You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm using a managed version of service mesh in GKE, Anthos Service Mesh. The managed service mesh injects envoy sidecars and references the containers by tag, not with a sha. The result of mutating the sha on the sidecar is that ASM cannot determine what version is installed and chaos ensues.
Is there a way to disable mutation for a container, or set of containers. for example gcr.io/releases/asm*
I only want to skip this mutation for theses sidecars. Not for the main container, which is signed and delivered with a sha
I can't find any examples of how to set this in the cluster policy or mutating webhook config.
The text was updated successfully, but these errors were encountered:
@BitRacer I wouldn't recommend to disable the mutation for a container. In addition to that, I won't recommend it as a security best practice consists on relying on digests instead of tags.
I'm using a managed version of service mesh in GKE, Anthos Service Mesh. The managed service mesh injects envoy sidecars and references the containers by tag, not with a sha. The result of mutating the sha on the sidecar is that ASM cannot determine what version is installed and chaos ensues.
Is there a way to disable mutation for a container, or set of containers. for example gcr.io/releases/asm*
I only want to skip this mutation for theses sidecars. Not for the main container, which is signed and delivered with a sha
I can't find any examples of how to set this in the cluster policy or mutating webhook config.
The text was updated successfully, but these errors were encountered: