-
Notifications
You must be signed in to change notification settings - Fork 36
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider restricting FlagSourceConfiguration CRD #517
Comments
The configurability of the flagd sidecar via startup arguments (image & tag) is not part of the implementation yet and needs to be implemented separately. I would probably consider implementing this properly with tests after the implementation of v1beta1 is merged (but definitely before it's released, so we do not have breaking changes). WDYT @Kavindu-Dodan @toddbaert ? |
If I am correct, this is an image + tag for the flagd-proxy, but not for the flagd sidecar, I guess we want the same behavior here |
Pre-requisites:
v1beta1
API version #529v1beta1
in OFO logic #531This issue was derived from comment #514 (comment)
OpenFeature operator supports configurability of flagd sidecar image & tag through two options,
The latter has a potential security impact as the side-car injection can be controlled based on the CRD definition of the respective deployment.
Solution
For a given operator deployment, it is best to fix the sidecar image & tag and disallow any other overloading options. This means, keeping the Operator startup option and removing the option provided through
FlagSourceConfiguration
crd.Discussion
Consider following when doing this,
Footnotes
https://github.com/open-feature/open-feature-operator/blob/v0.2.35/main.go?rgh-link-date=2023-08-03T18%3A11%3A45Z#L93-L109 ↩
https://github.com/open-feature/open-feature-operator/blob/v0.2.35/docs/flag_source_configuration.md#sidecar-configurations ↩
The text was updated successfully, but these errors were encountered: