Add ability to convert K8s Obj to PSP #29
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@mstemm it looks good to me, could you please also update the |
Kaizhe
suggested changes
Oct 14, 2019
Kaizhe
reviewed
Oct 15, 2019
Kaizhe
approved these changes
Oct 15, 2019
Add the ability to convert a single K8s Object to a Pod Security Policy,
instead of reading all objects from a live cluster.
- Add spf13/cobra to add subcommands "inspect", which covers the
existing functionality, and "convert", which converts a single K8s
Object as a yaml file.
- Move the code that generates a PodSecurityPolicy from lists of
ContainerSecuritySpec/PodSecuritySpec to a standalone package in
generator/generator.go. It only has a few minor changes:
- It has a struct so it's more like an object than a standalone
function.
- The provided service account is optional. When not provided
e.g. nil, "secret" is always added as an allowed volume type.
- When used by the converter, the namespace and serverGitVersion
are set to default values "default" and "v1.11", which allows
enforcement of ReadOnly filesystems.
- Error handling at the top level is done by log.Fatalf instead of
panic(), to make problems like incorrect arguments a bit more
graceful.
- Add logging at least for the conversion path, showing the files that
are read and written at debug level.
mstemm
force-pushed
the
allow-psp-gen-files
branch
from
4b19f5f to
cc6425d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add the ability to convert a single K8s Object to a Pod Security Policy,
instead of reading all objects from a live cluster.
Add spf13/cobra to add subcommands "inspect", which covers the
existing functionality, and "convert", which converts a single K8s
Object as a yaml file.
Move the code that generates a PodSecurityPolicy from lists of
ContainerSecuritySpec/PodSecuritySpec to a standalone package in
generator/generator.go. It only has a few minor changes:
It has a struct so it's more like an object than a standalone
function.
The provided service account is optional. When not provided
e.g. nil, "secret" is always added as an allowed volume type.
When used by the converter, the namespace and serverGitVersion
are set to default values "default" and "v1.11", which allows
enforcement of ReadOnly filesystems.
Error handling at the top level is done by log.Fatalf instead of
panic(), to make problems like incorrect arguments a bit more
graceful.
Add logging at least for the conversion path, showing the files that
are read and written at debug level.