nebari-dev / nebari-workflow-controller

A WIP Kubernetes admission controller to control what workflows can be deployed by which users
BSD 3-Clause "New" or "Revised" License

Switch to checking pod objects created by Argo rather than Workflow objects #6

Closed Adam-D-Lewis closed 1 year ago

Adam-D-Lewis commented 1 year ago

Context

Argo Workflows can create Workflows in many different ways (dag, steps, container, script). This makes it difficult to ensure users are not able to mount PVCs they shouldn't be able to mount. A better solution is to create a Validating Admission Controller on pods created by Argo rather than on Workflow objects. My one hesitation is that I'm not sure if Argo Workflows will relay the reason why the pod is unschedulable back to the user.
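
The pod-level check proposed in the comment above, as an added example that is not part of the issue or the project's code: whichever template type produced the pod, the PVC references end up in `spec.volumes`, so one check covers them all. `review_pod`, `allowed_claims`, `sample_review` and the PVC and workflow names are hypothetical; how the allowed set is derived for a user is left to the caller.

```python
ARGO_LABEL = "workflows.argoproj.io/workflow"  # label Argo puts on pods it creates


def claimed_pvcs(pod):
    """Names of existing PVCs referenced in the pod's spec.volumes."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["persistentVolumeClaim"].get("claimName", "")
            for v in volumes if v.get("persistentVolumeClaim")]


def review_pod(admission_review, allowed_claims):
    """Build the AdmissionReview response for a Pod CREATE request.

    allowed_claims is a hypothetical, caller-supplied set of PVC names the
    submitting user may mount; deriving it per user is outside this example.
    """
    req = admission_review["request"]
    pod = req.get("object") or {}
    labels = pod.get("metadata", {}).get("labels") or {}
    response = {"uid": req["uid"], "allowed": True}
    # Only judge pods Argo created; every other pod is passed through.
    if req.get("kind", {}).get("kind") == "Pod" and ARGO_LABEL in labels:
        denied = sorted(set(claimed_pvcs(pod)) - set(allowed_claims))
        if denied:
            response["allowed"] = False
            response["status"] = {
                "code": 403,
                "message": f"workflow {labels[ARGO_LABEL]} may not mount "
                           f"PVC(s): {', '.join(denied)}",
            }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(uid, labels, claim_names):
    """Constructed AdmissionReview request for a pod mounting claim_names."""
    volumes = [{"name": f"vol{i}", "persistentVolumeClaim": {"claimName": c}}
               for i, c in enumerate(claim_names)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": "CREATE",
                        "kind": {"group": "", "version": "v1", "kind": "Pod"},
                        "object": {"metadata": {"labels": labels},
                                   "spec": {"volumes": volumes}}}}


if __name__ == "__main__":
    argo = sample_review("u1", {ARGO_LABEL: "demo-wf"}, ["shared", "other-home"])
    print(review_pod(argo, {"shared"})["response"])
```
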

Adam-D-Lewis commented 1 year ago

I'm pretty sure I resolved this and currently prefer checking the created workflows since it has less chance of breaking other things.