-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Policy Exemptions For Packages Like Rook-Ceph #272
Comments
Pre Core Policy Exemption ProposalBest (?) SolutionsPublish separate CRD package:use in the bundle like so: kind: UDSBundle
metadata:
name: user-bundle
packages:
- name: exemption-crd
- name: custom-init
- name: core pros:
downsides:
Make a mini exemption package to deploy after core:use in the bundle like so: kind: UDSBundle
metadata:
name: user-bundle
packages:
- name: custom-init
- name: core
- name: exemption pros:
downsides:
Allow custom exemptions via values passed to uds-core:use in the bundle like so: kind: UDSBundle
metadata:
name: user-bundle
packages:
- name: custom-init
- name: core
overrides:
uds:
uds:
- name: EXEMPTION
path: exemptions and then in uds-config.yaml: options:
architecture: amd64
variables:
core:
exemptions: |
- policies:
- ...policies
matcher:
namespace: ""
name: ""
title: ""
description: "" pros:
downsides:
Current LeaningsWe're leaning toward option 1 -- publish separate CRD package -- if testing bears out that there's no catastrophic upgrade issues. But of course we want to know what users of core would find to be a better experience. Other ContextReasons for rejecting other ideas:
|
testing the CRD package so far has been successful. Manual tests:
|
I lost track of this. We are still needing a solution. After digging through this and the PR, I don't think this helps us with the rook-ceph specific issues as there are no exemptions for things like hostPath volumes. We currently have a package that creates exemptions that we deploy post core install which sounds like our option 2? The main issue is the lack of exemption support for things that rook-ceph needs. |
@anthonywendt just to check, are you seeing any specific policies you can't exempt? I just checked and we have exemptions for everything possible as far as I can tell. Ref: https://github.com/defenseunicorns/uds-core/tree/main/src/pepr/policies - |
Yeah as you pointed out to me, the regex in our matcher for our exemption we are using wouldn't catch everything we wanted. I think we may be good once we update our exemption appropriately but I will test to verify. |
Is your feature request related to a problem? Please describe.
We have a custom zarf init package that deploys rook-ceph and then initializes zarf. If we then deploy uds-core on top of that we can no longer upgrade rook-ceph because pepr will block the recreation of the rook-ceph resources. There are no exemptions or mechanisms currently available to allow rook-ceph to deploy successfully on an upgrade.
We need to be able to exempt the policies being enforced in the screenshot below. There were talks on different ways to solve this problem. I will list some of that below in the alternative section.
Describe the solution you'd like
Describe alternatives you've considered
-- We could allow specific flags that generate exemptions for “rook mode” “eks mods” “Jeff’s an idiot mode” And those would generate the requisite exemptions
Additional context
This is blocking the ability to provide bundle upgrades that include rook-ceph upgrades.
The text was updated successfully, but these errors were encountered: