servicebinding / spec

Specification for binding services to k8s workloads
https://servicebinding.io
Apache License 2.0

Deny list for containers to limit which containers in the application are not bound #163

Open baijum opened 3 years ago

baijum commented 3 years ago

The current spec supports an allow-list for containers to limit which containers in the application are bound. Sometimes a deny-list for containers would be more appropriate. The deny-list would limit which containers in the application are not bound. The allow-list could be mutually exclusive with the deny-list (only one of them exists). I propose to add a .spec.application.skipContainers field to specify the deny-list for containers.

This can be added post 1.0 release in a backward-compatible way.

scothis commented 3 years ago

What if we use the existing containers array, but allow container names to start with ! to negate the selection?

I'd generally discourage deny lists for security-related tasks, but there are times when it's the pragmatic approach.
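
The following Go sketch is an added example, not part of the thread or the spec. It models the `!` negation idea on the existing containers array and shows why a deny-list fails open when a container is added to the workload later. The function name, the container names, and the exact semantics (an empty list binds everything; mixing plain and `!` names is rejected) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// selectContainers returns the containers that would receive the binding.
// Assumed semantics (hypothetical, not defined by the spec): an empty
// selector list binds every container; plain names form an allow-list;
// names prefixed with "!" form a deny-list; mixing the two is an error.
func selectContainers(workload, selectors []string) ([]string, error) {
	if len(selectors) == 0 {
		return append([]string{}, workload...), nil
	}
	allow, deny := map[string]bool{}, map[string]bool{}
	for _, s := range selectors {
		if strings.HasPrefix(s, "!") {
			deny[strings.TrimPrefix(s, "!")] = true
		} else {
			allow[s] = true
		}
	}
	if len(allow) > 0 && len(deny) > 0 {
		return nil, fmt.Errorf("allow and deny selectors are mutually exclusive")
	}
	bound := []string{}
	for _, c := range workload {
		if (len(allow) > 0 && allow[c]) || (len(deny) > 0 && !deny[c]) {
			bound = append(bound, c)
		}
	}
	return bound, nil
}

func main() {
	// Constructed workload: "mesh-proxy" stands for a sidecar added after
	// the binding was written, e.g. by an injecting admission webhook.
	before := []string{"app", "log-shipper"}
	after := []string{"app", "log-shipper", "mesh-proxy"}
	for _, sel := range [][]string{{"app"}, {"!log-shipper"}} {
		b, _ := selectContainers(before, sel)
		a, _ := selectContainers(after, sel)
		// The deny-list silently extends the binding to the new sidecar.
		fmt.Printf("%v: before=%v after=%v\n", sel, b, a)
	}
}
```

With the allow-list the bound set stays at the one named container after the sidecar appears; with the deny-list the sidecar also receives the service credentials unless someone updates the binding.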