You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
The workshop namespace and session namespace, plus secondary session namespaces explicitly listed in the workshop definition, are protected against secret injection by Carvel secretgen-controller by adding to the namespaces the annotation:
Any namespaces objects created via session.objects and environment.objects do not have this annotation applied.
This means a workshop could create namespaces via the objects list which could serve as an avenue for stealing cluster secrets injected into all namespaces.
Note that this injection is stopped because how secretgen-controller does this is arguably poor security, so Educates blocks it to avoid leaking of sensitive secrets to workshop users.
Describe the solution you'd like
The annotation should be added automatically to any namespaces created via session.objects and environment.objects.
Describe alternatives you've considered
No response
Additional information
No response
The text was updated successfully, but these errors were encountered:
Is your feature request related to a problem? Please describe.
The workshop namespace and session namespace, plus secondary session namespaces explicitly listed in the workshop definition, are protected against secret injection by Carvel
secretgen-controllerby adding to the namespaces the annotation:Any namespaces objects created via
session.objectsandenvironment.objectsdo not have this annotation applied.This means a workshop could create namespaces via the
objectslist which could serve as an avenue for stealing cluster secrets injected into all namespaces.Note that this injection is stopped because how
secretgen-controllerdoes this is arguably poor security, so Educates blocks it to avoid leaking of sensitive secrets to workshop users.Describe the solution you'd like
The annotation should be added automatically to any namespaces created via
session.objectsandenvironment.objects.Describe alternatives you've considered
No response
Additional information
No response
The text was updated successfully, but these errors were encountered: