This repository was archived by the owner on Jul 11, 2023. It is now read-only.
injector: enforce using configured images #4131
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change enforces that images configured by the user or install time defaults are always used at the time of sidecar injection. Previously, default images were encoded in the configurator which posed a security risk of not using configured images in case those values are unavailable in MeshConfig and the user overrides the defaults. It's common practice for users to use their own images from secure registries of their choice, so OSM must enforce that. This problem is made worse by the fact that OSM could silently use defaults that the user is unaware of without raising any warnings or approval from the user, which can compromise their security requirements. This change is also required to address openservicemesh#3715 where default image digests will be encoded in the CLI as a part of the release workflow without needing to rebuild the control plane binaries. Signed-off-by: Shashank Ram <[email protected]>
nojnhuh
approved these changes
Sep 17, 2021
Codecov Report
@@ Coverage Diff @@
## main #4131 +/- ##
==========================================
+ Coverage 68.78% 68.83% +0.04%
==========================================
Files 210 210
Lines 11406 11408 +2
==========================================
+ Hits 7846 7853 +7
+ Misses 3508 3503 -5
Partials 52 52
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
snehachhabria
approved these changes
Sep 17, 2021
|
All jobs except for the |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This change enforces that images configured by
the user or install time defaults are always
used at the time of sidecar injection.
Previously, default images were encoded in the
configurator which posed a security risk of
not using configured images in case those
values are unavailable in MeshConfig and the user
overrides the defaults. It's common practice for
users to use their own images from secure registries
of their choice, so OSM must enforce that. This problem
is made worse by the fact that OSM could silently use
defaults that the user is unaware of without raising
any warnings or approval from the user, which can
compromise their security requirements.
This change is also required to address #3715 where
default image digests will be encoded in the CLI
as a part of the release workflow without needing
to rebuild the control plane binaries.
Testing done:
Verified that configured images are always used.
Affected area:
Please answer the following questions with yes/no.
Does this change contain code from or inspired by another project?
noIs this a breaking change?
no