Research a solution to allow operator rejects requests using not allowed Kubernetes API versions. #227
Labels
Comments
|
As an example, there is https://github.com/FairwindsOps/pluto as a CLI tool to discover deprecated apiVersions of resources. |
4 tasks
|
This is partially implemented by https://github.com/kubewarden/deprecated-api-versions-policy. It is missing a policy with an allowlist for api versions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bad actors could deploy workloads using features (API versions) not cover by the admission controller. Thus, bypassing the validations. We should look for a solution of how to prevent this to happen.
Issue from threat #14 of the threat model. One solution proposed during RFC discussions is a policy that rejects all the workloads using API version different from a defined allow list
NOTE: This is an issue created from RFC discussing the admission control threat model. It's created to allow the Kubewarden team discuss the proposed mitigation further and start to work on each actionable item when possible
The text was updated successfully, but these errors were encountered: