cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0

Stopped collection of mutations on DELETE operations #130

Open Kaezon opened 2 years ago

Kaezon commented 2 years ago

The Default Seccomp policy was mutating DELETE operations, which the k8s API does not accept. This was preventing the normal deletion of pods as long as this policy was enabled.

By adding an early return to the policy which avoids the processing of DELETE requests, #122 should be resolved.

Kaezon commented 2 years ago

Now that I'm thinking about it, maybe blocking the mutation of DELETE operations at a more global level would be a better approach. That would at least prevent future policies and plugins from causing this problem again.

Kaezon commented 2 years ago

I added a guard around the patch list append which prevents mutations from being collected for DELETE requests. This should effectively prevent future policies and plugins from mutating DELETE requests without interfering with other enforcement actions.
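The guard described in the comment above, as an added stand-alone example: this is not k-rail's own code, and the `AdmissionRequest`, `AdmissionResponse` and `Policy` types are trimmed stand-ins for the Kubernetes admission types and the project's policy interface, kept to the standard library so it runs offline. The seccomp policy still emits a patch when handed a DELETE request; the single check around the `append` in `Review` is what keeps that patch out of the response while violations are still enforced. The annotation key and the `runtime/default` value are illustrative choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Operation mirrors the operation names the API server sends in an AdmissionReview.
type Operation string

const (
	Create Operation = "CREATE"
	Update Operation = "UPDATE"
	Delete Operation = "DELETE"
)

// AdmissionRequest is a trimmed stand-in (assumption) for the Kubernetes type.
// Object carries the raw resource on CREATE/UPDATE and is empty on DELETE.
type AdmissionRequest struct {
	UID       string
	Operation Operation
	Kind      string
	Object    json.RawMessage
}

// AdmissionResponse is a trimmed stand-in for the API server response.
// Patch is an RFC 6902 JSON Patch document, nil when nothing is mutated.
type AdmissionResponse struct {
	UID     string
	Allowed bool
	Message string
	Patch   []byte
}

// PatchOperation is one JSON Patch entry.
type PatchOperation struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// Policy is a hypothetical interface: each policy reports violations and the
// mutations (patches) it wants applied to the object.
type Policy interface {
	Name() string
	Validate(req *AdmissionRequest) (violations []string, patches []PatchOperation)
}

const seccompAnnotation = "seccomp.security.alpha.kubernetes.io/pod"

// seccompPolicy adds a default seccomp annotation when the pod lacks one.
type seccompPolicy struct{}

func (seccompPolicy) Name() string { return "pod_default_seccomp_policy" }

func (seccompPolicy) Validate(req *AdmissionRequest) ([]string, []PatchOperation) {
	var pod struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	}
	// On DELETE there is no object, so the policy falls through and still
	// produces a patch; that is exactly the case the guard in Review handles.
	if len(req.Object) > 0 {
		if err := json.Unmarshal(req.Object, &pod); err != nil {
			return []string{"invalid pod object: " + err.Error()}, nil
		}
	}
	if _, ok := pod.Metadata.Annotations[seccompAnnotation]; ok {
		return nil, nil
	}
	if pod.Metadata.Annotations == nil {
		// No annotations map yet: create it with the single key.
		return nil, []PatchOperation{{Op: "add", Path: "/metadata/annotations",
			Value: map[string]string{seccompAnnotation: "runtime/default"}}}
	}
	// Map exists: add one key; "/" in the key is escaped as "~1" per RFC 6901.
	return nil, []PatchOperation{{Op: "add",
		Path: "/metadata/annotations/" + strings.ReplaceAll(seccompAnnotation, "/", "~1"),
		Value: "runtime/default"}}
}

// Review runs every policy and collects its output. The guard around the
// append drops mutations for DELETE requests, which the API server rejects,
// no matter which policy produced them; violations are collected regardless.
func Review(policies []Policy, req *AdmissionRequest) (AdmissionResponse, error) {
	var violations []string
	var patches []PatchOperation
	for _, p := range policies {
		v, ps := p.Validate(req)
		violations = append(violations, v...)
		if req.Operation != Delete {
			patches = append(patches, ps...)
		}
	}
	resp := AdmissionResponse{UID: req.UID, Allowed: len(violations) == 0}
	if !resp.Allowed {
		resp.Message = strings.Join(violations, "; ")
	}
	if len(patches) > 0 {
		b, err := json.Marshal(patches)
		if err != nil {
			return resp, err
		}
		resp.Patch = b
	}
	return resp, nil
}

func main() {
	policies := []Policy{seccompPolicy{}}
	// Constructed sample requests, not captured API server traffic.
	create := &AdmissionRequest{UID: "1", Operation: Create, Kind: "Pod",
		Object: json.RawMessage(`{"metadata":{"name":"web"}}`)}
	del := &AdmissionRequest{UID: "2", Operation: Delete, Kind: "Pod"}
	for _, r := range []*AdmissionRequest{create, del} {
		resp, err := Review(policies, r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %s: allowed=%v patch=%s\n", r.Operation, r.Kind, resp.Allowed, resp.Patch)
	}
}
```

Running it shows the CREATE response carrying the annotation patch and the DELETE response carrying none, with `Allowed` true in both cases. Putting the check in the dispatcher rather than in each policy is what makes the fix hold for policies and plugins written later.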

mark-adams commented 1 year ago

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!