You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR adds flags --agent-namespaces-mode=[active|passive] and --agent-objects-mode=[active|passive] to zarf init command. By default, both are set to active. When using either of them to passive, MutatingWebhookConfiguration will be deployed with rules that enforce namespaces/objects to be labeled with zarf.dev/agent: mutate, or else the images won't be mutated. An exception that was added is zarf namespace, there effectively modes are always active (which enables us deploy there Gitea for instance)
examples:
agent-namespaces-mode=active; agent-objects-mode=active: Current zarf behaviour
agent-namespaces-mode=passive; agent-objects-mode=active: If namespace is labeled with zarf.dev/agent: mutate then like current zarf behaviour on this whole namespace. Otherwise no images are mutated at all. If the pod is labeled with zarf.dev/agent: ignore, then it won't be mutated neither.
agent-namespaces-mode=active; agent-objects-mode=passive: If a pod is labeled with zarf.dev/agent: mutate then image is mutated pod. Otherwise no mutation is applied.
agent-namespaces-mode=passive; agent-objects-mode=passive: Only if both namespace and pod in the namespace are labeled zarf.dev/agent: mutate then image mutation occurs.
Hello @yuvalsimon, really appreciate you making this PR. This is definitely a workflow that I feel Zarf should support. I am curious about your use cases. Could you tell me situations where you tend to use agent-objects-mode=active. Do you tend to only want mutations on certain kinds of resources, for instance, you want to mutate pods, but not Flux Git Repositories? Or is it the case where you want one package mutated in a namespace, but not the other?
From the issue I see that you have kyverno adding this label. I think for the best user experience, we would want these labels to be automatically added to namespaces Helm post-renderer in AdoptZarfManagedLabels. This way any Zarf deployments automatically opt into mutation. Something similar could be done for pods and argo / flux resources. Do you have use cases, where you would not want this behavior?
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
yuvalsimon
force-pushed
the
feature/mutate
branch
from
Description
This PR adds flags
--agent-namespaces-mode=[active|passive]and--agent-objects-mode=[active|passive]tozarf initcommand. By default, both are set to active. When using either of them to passive, MutatingWebhookConfiguration will be deployed with rules that enforce namespaces/objects to be labeled withzarf.dev/agent: mutate, or else the images won't be mutated. An exception that was added is zarf namespace, there effectively modes are always active (which enables us deploy there Gitea for instance)examples:
zarf.dev/agent: mutatethen like current zarf behaviour on this whole namespace. Otherwise no images are mutated at all. If the pod is labeled withzarf.dev/agent: ignore, then it won't be mutated neither.zarf.dev/agent: mutatethen image is mutated pod. Otherwise no mutation is applied.zarf.dev/agent: mutatethen image mutation occurs.Related Issue
Relates to #4419
Checklist before merging