Comments (10)
k8s-ci-robot
commented on June 24, 2024
This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from kubernetes.
cck1860
commented on June 24, 2024
/sig Policy
from kubernetes.
k8s-ci-robot
commented on June 24, 2024
@cck1860: The label(s) sig/policy cannot be applied, because the repository doesn't have them.
In response to this:
/sig Policy
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from kubernetes.
cck1860
commented on June 24, 2024
/sig Security
from kubernetes.
neolit123
commented on June 24, 2024
/sig auth
from kubernetes.
ritazh
commented on June 24, 2024
/assign @stlaz
from kubernetes.
stlaz
commented on June 24, 2024
Enforcement is actually not run on the pod controllers (such as Deployment), meaning that the enforce label is ignored and only the "warn" label applies for client-side warnings.
On the contrary, the warn-level admission is not run when the enforcement fails.
@liggitt you added this code originally, does running the warn admission on a pod that already failed the enforcement check make sense? Or, perhaps from the other side, should we run enforcement at warn level for pod controllers, and then running the warn admission again?
Are we even able to convey warnings along with errors to the client side?
from kubernetes.
liggitt
commented on June 24, 2024
/remove-kind bug
/kind documentation
/close
The reason we only issue warnings at the controller level is because we don't know the pod will be disallowed until a creation is actually attempted and any mutating admission plugins interact with the create attempt.
Audit and Warn modes are also checked on resource types that embed a PodTemplate (enumerated below), but enforce mode only applies to actual pod resources.
Since users do not create pods directly in the typical deployment model, the warning mechanism is only effective if it can also warn on templated pod resources. Similarly, for audit it is useful to tie the audited violation back to the requesting user, so audit will also apply to templated pod resources. In the interest of supporting mutating admission controllers, policies will only be enforced on actual pods.
To help catch violations early, both the audit and warning modes are applied to the workload resources. However, enforce mode is not applied to workload resources, only to the resulting pod objects.
from kubernetes.
k8s-ci-robot
commented on June 24, 2024
@liggitt: Closing this issue.
In response to this:
/remove-kind bug
/kind documentation
/closeThe reason we only issue warnings at the controller level is because we don't know the pod will be disallowed until a creation is actually attempted and any mutating admission plugins interact with the create attempt.
Audit and Warn modes are also checked on resource types that embed a PodTemplate (enumerated below), but enforce mode only applies to actual pod resources.
Since users do not create pods directly in the typical deployment model, the warning mechanism is only effective if it can also warn on templated pod resources. Similarly, for audit it is useful to tie the audited violation back to the requesting user, so audit will also apply to templated pod resources. In the interest of supporting mutating admission controllers, policies will only be enforced on actual pods.
To help catch violations early, both the audit and warning modes are applied to the workload resources. However, enforce mode is not applied to workload resources, only to the resulting pod objects.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
from kubernetes.
liggitt
commented on June 24, 2024
@liggitt you added this code originally, does running the warn admission on a pod that already failed the enforcement check make sense?
Rejecting the pod (enforce) takes precedence over warning.
from kubernetes.
Related Issues (20)
- Add Limit and Continue to ListRestrictions on client-go HOT 4
- [Flaking test] TestPolicyAdmission/.v1.bindings/create HOT 1
- [FG:InPlacePodVerticalScaling] Pod Resize - resize stuck "InProgress" when only resizing memory requests HOT 5
- RuntimeHandlerResolver: interface invalid nil checking HOT 5
- When Deployment is editing replicas and strategy simultaneously, it may get stuck and not continue to execute HOT 3
- 1.31 Release Notes: "Known Issues" HOT 1
- Node reboot leaving existing pod using resources stuck with error UnexpectedAdmissionError HOT 5
- kube-apiserver oom, list resource consume too much memory cause json decode HOT 6
- Flaky test failure in staging/src/k8s.io/client-go/util/workqueue HOT 11
- client-go: fake.Clientset doesn't support streaming custom logs HOT 3
- Tracking issue: evaluating dependencies with non-CNCF CLAs HOT 9
- Support HTTP2 probes over cleartext (h2c) HOT 11
- The startup time of the init container is later than that of the application container. HOT 3
- Can't get secrets when adding imagePullSecrets HOT 3
- [Flaking test] [sig-node] Containers should use the image defaults if command and args are blank HOT 1
- kubectl --server-side --dry-run=server - wrong output for converting client side applied manifest HOT 3
- Node Labeling node.kubernetes.io/out-of-service Taint Label Delay HOT 2
- [FG:InPlacePodVerticalScaling] e2e test does not verify resource update in pod status HOT 3
- cronjob schedule with multiple conditions not working - conflict between day (week) and day (month) HOT 4
- NetPol block self pod trafic using an svc and not direct call HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes.