Restrict Deployment updates #1639
Replies: 6 comments 2 replies
-
/assign
-
In thinking about this, I'm not actually too sure I know how to write such a policy.
-
Yes, it's currently possible to restrict some fields via deny rules. However, allowing select fields to be updated is more involved as each field in

Seems like a declarative approach would be to allow the user to specify something like this:

```yaml
validate:
  allowChanges:
  - spec.replicas
  - spec.template.spec.containers[*].image
```

There also could be a
-
@chipzoller - any thoughts on the proposal above?
-
So, something like:

```yaml
validate:
  denyChanges:
  - spec.replicas
```

or

```yaml
validate:
  changes:
    allow:
    - spec.replicas
    deny:
    - spec.template.spec.containers[*].image
```
-
Is there a solution for this use case since the suggestion doesn't seem to have been implemented?
-
This would be a nice sample policy to support as an example of an advanced deny rule:
https://kubernetes.slack.com/archives/C0EN96KUY/p1613133305093600
Christiaan Vermeulen Today at 4:35 AM
Hey!
I have a general question (Don’t know if it’s the right place), but is it possible to limit the PATCH operation on a Deployment to only allow patching of image & replica?
We are building an Operator which manages these for a cluster, but want to limit its permissions.
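The allowlist semantics discussed in this thread, as an added Python example (not from the thread and not Kyverno code): it compares the `spec` of the old and new Deployment, as an admission webhook receives them on UPDATE, and returns every changed path that no allowlist entry covers. The function names, the sample objects and the choice to compare only `spec` (server-managed metadata changes on every update) are assumptions.

```python
import re

# Allowlist entries taken from the thread; "[*]" stands for any list index.
ALLOW = ["spec.replicas", "spec.template.spec.containers[*].image"]
_MISSING = object()

def flatten(obj, prefix):
    """Yield (path, leaf) pairs such as spec.template.spec.containers[0].image."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}")
    elif isinstance(obj, list) and obj:
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{index}]")
    else:
        yield prefix, obj

def _matcher(pattern):
    # Everything is literal except "[*]", which matches one numeric index.
    return re.compile(re.escape(pattern).replace(r"\[\*\]", r"\[\d+\]"))

def violations(old, new, allow=ALLOW):
    """Return the changed spec paths that are outside the allowlist."""
    before = dict(flatten(old.get("spec"), "spec"))
    after = dict(flatten(new.get("spec"), "spec"))
    changed = {p for p in before.keys() | after.keys()
               if before.get(p, _MISSING) != after.get(p, _MISSING)}
    rules = [_matcher(p) for p in allow]
    return sorted(p for p in changed if not any(r.fullmatch(p) for r in rules))

def deployment(replicas, image, extra=None, sidecar=None):
    """Constructed sample Deployment (hypothetical names and images)."""
    container = {"name": "app", "image": image, **(extra or {})}
    containers = [container] + ([sidecar] if sidecar else [])
    return {"metadata": {"name": "web"},
            "spec": {"replicas": replicas,
                     "template": {"spec": {"containers": containers}}}}

OLD = deployment(2, "registry.example/app:1.0")

if __name__ == "__main__":
    # Scaling and an image bump are allowed; a privileged flag is reported.
    print(violations(OLD, deployment(5, "registry.example/app:1.1")))
    print(violations(OLD, deployment(2, "registry.example/app:1.0",
                                     extra={"securityContext": {"privileged": True}})))
```

An allowlist on leaf paths also rejects an added container, because the new container's `name` is a changed path that no entry covers even though its `image` is.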