github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #46264 from Q-Lee/annotate

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)

Add annotation for image policy webhook fail open.

**What this PR does / why we need it**: there's no good way to audit log if binary verification fails open. Adding an annotation can solve that, and provide a useful tool to audit [non-malicious] containers.

**Release note**: add the annotation "alpha.image-policy.k8s.io/failed-open=true" to pods created when the image policy webhook fails open.

```release-note
Add the `alpha.image-policy.k8s.io/failed-open=true` annotation when the image policy webhook encounters an error and fails open.
```
This commit is contained in:
Kubernetes Submit Queue
2017-06-03 21:16:43 -07:00
committed by GitHub
parent 54994b1ecc a38c2b4ce1
commit 09702160b0
5 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/api/v1/annotation_key_constants.go
View File

@@ -19,6 +19,10 @@ limitations under the License.
package v1
const (
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
// webhook backend fails.
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"