Allow wildcard value for namespaces in Alert eventSources #504
Signed-off-by: alekspog <[email protected]>
There are security concerns related to this feature that were articulated in #71 (e.g. #71 (comment)). Given the mentioned RFC has never been merged, we need to think this over. In any case this will need to be held until notification-controller 1.0.0 has been released. Let's please take the time to completely discuss the threat model and potential mitigations here.
I thought that disabling cross-namespace references should solve the security concern as was said there: Are there any ongoing discussions about the threat model? I see that fluxcd/flux2#2092 and fluxcd/flux2#2093 were both closed to wait for https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/3766-referencegrant/README.md
Any update on this?
How about using regex matching for the namespace(s)?
Hi! Is it correct to say that this PR is still on hold and we are waiting?
Yes, pretty much. Current consensus is that we want to wait for the Kubernetes ReferenceGrant API to become GA which will definitely take a couple of Kubernetes releases to come.
This feature request seems irrelevant to
Hi, any update on this PR?
Allow wildcard value for namespaces in Alert eventSources.
Fix: #71
At the moment we have to create a list of all HelmRelease objects, for example, in the eventSources section to be able to get notifications about them. We also need to update the list whenever a new object is added. That requires lots of effort. It seems that the best way is to allow wildcards for namespaces.
How the Alert eventSources definition looks now:
How it would be after the change: