Merge pull request #9150 from zalando-incubator/admission-control/allow-routesrv-access

AlexanderYastrebov · web-flow · commit 5f04745c56fd · 2025-03-27T14:41:37.000+01:00
admission-control: allow routesrv proxy
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
@@ -575,6 +575,16 @@ webhooks:
             object.kind == "ConfigMap" &&
             object.metadata.name == "skipper-default-filters"
           )
+      - name: 'allow-routesrv-routes-access'
+        expression: |
+          !(
+            "okta:common/engineer" in request.userInfo.groups &&
+            request.name == "skipper-ingress-routesrv" &&
+            request.resource.resource == "services" &&
+            request.subResource == "proxy" &&
+            request.operation == "CONNECT"
+          )
+
   - name: collaborator-deny-admitter.teapot.zalan.do
     clientConfig:
       {{- if eq .Cluster.Provider "zalando-eks"}}
