Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider restricting FlagSourceConfiguration CRD #517

Closed
3 tasks done
Tracked by #528
Kavindu-Dodan opened this issue Aug 7, 2023 · 3 comments · Fixed by #550
Closed
3 tasks done
Tracked by #528

Consider restricting FlagSourceConfiguration CRD #517

Kavindu-Dodan opened this issue Aug 7, 2023 · 3 comments · Fixed by #550
Assignees
@odubajDT

Comments

@Kavindu-Dodan
Copy link
Contributor

Kavindu-Dodan commented Aug 7, 2023
edited by odubajDT
Loading

Pre-requisites:

This issue was derived from comment #514 (comment)

OpenFeature operator supports configurability of flagd sidecar image & tag through two options,

  • As startup arguments of the operator (using helm/K8s yaml) 1
  • Using FlagSourceConfiguration's image & tag override options 2

The latter has a potential security impact as the side-car injection can be controlled based on the CRD definition of the respective deployment.

Solution

For a given operator deployment, it is best to fix the sidecar image & tag and disallow any other overloading options. This means, keeping the Operator startup option and removing the option provided through FlagSourceConfiguration crd.

Discussion

Consider following when doing this,

Footnotes

  1. https://github.com/open-feature/open-feature-operator/blob/v0.2.35/main.go?rgh-link-date=2023-08-03T18%3A11%3A45Z#L93-L109

  2. https://github.com/open-feature/open-feature-operator/blob/v0.2.35/docs/flag_source_configuration.md#sidecar-configurations

@Kavindu-Dodan Kavindu-Dodan mentioned this issue Aug 7, 2023
Merged
@Kavindu-Dodan Kavindu-Dodan mentioned this issue Oct 18, 2023
Closed
@odubajDT
Copy link
Contributor

odubajDT commented Oct 19, 2023
edited
Loading

The configurability of the flagd sidecar via startup arguments (image & tag) is not part of the implementation yet and needs to be implemented separately. I would probably consider implementing this properly with tests after the implementation of v1beta1 is merged (but definitely before it's released, so we do not have breaking changes). WDYT @Kavindu-Dodan @toddbaert ?

@odubajDT odubajDT mentioned this issue Oct 23, 2023
Closed
@Kavindu-Dodan
Copy link
Contributor Author

@odubajDT Actually this is already there but hidden inside a configuration loader 1 and not well document

Going forward we should only allow this configuration loading (+ document this behaviour) and disallow change through CRD

Footnotes

@odubajDT odubajDT mentioned this issue Oct 24, 2023
Closed
@odubajDT odubajDT self-assigned this Nov 17, 2023
@odubajDT
Copy link
Contributor

@odubajDT Actually this is already there but hidden inside a configuration loader 1 and not well document

Going forward we should only allow this configuration loading (+ document this behaviour) and disallow change through CRD

Footnotes

1. * https://github.com/open-feature/open-feature-operator/blob/v0.2.35/controllers/common/flagd-proxy.go#L68-L75
   
   [↩](#user-content-fnref-1-51f87aad3da9155b04a47936f7360f75)

If I am correct, this is an image + tag for the flagd-proxy, but not for the flagd sidecar, I guess we want the same behavior here

This was referenced Nov 17, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@odubajDT odubajDT

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: restricting sidecar image and tag setup odubajDT/open-feature-operator
2 participants
@Kavindu-Dodan @odubajDT