redradrat / aws-iam-operator

AWS IAM Operator for Kubernetes
Apache License 2.0

Updating PolicyAttachment with new policy name does not replace attached policy #5

Open SnehaMore20 opened 4 years ago

SnehaMore20 commented 4 years ago

Steps:

  1. Create a PolicyAttachment which attaches policy1 to role1.
  2. Update the PolicyAttachment: change the policy name to policy2 and apply the change.

Expected Behaviour: role1 should have policy2 attached and policy1 removed.

Actual Behaviour: role1 has both policies attached, policy1 and policy2.

The same issue happens when we update the PolicyAttachment with a new role.
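The behaviour reported above (policy2 attached, policy1 never detached) is what happens when a reconciler only attaches what the current spec names and keeps no record of what it attached before. The following is an added illustration, not code from aws-iam-operator: the spec/status types, the `IAMClient` interface and the `fakeIAM` double are hypothetical stand-ins, and the ARNs are constructed.

```go
package main

import "fmt"

// Hypothetical, simplified stand-ins for the operator's PolicyAttachment spec and status.
type PolicyAttachmentSpec struct{ RoleName, PolicyARN string }
type PolicyAttachmentStatus struct{ RoleName, PolicyARN string } // the pair actually attached

// The two IAM calls the reconciler needs; real code would wrap the AWS SDK client.
type IAMClient interface {
	AttachRolePolicy(role, policyARN string) error
	DetachRolePolicy(role, policyARN string) error
}

// Reconcile makes the live attachment match spec. The old spec is gone after an update, so the
// previously attached pair comes from status and is detached first; status is written after
// every successful call so a crash in between never leaves an attachment the controller forgot.
func Reconcile(c IAMClient, spec PolicyAttachmentSpec, st *PolicyAttachmentStatus) error {
	if st.RoleName == spec.RoleName && st.PolicyARN == spec.PolicyARN {
		return nil // already in the desired state
	}
	if st.PolicyARN != "" {
		if err := c.DetachRolePolicy(st.RoleName, st.PolicyARN); err != nil {
			return fmt.Errorf("detach %s from %s: %w", st.PolicyARN, st.RoleName, err)
		}
		*st = PolicyAttachmentStatus{} // nothing attached until the next call succeeds
	}
	if err := c.AttachRolePolicy(spec.RoleName, spec.PolicyARN); err != nil {
		return fmt.Errorf("attach %s to %s: %w", spec.PolicyARN, spec.RoleName, err)
	}
	st.RoleName, st.PolicyARN = spec.RoleName, spec.PolicyARN
	return nil
}

// fakeIAM is a constructed in-memory double: role name -> set of attached policy ARNs.
type fakeIAM map[string]map[string]bool

func (f fakeIAM) AttachRolePolicy(role, arn string) error {
	if f[role] == nil {
		f[role] = map[string]bool{}
	}
	f[role][arn] = true
	return nil
}
func (f fakeIAM) DetachRolePolicy(role, arn string) error { delete(f[role], arn); return nil }

func main() { // replays the issue's two steps against the fake; ARNs are constructed
	iam, st := fakeIAM{}, PolicyAttachmentStatus{}
	_ = Reconcile(iam, PolicyAttachmentSpec{"role1", "arn:aws:iam::111122223333:policy/policy1"}, &st)
	_ = Reconcile(iam, PolicyAttachmentSpec{"role1", "arn:aws:iam::111122223333:policy/policy2"}, &st)
	fmt.Println(iam["role1"]) // only policy2 remains attached
}
```

The same status-driven detach handles the second case in the report, a changed role name, because the recorded pair carries the role as well as the policy.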

redradrat commented 3 years ago

Changing the policy reference should not be possible. Not quite sure how I'm able to restrict this. Upstream, k8s does not yet allow CRD fields to be set to readOnly.

https://github.com/kubernetes/enhancements/blob/8b9b994136371f1bc938aabf012f4c45535d684c/keps/sig-api-machinery/20190603-immutable-fields.md

Solutions here would be: