-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add support for downwardAPI in projected volumes #13896
add support for downwardAPI in projected volumes #13896
Conversation
e5b2ac1
to
7ce2fbd
Compare
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #13896 +/- ##
==========================================
- Coverage 86.22% 86.21% -0.01%
==========================================
Files 199 199
Lines 14706 14749 +43
==========================================
+ Hits 12680 12716 +36
- Misses 1727 1731 +4
- Partials 299 302 +3
... and 2 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report in Codecov by Sentry. |
* Implicit memory aliasing in for loop. (gosec)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we want to guard the pod metadata like nodeName
behind the same flag that's used for environment variables.
// Disallowed fields | ||
// This list is unnecessary, but added here for clarity | ||
out.DownwardAPI = nil | ||
// TODO(KauzClay): Should this be behind a feature flag like EmptyDir? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dprotaso for a call on this; I think this was an oversight and we already allow many of these fields through.
Do we want to limit the pod metadata fields?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah let's limit the fields to just metadata.*
I agree with my past self here - #4190 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we established that downwardAPI currently only exposes metadata.*
.
Now I'm wondering if we should be defensive here...
This fixes #4190 |
If we do make this limited via the Or just entries that specify |
Looking at https://kubernetes.io/docs/concepts/workloads/pods/downward-api/#available-fields and #4190, I'm less concerned about exposing all the fields without a flag. My particular
It looks like those fields only get exposed via environment variables, so I'd be okay without needing a flag-guard. I'd like to hear from @dprotaso as well. The other fields mentioned in #4190 are:
|
8b2a056
to
f76859f
Compare
@evankanderson okay, thanks for explaining more, I think I'm understanding now. For now, I removed my wip commit to wholesale enable/disable DownwardAPI via a flag. As far as faking the metadata.name/uid, if that is decided, would that be a separate PR? |
That was more of a note for compatibility between this (OSS) implementation and other implementations which may not be Kubernetes-based. /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: evankanderson, KauzClay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @KauzClay
This in theory should be the same as invoking
In my view this is benign
+1 We could gate the other properties that aren't supported through volumes but it's not worth being so defensive and we can do that latter if the upstream changes. /lgtm |
Fixes #4190
Proposed Changes
Release Note