Allow k8s workload attestation when container is not ready #3460
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change introduces a new configurable, `disable_container_selectors` which configures the K8s Workload Attestor to only produce pod-related selectors. This allows for workload attesation to succeed when the attestor can positively locate the workload pod but cannot yet locate the workload container at the time of attestation (e.g. postStart hook is still executing). See issue spiffe#3092 for more details. Fixes: spiffe#3092 Signed-off-by: Andrew Harding <[email protected]>
azdagron
requested review from
evan2645,
amartinezfayo,
MarcosDY and
rturner3
as code owners
MarcosDY
reviewed
Sep 26, 2022
| // succeed with just pod related selectors when the workload pod is known | ||
| // but the container may not be in a ready state at the time of attestation | ||
| // (e.g. when a postStart hook has yet to complete). | ||
| DisableContainerSelectors bool `hcl:"disable_container_selectors"` |
There was a problem hiding this comment.
This config will work on windows to get only pod information, but we requires to have containerID in order to get the pod metadata. I'm not sure if we can just allow this in case someone is not interested to have container metadata?
| s.requireAttestSuccess(p, testPodSelectors) | ||
| } | ||
|
|
||
| func (s *Suite) TestAttestWhenContainerNotReadyButContainerSelectorsDisabled() { |
There was a problem hiding this comment.
this test will not work on windows since we require ContainerID in order to get pod
Signed-off-by: Andrew Harding <[email protected]>
Signed-off-by: Andrew Harding <[email protected]>
Signed-off-by: Andrew Harding <[email protected]>
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
This change introduces a new configurable, `disable_container_selectors` which configures the K8s Workload Attestor to only produce pod-related selectors. This allows for workload attesation to succeed when the attestor can positively locate the workload pod but cannot yet locate the workload container at the time of attestation (e.g. postStart hook is still executing). See issue spiffe#3092 for more details. Fixes: spiffe#3092 Signed-off-by: Andrew Harding <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change introduces a new configurable,
disable_container_selectorswhich configures the K8s Workload Attestor to only produce pod-related selectors. This allows for workload attesation to succeed when the attestor can positively locate the workload pod but cannot yet locate the workload container at the time of attestation (e.g. postStart hook is still executing).See issue #3092 for more details.
Fixes: #3092