Open baijum opened 3 years ago
What if we use the existing `containers` array, but allow container names to start with `!` to negate the selection?
I'd generally discourage deny lists for security related tasks, but there are times when it's the pragmatic approach.
The current spec supports an allow-list for containers to limit which containers in the application are bound. Sometimes a deny-list for containers would be more appropriate. The deny-list would limit which containers in the application are not bound. The allow-list could be mutually exclusive with the deny-list (only one of them exists). I propose to add a `.spec.application.skipContainers` field to specify the deny-list for containers. This can be added post 1.0 release in a backward-compatible way.
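The selection semantics discussed in this thread, as an added Go example that is not part of the issue or of the spec's own code: it enforces the mutual exclusivity of the two lists and reports list entries that match no container, since a misspelled name in a deny-list leaves that container bound. The `Selector` type, `SelectContainers` function, and container names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Selector: Containers is the existing allow-list; SkipContainers is the
// proposed deny-list (field semantics assumed for this example).
type Selector struct{ Containers, SkipContainers []string }

// SelectContainers returns the containers to bind, in workload order, plus
// list entries that matched no container in the workload.
func SelectContainers(workload []string, s Selector) (bound, unmatched []string, err error) {
	if len(s.Containers) > 0 && len(s.SkipContainers) > 0 {
		return nil, nil, errors.New("containers and skipContainers are mutually exclusive")
	}
	list, deny := s.Containers, false
	if len(s.SkipContainers) > 0 {
		list, deny = s.SkipContainers, true
	}
	if len(list) == 0 {
		return workload, nil, nil // no filter: every container is bound
	}
	seen := make(map[string]bool, len(list))
	for _, n := range list {
		seen[n] = false // value records whether the name matched a container
	}
	for _, name := range workload {
		_, inList := seen[name]
		if inList {
			seen[name] = true
		}
		if inList != deny { // allow-list keeps listed names, deny-list keeps the rest
			bound = append(bound, name)
		}
	}
	for _, n := range list {
		if !seen[n] {
			unmatched = append(unmatched, n)
		}
	}
	return bound, unmatched, nil
}

func main() {
	workload := []string{"app", "log-shipper", "metrics"} // constructed sample
	b, u, _ := SelectContainers(workload, Selector{SkipContainers: []string{"log-shiper"}}) // typo
	fmt.Println(b, u) // the sidecar is still bound; the typo shows up as unmatched
}
```

A controller could treat a non-empty `unmatched` result as a validation warning or error rather than applying the binding silently.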