Skip to content

Introduce new full-safe profile with a default resource deny list #134

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Introduce new full-safe profile with a default resource deny list #134

wants to merge 1 commit into from

Conversation

@ardaguclu
Copy link
Member

@ardaguclu ardaguclu commented Jun 19, 2025

After the #133 has merged, we'll have an option to deny operations for some resources.

This PR introduces new profile, namely full-safe that brings in with a set of resources that will be denied. Additionally, this profile will not serve a tool for viewing kubeconfig.

There won't be any change in default behaviors.

@ardaguclu
Copy link
Member Author

ardaguclu commented Jun 20, 2025

@manusa what is your opinion about this one?.

@manusa
Copy link
Member

manusa commented Jun 20, 2025

@manusa what is your opinion about this one?.

Sorry for the late reply, it's been an intense morning.
It looks good.
My only doubt is about the name plus if this is aligned with @mrunalp expectations.

Since the changes are very isolated, I think we can hold it until he checks it out, I want to merge the dependabot PRs and maybe cut a release today.

@ardaguclu
Copy link
Member Author

ardaguclu commented Jun 20, 2025

@mrunalp could you please have a look at and drop your thoughts?.

@ardaguclu ardaguclu force-pushed the full-safe-profile branch from 56d1d18 to 922da8d Compare June 20, 2025 12:26
@ardaguclu ardaguclu mentioned this pull request Jun 30, 2025
Closed
@ardaguclu
Copy link
Member Author

ardaguclu commented Jul 1, 2025

This PR needs to be updated based on the latest changes.
/hold

@ardaguclu
Copy link
Member Author

ardaguclu commented Jul 2, 2025

I think, we don't need another profile (i.e. full-safe) any more, after the latest changes in the code base.

Explicitly passing this configuration via --config flag satisfies what new profile tries to achieve;

denied_resources = [
    {group = "apps", version = "v1", kind = "ServiceAccount"},
    {group = "apps", version = "v1", kind = "Secret"},
    {group = "rbac.authorization.k8s.io", version = "v1"}
]

disabled_tools = ["configuration_view"]

So that I'm closing this PR.

@ardaguclu ardaguclu closed this Jul 2, 2025
@ardaguclu ardaguclu deleted the full-safe-profile branch July 2, 2025 05:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ardaguclu @manusa