cluster/admitomatic: implement opt-out namespaces
Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/cluster/admitomatic/ingress.go b/cluster/admitomatic/ingress.go
index 22e9dab..b7bdf91 100644
--- a/cluster/admitomatic/ingress.go
+++ b/cluster/admitomatic/ingress.go
@@ -36,6 +36,10 @@
type ingressFilter struct {
// allowed is a map from namespace to list of domain matchers.
allowed map[string][]*domain
+
+ // anythingGoesNamespaces are namespaces that are opted out of security
+ // checks.
+ anythingGoesNamespaces []string
}
// domain is a matcher for either a single given domain, or a domain wildcard.
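Review bot: The comment on `anythingGoesNamespaces` says "security checks" without saying which ones or how names are compared, so a maintainer adding an entry cannot tell how wide the exemption is. Judging by the second hunk, an entry is compared with `==` against `req.Namespace` and a match admits the request before any operation-specific handling. I would spell that out, for example `// anythingGoesNamespaces lists namespaces (exact names, no wildcards) whose` / `// requests are admitted without any of this filter's checks.` How the field is populated is not visible in this diff, so it is worth confirming that it only comes from reviewed configuration.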
@@ -152,6 +156,11 @@
if req.Namespace == "kube-system" {
return result("")
}
+ for _, ns := range i.anythingGoesNamespaces {
+ if ns == req.Namespace {
+ return result("")
+ }
+ }
switch req.Operation {
case "CREATE":
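Review bot: The opt-out added before `switch req.Operation` admits the request silently, because the loop returns `result("")` without recording that the checks were skipped. Every create or update in a listed namespace is therefore indistinguishable, in the webhook's output, from one that passed validation. I would emit one log line on the match, naming `req.Namespace` and `req.Operation` and using whatever logger the file already imports (not visible here), so bypassed admissions can be audited. A short comment above the loop would also help, e.g. `// Opted-out namespaces skip all checks below, like kube-system.` The hard-coded `kube-system` test just above could be folded into the same list to keep a single bypass path. The enclosing function starts and ends outside this hunk.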