-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a setting disallowing access to all namespaces #7237
Add a setting disallowing access to all namespaces #7237
Conversation
@chmouel any reason to not change the default value as well ? |
The following is the coverage report on the affected files.
|
00a8f90
to
823f45b
Compare
The following is the coverage report on the affected files.
|
I didn't think it's fair to our users to change the default behavior unless it's decided to be a security issue in #7236 then i guess we should change the default to star... We could as well make empty value ("") in blocked-namespaces disallowing everything by default and allowed-namespaces == * allow everything if we wanted too... which does seem a tiny bit more logical but either way i am fine.. |
The following is the coverage report on the affected files.
|
/kind feature |
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
cc @abayer |
With the cluster resolver we allow access to all namespaces by default if empty. This is not always desirable and we should have a way to only allow explicitly the namespaces that are allowed. Let the user configure the `blocked-namespaces` setting to `*` to disallow all namespaces by default and only allow access to namespaces with the `allowed-namespaces` setting. Signed-off-by: Chmouel Boudjnah <[email protected]>
66f70cb
to
64f73ec
Compare
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester, Yongxuanzhang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The following is the coverage report on the affected files.
|
The following is the coverage report on the affected files.
|
/lgtm |
With the cluster resolver we allow access to all namespaces by default if empty. This is not always desirable and we should have a way to only allow explicitly the namespaces that are allowed.
Let the user configure the
blocked-namespaces
setting to*
to disallow all namespaces by default and only allow access to namespaces with theallowed-namespaces
setting.Changes
Submitter Checklist
As the author of this PR, please check off the items in this checklist:
/kind <type>
. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tepRelease Notes