I was experimenting with creating exemptions and added the following exemption to values.yaml:

and then upgraded the helm chart. After doing so, I was able to exec into a pod named abc. However, I was surprised that this also allowed me to exec into any pod that starts with the string abc. So I could exec into pods named:

- abcd
- abcde

and so on.
I think this is a bug and if it is not, I think this should be more clearly stated on the GitHub page. Thanks
Update
Looking at the code, it looks like this is by design because you expect resources to be created by controllers, etc. This is what I ran into when I looked at exception.go:
```go
// Compile returns a CompiledExemption
func (r *RawExemption) Compile() CompiledExemption {
	// if not specified, assume it's the field matches all
	// ensure that ResourceName has a trailing glob so it can match the IDs added by certain resource types
	// ie, Deployment pod name test-pod, ReplicaSet name test-pod-sdf932, PodName test-pod-sdf932-ew92
	if !strings.HasSuffix(r.ResourceName, "*") {
		r.ResourceName = r.ResourceName + "*"
	}
	if r.ClusterName == "" {
		r.ClusterName = "*"
	}
	if r.Namespace == "" {
		r.Namespace = "*"
	}
	if r.Username == "" {
		r.Username = "*"
	}
	if r.Group == "" {
		r.Group = "*"
	}
	if len(r.ExemptPolicies) == 0 {
		r.ExemptPolicies = []string{"*"}
	}
```
so it might be useful to add something about this in the README.md
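The effect of the trailing-glob normalization in the `Compile` excerpt above, as an added example that is not part of the original issue or the project's own code: it lists which pod names an exemption's `ResourceName` ends up covering and flags the ones that only share the prefix. The function names and the pod list are hypothetical, and `path.Match` is an assumed stand-in for the project's matcher, which the excerpt does not show.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// effectivePattern applies the same normalization as the Compile excerpt:
// a ResourceName without a trailing "*" gets one appended.
func effectivePattern(resourceName string) string {
	if !strings.HasSuffix(resourceName, "*") {
		return resourceName + "*"
	}
	return resourceName
}

// coveredPods returns the pod names the normalized ResourceName matches.
// Assumption: path.Match stands in for the project's glob matcher, which is
// not shown on the page.
func coveredPods(resourceName string, pods []string) []string {
	pattern := effectivePattern(resourceName)
	var hits []string
	for _, p := range pods {
		if ok, err := path.Match(pattern, p); err == nil && ok {
			hits = append(hits, p)
		}
	}
	return hits
}

// unintended returns covered pods that are neither the exempted name itself
// nor a controller-generated child of the form "<name>-<suffix>".
func unintended(resourceName string, pods []string) []string {
	base := strings.TrimSuffix(resourceName, "*")
	var out []string
	for _, p := range coveredPods(resourceName, pods) {
		if p != base && !strings.HasPrefix(p, base+"-") {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed pod names for illustration.
	pods := []string{"abc", "abcd", "abcde", "abc-7d9f-x2k", "xabc"}
	fmt.Println(effectivePattern("abc"), coveredPods("abc", pods), unintended("abc", pods))
}
```

Running a check like this over the pod names in a namespace before applying an exemption shows whether the implicit `*` reaches workloads beyond the one being exempted.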