k8snetworkplumbingwg / net-attach-def-admission-controller

An admission controller to check resources as defined by the NPWG spec
Apache License 2.0

Adds namespace isolation functionality #8

Closed dougbtv closed 5 years ago

dougbtv commented 5 years ago

Works in a rather basic fashion: essentially it admits based on the presence of the NPWG-style annotation and then disallows any of those which contain a reference to a non-local namespace, that is -- by the presence of a `/` in the value of the annotation.

Needs: testing.

Has had some manual testing. However, this watches only pods -- unsure what happens when, say, you have the annotation elsewhere, like, what if you have the pod created by a deployment? That part I don't know.

dougbtv commented 5 years ago

Other thoughts I had:

Some limitations as it stands: this only handles the comma-delimited format (it might falsely reject valid items in the JSON format), as it needs tighter integration with Multus (as a library?) to let Multus actually have the smarts about the annotations (where this cares more about gating it). It also only looks at annotations on pods -- I'm unsure if this will cause some type of "sneaking-through" of the annotations if created as part of something else (like something else that makes pods, like if it's packed in a deployment). The only upside I see of having the logic in Multus is just that I know for sure that it processed the annotation; I'm not sure what I'm missing.
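As an added illustration of the gating logic discussed in this PR (example code, not the project's own), the Go function below implements the namespace-isolation check for the NPWG `k8s.v1.cni.cncf.io/networks` annotation; it goes beyond the PR in that it also parses the JSON list form (so valid JSON items are not falsely rejected) and accepts an explicit reference to the pod's own namespace. The names `AdmitPodNetworks` and `networkSelection` are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NetworksAnnotation is the NPWG annotation that lists a pod's secondary networks.
const NetworksAnnotation = "k8s.v1.cni.cncf.io/networks"
// networkSelection holds the JSON-format fields relevant to the namespace check;
// encoding/json maps "name"/"namespace" onto these fields case-insensitively.
type networkSelection struct{ Name, Namespace string }

// AdmitPodNetworks rejects a pod in podNamespace whose networks annotation
// (comma-delimited "conf1,other-ns/conf2@eth1" or JSON list form) references a
// network attachment definition in another namespace; unannotated pods pass.
func AdmitPodNetworks(podNamespace string, annotations map[string]string) error {
	value, ok := annotations[NetworksAnnotation]
	if !ok {
		return nil
	}
	value = strings.TrimSpace(value)
	var refs []string // namespace referenced by each element; "" means the pod's own
	if strings.HasPrefix(value, "[") {
		var elems []networkSelection
		if err := json.Unmarshal([]byte(value), &elems); err != nil {
			return fmt.Errorf("invalid JSON network selection: %w", err)
		}
		for _, e := range elems {
			refs = append(refs, e.Namespace)
		}
	} else {
		for _, item := range strings.Split(value, ",") {
			item = strings.SplitN(strings.TrimSpace(item), "@", 2)[0] // drop "@iface" suffix
			if parts := strings.SplitN(item, "/", 2); len(parts) == 2 {
				refs = append(refs, parts[0])
			} else {
				refs = append(refs, "")
			}
		}
	}
	for _, ns := range refs {
		if ns != "" && ns != podNamespace {
			return fmt.Errorf("pod in %q may not attach to a network in namespace %q", podNamespace, ns)
		}
	}
	return nil
}
```

A check like this only ever sees Pod objects, but a pod template inside a Deployment is still materialised as a Pod create request through the API server, so the resulting pod is subject to the same admission decision.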