admission-control

This is a minor maintenance release that updates the Kubernetes API libraries to v0.19.1.

CHANGELOG

• deps: update to k8s API v0.19.1 (#28) @elithrar

Update k8s API dependencies to v0.19.1.

CHANGELOG

• deps: update to k8s API v0.19.1 (#26) @elithrar

A minor, maintenance release that updates k8s APIs to v0.18.8. Tests for Go 1.14 and Go 1.15 have been added, and Go 1.12 has been removed from support.

CHANGELOG

• deps: update to k8s-api-v0.18.8; add Go 1.14, 1.15 (#25)

v0.6.4 is a minor maintenance release that updates the Kubernetes libraries (to v0.18.2) & other upstream dependencies.

⚠️ Note: Go 1.12 is no longer supported, as Kubernetes libraries as of v0.18.2 use the errors API introduced in Go 1.13.

CHANGELOG

• deps: update to k8s API v0.18.2 (#23) @elithrar
• docs: better intro in README (#22) @elithrar

v0.6.3 is a minor maintenance release that updates the Kubernetes libraries & other upstream dependencies.

CHANGELOG

• deps: upgrade to deps. k8s.io/api + /apimachinery v0.17.3 (#21) @elithrar
• Dependency Updates (#19) @elithrar
• Use xerrors + parallelize tests + build against Go v1.13 (#18) @elithrar
• Cloud Run support (docs, example server, Dockerfile) (#16) @elithrar

Notable Changes

This release brings a new EnforcePodAnnotations AdmitFunc for enforcing a set of annotations (and validating their values) on admitted Pods.

The AdmitFunc takes a map[string]func(string) bool of required annotations, which allows you to dynamically validate annotation values (e.g. DNS names, JSON schemas, etc.) during admission - where string is the current value and the returned bool determines whether the value is acceptable or not.

EnforcePodAnnotations can inspect Pods, Deployments, StatefulSets, DaemonSets & Jobs, as these all create Pods.

CHANGELOG

• EnforcePodAnnotations (#13) @elithrar

This is a minor bugfix release that addresses DenyIngresses not respecting the provided list of ignoredNamespaces - i.e. the admission controller would apply to all namespaces.

CHANGELOG

• bugfix: DenyIngress not ignoring whitelisted namespaces (#11) @elithrar
• docs: Fix AdmitFunc godoc (#12) @elithrar

Breaking Changes

• The DenyPublicServices handler has been broken into distinct DenyPublicLoadBalancers and DenyIngresses handlers, to allow better composability and finer-grained admission control.

⚠ Note: Users should expect a few breaking changes on the road to v1.0, and pin at a specific version. Versioning will follow SemVer, in that the v0.X.y series can "break" an API by incrementing "X". API changes won't be made lightly, and will be documented in release notes.

Notable Changes

• The *AdmissionServer.Run method will listen on a non-TLS (e.g. plaintext HTTP) port if a *tls.Config is not provided, to support running in reverse proxy and/or serverless environments where TLS is terminated downstream from the application.
• Example Kubernetes manifests have moved into /samples, as per convention
• The provided webhook server, admissiond, now lives at examples/cmd/admissiond, to better clarify that it is an example only.
• General improvements to the setup section of the README

CHANGELOG

• [breaking] DenyPublicLoadBalancers & DenyIngresses (#10) @elithrar
• DRY the CI config (#6) @elithrar
• Expose a .Run() method & iterate on examples/ & docs. (#5) @elithrar
• Removed extraneous test comments. (#1) @elithrar

Initial release. See the docs on how to get started!