stefanprodan / timoni

Timoni is a package manager for Kubernetes, powered by CUE and inspired by Helm.
https://timoni.sh
Apache License 2.0

PodSecurity Violation #322

Closed Nalum closed 6 months ago

Nalum commented 6 months ago

Working on a module for trust-manager, I've hit a possible nice-to-have. I installed my cert-manager module, which sets up a restricted PodSecurity on the cert-manager namespace; I then install trust-manager but get a warning from timoni about violating the PodSecurity:

9:33AM INF would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), hostPort (container "trust-manager" uses hostPorts 6443, 9402) logger=KubeAPIWarningLogger

Timoni continues on with the apply; would it be better to kill the apply at this point rather than have it eventually time out?

stefanprodan commented 6 months ago

Timoni can't break the execution on warning messages; PodSecurity does not fail the apply like a validation webhook would, it just issues a message. Warning messages are issued by the API for all sorts of situations, for example deprecated fields, so stopping the apply would be a mistake.

Nalum commented 6 months ago

Ah, so it'd need to parse the message, and that is definitely not something we'd want to do. Grand.

stefanprodan commented 6 months ago

We can't parse the warning; these get logged by the underlying client-go logger, they are not errors returned by the SSA operations.
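The distinction drawn in this thread (a PodSecurity warning versus a hard rejection) comes from which Pod Security Admission mode labels are set on the namespace. The manifest below is an added illustration, not part of the timoni project or of either module discussed above; the namespace name is the one mentioned in the thread and the label values are the standard Pod Security Admission ones. The `enforce` mode only rejects Pod objects themselves, so a Deployment whose pod template violates the policy is still admitted (with the `would violate PodSecurity` warning from `warn` mode), and the failure only surfaces later when its ReplicaSet cannot create Pods, which is why an apply that waits for readiness eventually times out instead of failing up front.

```yaml
# Added example: the three Pod Security Admission modes on the cert-manager
# namespace referenced in the thread (not from the timoni project).
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    # enforce: Pods that violate the policy are rejected at admission.
    # Workload objects (Deployment, DaemonSet, ...) are still admitted; their
    # controllers then fail to create Pods, so the rollout never becomes ready.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # warn: the API server admits the object but returns a Warning header,
    # which client-go logs as the "would violate PodSecurity" message above.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
    # audit: the violation is only recorded as an annotation in the audit log.
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: latest
```

To see these warnings before anything is applied, a server-side dry run of the module's rendered manifests (for example `kubectl apply --dry-run=server -f <rendered.yaml>`) returns the same Warning headers without creating the objects, which is a cheaper check than waiting for the rollout to time out.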