cosign icon indicating copy to clipboard operation
cosign copied to clipboard

Published 20 hours ago verified publisher icon sigstore

Should be worrying about ephemeral containers

Open vaikas opened this issue 3 years ago • 5 comments

Question While I was looking at the #809 thought about how we might want to handle ephemeral containers. Just wanted to jot this down and see what folks thought about this. Seems like something to at least think about.

https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/

vaikas avatar Sep 28 '21 23:09 vaikas

hello @vaikas, this is an interesting case nice !! I found this, it might be useful for us: 👉 https://github.com/kubernetes/kubernetes/issues/92557

developer-guy avatar Sep 29 '21 07:09 developer-guy

Yes!

dlorenc avatar Sep 29 '21 15:09 dlorenc

Hello, kindly ping here 🙋🏻‍♂️ We can use ephemeral containers sub resource definition in the rules section of Validating/MutatingWebhookConfiguration as follows 👇

rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - pods/ephemeralcontainers

developer-guy avatar Jan 31 '22 09:01 developer-guy

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Sep 11 '22 02:09 github-actions[bot]

We should add these in to the list that we care about, utilizing this: https://github.com/knative/pkg/pull/2547

Of course, we also need to validate them in the actual webhook.

vaikas avatar Sep 11 '22 23:09 vaikas

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot] avatar Nov 11 '22 02:11 github-actions[bot]

Closing this issue! Yes, we have to worry about ephemeral containers. We also added support for those in the sigstore/policy-controller.

hectorj2f avatar Nov 11 '22 08:11 hectorj2f