-
Notifications
You must be signed in to change notification settings - Fork 259
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Default to deny all security policy. #1320
Conversation
@SeanTAllen , I don't remember why we didn't do this to start with? Is there something obvious I'm missing? |
@anmaxvl yes, because otherwise it would break existing deployments that need to be updated to have an allow all security policy. |
@SeanTAllen would the approach in this PR work? |
@anmaxvl I dont see what this PR accomplishes. Its not really defaulting to closed as the absence of a policy then switches it to open so... its the same thing as it is now. |
dbcfed1
to
ff9a733
Compare
@SeanTAllen , I updated the commit and PR description a bit. So what this PR is making sure that GCS won't accept any supported requests before the policy is set. Also we make an assumption in this PR, that if no security policy is set, that it means that everything is allowed. |
Got it. |
All I can think of is we'll need to make sure we don't try to do any operations that policy would deny between UVM startup and when we set the policy to open. But assuming you've tested creating a pod and it still works I think we are good. |
When bringing up the UVM default to closed door security policy to reject any modification requests prior to security policy is set inside GCS. When security policy is empty, default to open door policy. Signed-off-by: Maksim An <maksiman@microsoft.com>
ff9a733
to
1c18d6e
Compare
@anmaxvl I see you assigned me to this, was there something specific you're looking for me to do? I already approved so unless something changes it's good to go from my perspective. We would just need another reviewer in that case. |
no, nothing. I think we usually self-assign when doing a review, so I just did that. agree, that we need another pair of eyes here. @microsoft/containerplat |
When bringing up the UVM default to closed door security policy to reject any modification requests prior to security policy is set inside GCS. When security policy is empty, default to open door policy. Signed-off-by: Maksim An <maksiman@microsoft.com>
When bringing up the UVM default to closed door security policy to reject any modification requests prior to security policy is set inside GCS. When security policy is empty, default to open door policy. Signed-off-by: Maksim An <maksiman@microsoft.com>
When bringing up the UVM default to closed door security policy
to reject any modification requests prior to security policy is set
inside GCS.
When security policy is empty, default to open door policy.
Signed-off-by: Maksim An maksiman@microsoft.com