because the return values are field dependent. I think we can abstract it a bit more though. I'll give it a go. |
|
I feel like the interface selection should be opaque - ask a list of On Apr 22, 2016, at 8:49 AM, Paul Weil [email protected] wrote: ie RunAsRange should be implemented as an Ok, getting clearer. The field strategies are implementing a field based — |
|
@smarterclayton - last commit abstracts out the creation of strategies that the provider uses by passing in a strategy factory. This can be used downstream to create strategies based on namespace settings. PTAL and let me know what you think. |
|
API changes in 6f320 look good, but do you know why there are all the generated code changes around versioned.Watch? Doesn't seem like your non-generated code changes would cause that? |
|
aa42e7 looks good. |
| supplementalGroupsField = "supplementalGroups" | ||
| ) | ||
|
|
||
| // simpleProvider is the default implementation of SecurityContextConstraintsProvider |
There was a problem hiding this comment.
I think this is just called Provider now?
looks suspicious. I'll investigate |
| // ensure we implement the interface correctly. | ||
| var _ Provider = &simpleProvider{} | ||
|
|
||
| // NewSimpleProvider creates a new SecurityContextConstraintsProvider instance. |
There was a problem hiding this comment.
This is just called "Provider" now not "SecurityContextConstraintsProvider".
| // 2. Create the providers, includes setting pre-allocated values if necessary. | ||
| // 3. Try to generate and validate a PSP with providers. If we find one then admit the pod | ||
| // with the validated PSP. If we don't find any reject the pod and give all errors from the | ||
| // failed attempts. |
There was a problem hiding this comment.
How do we bootstrap a cluster if there are no PSPs initially? Does that mean all pods are rejected? Or does an admin need a hardcoded override? Or should lack of any PSP be interpreted as no PSP required. How does this work on OS and how do you see it working here?
There was a problem hiding this comment.
In OpenShift we bootstrap infrastructure policies on cluster start and also provide reconciliation commands that can be used during the upgrade process. This is how our default policies and grants are created.
Here, we can either choose to add a bootstrapping process or make the assumption that if no policies exist that none will be enforced which is backwards compatible. @smarterclayton WDYT?
There was a problem hiding this comment.
I went ahead and made this a configuration option for the plugin since there was no decision.
eparis
added
the
lgtm
|
rebased |
k8s-github-robot
removed
lgtm
pmorie
added
the
lgtm
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
lgtm
pmorie
added
lgtm
k8s-github-robot
added
the
needs-rebase
|
rebased |
k8s-github-robot
removed
lgtm
pmorie
added
the
lgtm
erictune
added
the
priority/important-soon
|
GCE e2e build/test passed for commit 65c8a1f. |
|
Automatic merge from submit-queue |
Still working on removing the non-relevant parts of the tests but I wanted to get this open to start soliciting feedback.
@liggitt @pmorie - this is the simple implementation requested that assumes all PSPs should be checked for each requests. It is a slimmed down version of our SCC admission controller
@erictune @smarterclayton