Commit
Add docs on resource mutation and validation
1 parent
92c069c
commit 2cf37c7
Showing 9 changed files with 107 additions and 29 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,22 @@ | ||
## Validation Checks | ||
|
||
Note: The kube-system namespace, unlike other namespaces, has a "failPolicy" of "ignore" on update calls. | ||
Note: The `kube-system` namespace, unlike other namespaces, has a `failPolicy` of `ignore` on update calls. | ||
|
||
### Project annotation | ||
Verifies that the annotation `field.cattle.io/projectId` value can only be updated by users with the `manage-namespaces` | ||
verb on the project specified in the annotation. | ||
|
||
### PSA Label Validation | ||
|
||
Validates that users who create or edit a PSA enforcement label on a namespace have the `updatepsa` verb on `projects` in `management.cattle.io/v3`. See the [upstream docs](https://kubernetes.io/docs/concepts/security/pod-security-admission/) for more information on the effect of these labels. | ||
Validates that users who create or edit a PSA enforcement label on a namespace have the `updatepsa` verb on `projects` | ||
in `management.cattle.io/v3`. See the [upstream docs](https://kubernetes.io/docs/concepts/security/pod-security-admission/) | ||
for more information on the effect of these labels. | ||
|
||
The following labels are considered relevant labels for PSA enforcement: `"pod-security.kubernetes.io/enforce", "pod-security.kubernetes.io/enforce-version", "pod-security.kubernetes.io/audit", "pod-security.kubernetes.io/audit-version", "pod-security.kubernetes.io/warn", "pod-security.kubernetes.io/warn-version"`. | ||
The following labels are considered relevant for PSA enforcement: | ||
- pod-security.kubernetes.io/enforce | ||
- pod-security.kubernetes.io/enforce-version | ||
- pod-security.kubernetes.io/audit | ||
- pod-security.kubernetes.io/audit-version | ||
- pod-security.kubernetes.io/warn | ||
- pod-security.kubernetes.io/warn-version | ||
|
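Review bot: the note on the `kube-system` failure policy should spell out its consequence for the checks documented under it: with a `failPolicy` of `ignore` on update calls, an unavailable or erroring webhook lets updates in `kube-system` through without the project-annotation and PSA-label checks, so those checks are fail-open for that namespace and readers should be told so. The Kubernetes webhook configuration field is also named `failurePolicy` with the value `Ignore`; using the exact name and casing would avoid confusion with the upstream API. Finally, the new bulleted list dropped the backticks the old inline list had, e.g. `pod-security.kubernetes.io/enforce`, so the label names now render as plain text rather than as literals.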
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
## Validation Checks | ||
|
||
A secret cannot be deleted if its deletion request has an orphan policy, | ||
and the secret has roles or role bindings dependent on it. | ||
|
||
## Mutation Checks | ||
|
||
### On create | ||
|
||
For all secrets of type `provisioning.cattle.io/cloud-credential`, | ||
places a `field.cattle.io/creatorId` annotation with the name of the user as the value. | ||
|
||
### On delete | ||
|
||
Checks if there are any RoleBindings owned by this secret which provide access to a role granting access to this secret. | ||
If yes, the webhook redacts the role, so that it only grants a deletion permission. |
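Review bot: the "On delete" mutation describes changing a Role while a Secret is being deleted, but a mutating admission response can only patch the object under admission, so the Role change has to be an API write the webhook performs itself; the doc should say that explicitly, and also say what happens if that write fails (whether the secret deletion is still admitted), since that is the point where a RoleBinding could outlive the secret it was scoped to. The validation check should name the Kubernetes option it refers to, `propagationPolicy: Orphan` in the delete options, rather than "an orphan policy". It would also help to cross-reference the two sections: as written, an orphaning delete with dependent roles is denied outright while a non-orphaning delete redacts the roles, which reads as the intended split but is never stated.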
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
## Validation Checks | ||
|
||
### On update | ||
|
||
The desired value must not change on new spec unless it's equal to the `lockedValue` or `lockedValue` is nil. |
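Review bot: "The desired value must not change on new spec" leaves both fields unnamed; give the full paths of the desired value and of `lockedValue` (which object they live on and whether `lockedValue` is written by a controller or by the user), because the rule is only meaningful if readers can tell which side is user-controlled. The condition also reads ambiguously: "unless it's equal to the `lockedValue`" should say whether the new value or the old value must equal `lockedValue`, and "it's" should be "it is".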
pkg/resources/management.cattle.io/v3/globalrole/GlobalRole.md: 5 changes (4 additions & 1 deletion)
pkg/resources/management.cattle.io/v3/globalrolebinding/GlobalRoleBinding.md: 2 changes (1 addition & 1 deletion)