kyma-webhook-poc

module
v0.0.0-...-31ae10e
Published: Mar 1, 2021 License: Apache-2.0

README

TODO:

  • proper logging - done

  • securityContexts etc - done

  • istio-sidecar? - for now doesn't work, we might have to add a DestinationRule or something else

  • production/eval profiles ? - still not done

  • readiness/liveness probes - done

  • prometheus metrics - provided out of the box, done

  • exempt serviceaccounts from denied namespaces (from iteration review)

  • serviceaccounts -> handled already

  • groups/users -> see gke-user.png

  • kubectl exec -> denied, special verb for that action is CONNECT (see webhooks[].rules.operations)

    • available verbs are:
      • CONNECT
      • CREATE
      • UPDATE
      • DELETE
  • kubectl logs -> allowed

  • kubectl get,list,watch -> allowed (do not block reading; from iteration review)

  • Which kubeconfig is used to install Kyma - Still don't know

kubectl -n kyma-system run busybox --image busybox --as=system:serviceaccount:default:test-deny -- sh -c "echo something; sleep 10000"
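
The allow/deny behaviour listed above, as an added example that is not this module's own code. The `decide` function, the `denied` set and the rule that only service accounts living in a protected namespace are exempt are assumptions; the JSON fields are the standard AdmissionReview request fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview request used for the decision.
type review struct {
	Request struct {
		Namespace string `json:"namespace"`
		Operation string `json:"operation"` // CREATE, UPDATE, DELETE or CONNECT
		UserInfo  struct {
			Username string `json:"username"`
		} `json:"userInfo"`
	} `json:"request"`
}

// Assumption: protected namespaces; the README's test command targets kyma-system.
var denied = map[string]bool{"kyma-system": true}

// decide reports whether the request is allowed, and why.
// Reads (get/list/watch, logs) never reach an admission webhook, so only
// the four operations above arrive here; kubectl exec arrives as CONNECT.
func decide(raw []byte) (bool, string) {
	var r review
	if err := json.Unmarshal(raw, &r); err != nil {
		return false, "malformed AdmissionReview" // fail closed
	}
	req := r.Request
	if !denied[req.Namespace] {
		return true, "namespace not protected"
	}
	// Service account usernames have the form system:serviceaccount:<namespace>:<name>.
	p := strings.Split(req.UserInfo.Username, ":")
	if len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" && denied[p[2]] {
		return true, "service account from a protected namespace"
	}
	return false, fmt.Sprintf("%s in %s denied for %s",
		req.Operation, req.Namespace, req.UserInfo.Username)
}

func main() {
	// Constructed request mirroring the kubectl run --as=... command above.
	sample := `{"request":{"namespace":"kyma-system","operation":"CREATE",
	  "userInfo":{"username":"system:serviceaccount:default:test-deny"}}}`
	fmt.Println(decide([]byte(sample)))
}
```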

Directories

Path Synopsis
cmd
