Do not allow to change webhooks enabled on the fly #16980
Comments
sleshchenko
added
kind/task
|
Makes sense to me, the only concern is if there's an issue with OLM. In terms of local development, we shouldn't be impacted too heavily -- I don't know if you meant to link to the first two PRs in the Che repo, though 😄 |
|
If I'm understanding correctly you're trying to find out if uninstalling the operator will remove all the workspaces? I've just tried it out using https://github.com/davidfestal/summi-at-sites-workspace-operator-bundle and it looks like the workspaces themselves stay and an error message pops up when uninstalling that says: "This will remove operator Che Workspace Operator from all namespaces. Your application will keep running, but it will no longer receive updates or configuration changes." I wonder if there's any way from inside the operator that we can detect if we are in the process of being uninstalled so that we can clean up any existing workspaces |
benoitf
added
the
new¬eworthy
This comment has been minimized.
This comment has been minimized.
Is your task related to a problem? Please describe.
Currently, there two aspects that could lead to privileges escalation:
webhooks.enabled: falseand all tokens previously injected into workspaces are not secured anymore.Despite the fact it was handy for local development - it's not safe things to do, so it's proposed to:
Then once operator is removed - it won't be possible to do any exec in any pods (even not related to workspaces since exec subresource does not support labels). So, admin is supposed to make sure that all workspace-related resources are removed and after that manually remove webhooks.
implemented
If an admin really needs to disable webhooks - it's their responsibility to make sure that all workspaces are stopped, remove webhooks and then reconfigure and restart controller.
The text was updated successfully, but these errors were encountered: