Deny list for containers to limit which containers in the application are not bound #163

Open
baijum opened this issue Jun 12, 2021 · 1 comment

baijum commented Jun 12, 2021

The current spec supports an allow-list for containers to limit which containers in the application are bound.
Sometimes a deny-list for containers would be more appropriate. The deny-list would limit which containers in the application are not bound. The allow-list could be mutually exclusive with the deny-list (only one of them exists). I propose to add a .spec.application.skipContainers field to specify the deny-list for containers.

This can be added post 1.0 release in a backward-compatible way.


scothis commented Jul 14, 2021

What if we use the existing containers array, but allow container names to start with ! to negate the selection?

I'd generally discourage deny lists for security-related tasks, but there are times when it's the pragmatic approach.

@nebhale nebhale added this to the core/post-GA milestone Sep 16, 2021
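
Added example, not part of the thread or of the spec: a Go evaluation of the `!`-negation idea from the comment above, showing how an allow-list and a deny-list diverge when a container is added to the workload after the selector was written. The function `selectContainers`, the container names, and the selector semantics (an empty selector binds everything, mixing plain and negated names is rejected) are assumptions, since neither proposal defines them.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// selectContainers returns the containers that would receive the binding.
// Assumed semantics (hypothetical; the thread does not define them):
//   - empty selector: every container is bound
//   - plain names only: allow-list, only the named containers are bound
//   - "!name" only: deny-list, every container except the named ones is bound
//   - mixing both forms is rejected, mirroring "mutually exclusive"
func selectContainers(selector, containers []string) ([]string, error) {
	allow, deny := map[string]bool{}, map[string]bool{}
	for _, s := range selector {
		if strings.HasPrefix(s, "!") {
			deny[strings.TrimPrefix(s, "!")] = true
		} else {
			allow[s] = true
		}
	}
	if len(allow) > 0 && len(deny) > 0 {
		return nil, errors.New("selector mixes allow and deny entries")
	}
	var bound []string
	for _, c := range containers {
		if deny[c] || (len(allow) > 0 && !allow[c]) {
			continue // excluded explicitly, or not on the allow-list
		}
		bound = append(bound, c)
	}
	return bound, nil
}

func main() {
	// Constructed workload: "log-shipper" stands for a sidecar that is
	// added after the selector was written.
	before := []string{"app", "metrics"}
	after := []string{"app", "metrics", "log-shipper"}
	for _, sel := range [][]string{{"app"}, {"!metrics"}} {
		b, _ := selectContainers(sel, before)
		a, _ := selectContainers(sel, after)
		fmt.Printf("selector %v: before=%v after=%v\n", sel, b, a)
	}
}
```

With the allow-list the new sidecar stays unbound until someone names it; with the deny-list it receives the binding without any change to the selector.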