edgelesssys / contrast

Deploy and manage confidential containers on Kubernetes
https://docs.edgeless.systems/contrast
GNU Affero General Public License v3.0

kuberesource: remove namespace when patching with empty string #465

Closed katexochen closed 4 months ago

katexochen commented 4 months ago

In the emojivoto-demo deployment YAML that we released with v0.6.0, the namespace is explicitly set to the empty string. While this is valid for Kubernetes (the empty string is a synonym for the default namespace), genpolicy can't handle these empty strings and will enforce in the policy the literal empty string, leading to the deployment being unable to start.
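The behaviour named in the PR title, as an added example that is not part of the original thread or Contrast's own code: patching with an empty namespace deletes `metadata.namespace` instead of writing `""`. The function names, the use of JSON rather than YAML manifests, and the sample Deployment are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// patchNamespace sets metadata.namespace on a decoded manifest. With ns == ""
// it removes the field instead of writing a literal empty string.
// Hypothetical helper for illustration, not Contrast's kuberesource API.
func patchNamespace(obj map[string]any, ns string) {
	// A List wraps other objects; patch each item rather than the wrapper.
	if items, ok := obj["items"].([]any); ok {
		for _, it := range items {
			if m, ok := it.(map[string]any); ok {
				patchNamespace(m, ns)
			}
		}
		return
	}
	meta, _ := obj["metadata"].(map[string]any)
	if ns == "" {
		delete(meta, "namespace") // deleting from a nil map is a no-op
		return
	}
	if meta == nil {
		meta = map[string]any{}
		obj["metadata"] = meta
	}
	meta["namespace"] = ns
}

// patchManifest decodes a JSON manifest, patches it and re-encodes it.
func patchManifest(in []byte, ns string) ([]byte, error) {
	var obj map[string]any
	if err := json.Unmarshal(in, &obj); err != nil || obj == nil {
		return in, err // parse error, or JSON null: return input unchanged
	}
	patchNamespace(obj, ns)
	return json.Marshal(obj)
}

// Constructed sample: a Deployment whose namespace is explicitly "".
const sample = `{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web","namespace":""}}`

func main() {
	out, err := patchManifest([]byte(sample), "")
	fmt.Println(string(out), err)
}
```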

katexochen commented 4 months ago

Upstream fix in https://github.com/kata-containers/kata-containers/pull/9660

katexochen commented 4 months ago

Should we remove the namespace patching from the e2e release test? There should only be one in-flight, anyway.

Yes, if that won't mess up the cleanup, that might be a good idea.

edgelessci commented 4 months ago

Successfully created backport PR for release/v0.6: