Require tenants to block the latest Tag #273

Closed
bsctl opened this issue May 31, 2021 · 3 comments
Labels
blocked-needs-validation Issue need triage and validation enhancement New feature or request

@bsctl
Member

bsctl commented May 31, 2021

Describe the feature

The `:latest` tag is mutable and can lead to unexpected errors if the image changes. A best practice is to use an immutable tag that maps to a specific version of an application pod. Although it has always been considered a bad practice, we still see people and examples out there using it. In a multitenancy environment, the cluster admin can disallow tenants from using this bad practice.

What would the new user story look like?

1. The cluster admin creates a tenant manifest as:

```yaml
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: oil
spec:
  owner:
    name: alice
    kind: User
  allowedLatestImageTag: true
```

2. Tenant owner creates a new Namespace
3. This is going to be attached to the Tenant
4. Tenant owner cannot create pods with latest tag image. When not specified, any value is admitted.

Expected behavior

see above

@bsctl bsctl added enhancement New feature or request blocked-needs-validation Issue need triage and validation labels May 31, 2021
@bsctl bsctl added this to the v0.1.0 milestone May 31, 2021
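
Added example, not part of the issue and not Capsule's own code: one way an admission check could decide whether a container image reference resolves to the mutable `latest` tag, including the implicit case where no tag is given. The function names `usesLatestTag` and `rejectedImages` and the sample image list are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// usesLatestTag reports whether an image reference resolves to the mutable
// "latest" tag. Hypothetical helper, not part of Capsule.
func usesLatestTag(image string) bool {
	// A digest pins the exact image content, so any tag is irrelevant.
	if strings.Contains(image, "@") {
		return false
	}
	// Only the last path component can carry a tag; a colon earlier in the
	// reference is a registry port (e.g. registry.local:5000/app).
	name := image[strings.LastIndex(image, "/")+1:]
	i := strings.LastIndex(name, ":")
	if i < 0 {
		return true // no tag given: the reference defaults to "latest"
	}
	return name[i+1:] == "latest"
}

// rejectedImages returns the container images of a pod that a
// "block latest" policy would deny.
func rejectedImages(images []string) []string {
	var denied []string
	for _, img := range images {
		if usesLatestTag(img) {
			denied = append(denied, img)
		}
	}
	return denied
}

func main() {
	// Constructed sample input, not taken from the issue.
	sample := []string{
		"nginx",
		"nginx:latest",
		"nginx:1.21.0",
		"registry.local:5000/team/app",
		"registry.local:5000/team/app:v2",
		"nginx@sha256:" + strings.Repeat("a", 64),
	}
	for _, img := range rejectedImages(sample) {
		fmt.Println("deny:", img)
	}
}
```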
@prometherion
Member

Is this something related to the multi-tenancy benchmark?

Asking this because we had a discussion on #132 and we agreed on implementing this once the Policy Engine is set.

@bsctl
Member Author

bsctl commented Jun 3, 2021

@prometherion yep, it's correct. Currently, it's not part of the multi-tenancy benchmark and it's proposing the same as #132. I suggest keeping it open until the Policy Engine implementation, just to avoid people suggesting the same once again. And it happened to me too ;)

@bsctl bsctl removed this from the v0.1.0 milestone Jun 3, 2021
@prometherion
Member

Implemented with v1beta1 (#286) and by commit 4166093.
