Remove uds-dev-stack namespace exclusion from Pepr defaults #1193
Labels
operator
Issues pertaining to the UDS Operator (Pepr)
policy-engine
Issues pertaining to UDS Policy Engine (Pepr)
security
Describe what should be investigated or refactored
Currently uds-core ignores the uds-dev-stack namespace entirely for any pepr code (validations, mutations, watches). While this does make sense for the deployments of the dev/demo bundle this really should not be set by default for all core deployments as it represents an extra area of risk/namespace to audit.
With the changes upstream in pepr we should be able to remove uds-dev-stack from our defaults, and instead move it to the helm value additionalIgnoredNamespaces as a bundle override for the dev/demo bundles. This may need special handling for single-layer tests since they do not deploy with a bundle.
Links to any relevant code
This will be dependent on defenseunicorns/pepr#1641 being released in a new Pepr version.
Additional context
This will be a breaking change that should be noted as such since end users could be relying on this namespace being ignored. It may also be worth noting this bundle override in the documentation to help in scenarios where there are other system namespaces that need to be ignored. This should be done with a note of caution due to the security implications of making this change.