  1. Operator Runtime
  2. OPRUN-3217

Admission webhook to restrict usage of Carvel APIs


    • Story
    • Resolution: Won't Do
    • Major
    • Future Sustainability
    • Phlogiston 250

      Description

      Add a validating admission webhook to the operator-controller project that only permits requests made by the operator-controller and kapp-controller service accounts. All other requests should be rejected.

      Motivation

      There are two primary motivations for locking down use of Carvel APIs:

      1. We are not yet maintainers or trusted with embargoed security notifications about Carvel. Operator Framework vendors Go module dependencies without these relationships, which is allowable because we control the use of those dependencies. By restricting access to Carvel APIs, we put Carvel at the same level as other vendored dependencies.
      2. We are not prepared to support the full surface area of the Carvel APIs.
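
A sketch of the allow-list decision described above, added here as an example and not taken from operator-controller. It mirrors only the admission.k8s.io/v1 AdmissionReview fields it needs; the two full service account usernames (namespaces and account names) are assumed placeholders, since the issue does not give them.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Minimal mirror of the admission.k8s.io/v1 AdmissionReview fields used here.
type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID      string `json:"uid"`
		UserInfo struct {
			Username string `json:"username"`
		} `json:"userInfo"`
	} `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}
type admissionResponse struct {
	UID     string         `json:"uid"`
	Allowed bool           `json:"allowed"`
	Status  map[string]any `json:"status,omitempty"`
}

// Assumed usernames (placeholders). Exact match only: no prefix or suffix matching.
var allowedUsers = map[string]bool{
	"system:serviceaccount:operator-controller-system:operator-controller": true,
	"system:serviceaccount:kapp-controller:kapp-controller":                true,
}

// Review denies every request whose authenticated username is not on the allow-list.
func Review(body []byte) (*admissionReview, error) {
	var in admissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, errors.New("malformed AdmissionReview")
	}
	resp := &admissionResponse{UID: in.Request.UID, Allowed: allowedUsers[in.Request.UserInfo.Username]}
	if !resp.Allowed {
		resp.Status = map[string]any{"code": 403, "message": "Carvel APIs are restricted to operator-controller and kapp-controller"}
	}
	return &admissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, nil
}

func main() {
	out, _ := Review([]byte(`{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u1","userInfo":{"username":"alice"}}}`))
	b, _ := json.Marshal(out) // the input above is a constructed request from a human user
	fmt.Println(string(b))
}
```

The `userInfo` in the request is filled in by the API server after authentication, so the check does not rely on anything the client supplies. Registering the webhook with `failurePolicy: Fail` keeps the Carvel APIs closed when the webhook is unreachable.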

       

              mradchuk@redhat.com Mikalai Radchuk (Inactive)
              jlanford@redhat.com Joe Lanford