kfox1111
Sorry. I said attributes, but was really intending to say annotations: https://kubernetes.io/docs/user-guide/annotations/ Other systems like Prometheus use them to tag pods. For example, as needing to be scraped.
https://github.com/kubernetes/kubernetes/issues/57049 is related.
Pausing wouldn't help as it would mostly have the same effect. Making the upper cluster's workload unavailable. It also breaks the usage contract. Let me go through a concrete example...
+1 to doing it via Prometheus rather than its own thing.
I don't think it has to be an either/or thing. I believe other projects use Kubernetes style yaml apis but use their own api implementations that accept them. So if...
Yeah. I implemented something like that for the helm chart. What I'm not sure about is on the pam side. How does one securely configure the pam module to talk...
Looks like opa supports unix sockets: https://github.com/open-policy-agent/opa/pull/752 That could be part of the solution if the pam side supports it. Can you configure the authz module in opa to base...
Just glancing at the code, it does not look like it supports unix sockets, but it would be pretty easy to tweak the curl config in http.c to support it:...
PR for implementing unix socket support here: https://github.com/open-policy-agent/contrib/pull/89
Between that PR, and controlling the permissions on the parent directory the socket is in, access to OPA can be restricted to root on the same host. It works for...