Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: remove pod/service account labeled check in webhook #720

Merged
merged 1 commit into from
Jan 26, 2023
Merged

feat: remove pod/service account labeled check in webhook #720

merged 1 commit into from
Jan 26, 2023

Conversation

aramase
Copy link
Member

@aramase aramase commented Jan 25, 2023
edited
Loading

Signed-off-by: Anish Ramasekar [email protected]

Reason for Change:

With the objectselector set in mwh, only pods that have the label azure.workload.identity/use: "true" will be sent to the webhook for mutation. We no longer need the check for pod/service account labeled.

Requirements

  • squashed commits
  • included documentation
  • added unit tests and e2e tests (if applicable).

Issue Fixed:

fixes #658

Please answer the following questions with yes/no:

Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?

  • yes
  • no

Notes for Reviewers:

@aramase aramase marked this pull request as ready for review January 25, 2023 07:57
@aramase aramase requested a review from enj January 25, 2023 23:49
@enj
Copy link
Member

enj commented Jan 26, 2023

client id env var will be empty

@aramase what exactly does that mean for the app?

enj
enj reviewed Jan 26, 2023
View reviewed changes
pkg/webhook/webhook.go Show resolved Hide resolved
pkg/webhook/webhook.go Outdated Show resolved Hide resolved
pkg/webhook/webhook.go Outdated Show resolved Hide resolved
@aramase
Copy link
Member Author

aramase commented Jan 26, 2023

client id env var will be empty

@aramase what exactly does that mean for the app?

If the app relies on AZURE_CLIENT_ID env var, then the token request will fail.

Either the service account is created simultaneously when the pod is created and we don't see it while mutating or the service account doesn't exist in which case pod will fail with service account not found?

@aramase aramase force-pushed the aramase/f/658 branch 2 times, most recently from 9cbceb7 to 733d66e Compare January 26, 2023 16:59
@aramase aramase requested a review from enj January 26, 2023 16:59
@aramase aramase enabled auto-merge (squash) January 26, 2023 17:28
@aramase
feat: remove pod/service account labeled check in webhook
3bfdef2 
With the objectselector set in mwh, only pods that have the label
`azure.workload.identity/use: "true"` will be sent to the webhook for
mutation. We no longer need the check for pod/service account labeled.

Signed-off-by: Anish Ramasekar <[email protected]>
@aramase aramase merged commit 8c37dc1 into Azure:main Jan 26, 2023
@aramase aramase deleted the aramase/f/658 branch January 26, 2023 20:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enj enj enj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Make the m.reader.Get branch return admission.Allowed when the SA is not found
2 participants
@aramase @enj