Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

genpolicy-msft: remove settings patch for env #159

Merged
merged 1 commit into from
Feb 19, 2024
Merged

genpolicy-msft: remove settings patch for env #159

merged 1 commit into from
Feb 19, 2024

Conversation

burgerdev
Copy link
Contributor

@burgerdev burgerdev commented Feb 13, 2024
edited
Loading

The genpolicy-settings.json allow overriding the permissible set of
environment variables, and come with a generic list of env vars suitable
for the AKS environment.

We want to have a dev setting that allows debugging (e.g. pod network
settings like iptables), but that is otherwise as close to the upstream
as possible. Environment variable allowlists are generated by genpolicy,
and should thus not need blanket exemptions, even in dev setups. Thus,
we remove the blanket allowlist and work around the limitations in our
deployment yaml.

@burgerdev
Copy link
Contributor Author

cc @3u13r: Depending on how the demodir images are built, they may stop working with this change. There are two workarounds:

  • Include a PATH in the image env.
  • Include a PATH in the k8s yaml.
  • Wait for the upstream fix.

Please let me know which way you'd prefer.

@burgerdev burgerdev requested a review from 3u13r February 13, 2024 16:04
@burgerdev burgerdev added the needs: external unblock Blocked by an external cause label Feb 14, 2024
@burgerdev
Copy link
Contributor Author

I split this PR: the added PATH vars now go into #156 to unblock that, while the settings change stays here - potentially blocked until we fix the demo images.

@3u13r
Copy link
Member

3u13r commented Feb 14, 2024

Which demo images do you mean? I assume not the ones we build in this project. Do you mean the emojivoto images? For those I favor fixing it in the yaml for now and see if upstream fixes this eventually.

@burgerdev
Copy link
Contributor Author

Yes, emojovoto - I meant the images for just demodir. Let me check which of these do need a PATH setting.

@burgerdev
Copy link
Contributor Author

Turns out none of them do, as they are all produced with buildkit.

@burgerdev burgerdev removed the needs: external unblock Blocked by an external cause label Feb 15, 2024
@burgerdev
genpolicy-msft: remove settings patch for env
ac8d9d4 
The genpolicy-settings.json allow overriding the permissible set of
environment variables, and come with a generic list of env vars suitable
for the AKS environment.

We want to have a dev setting that allows debugging (e.g. pod network
settings like iptables), but that is otherwise as close to the upstream
as possible. Environment variable allowlists are generated by genpolicy,
and should thus not need blanket exemptions, even in dev setups. Thus,
we remove the blanket allowlist and work around the limitations in our
deployment yaml.
@burgerdev
Copy link
Contributor Author

With the changes from #156 this is now good to go, ptal.

@burgerdev burgerdev merged commit fe1afa8 into main Feb 19, 2024
5 checks passed
@burgerdev burgerdev deleted the burgerdev/policy branch February 19, 2024 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@katexochen katexochen katexochen approved these changes

@3u13r 3u13r Awaiting requested review from 3u13r

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@burgerdev @3u13r @katexochen