HarshMehta112 opened a new pull request, #6695:
URL: https://github.com/apache/camel-k/pull/6695

## Summary

Adds an operator-level allow list to restrict which taint keys CR authors can use in `toleration.taints`, preventing unauthorized node targeting in shared clusters.

**How it works:**

Set `TOLERATION_TAINTS_ALLOWED_KEYS` on the operator deployment to a comma-separated list of permitted taint keys:

```
TOLERATION_TAINTS_ALLOWED_KEYS=node-role.kubernetes.io/master,disktype
```

- When unset or empty → all taint keys accepted (backward compatible, no behavior change)
- When set → each taint entry's key is extracted and checked against the list; unlisted taints are dropped and logged at info level before `NewTolerations` is called

Taint key extraction handles both formats: `key:Effect` (key before `:`) and `key=value:Effect` (key before `=`).

## Changes

- `pkg/platform/env_platform.go` — new `TolerationTaintsAllowList()` reads and parses `TOLERATION_TAINTS_ALLOWED_KEYS` (same comma-split/trim pattern as the nodeSelector and affinity allow lists)
- `pkg/trait/toleration.go` — `filterTaints()` iterates taints and uses `taintKey()` helper to extract the key before checking against the allow list; called at the start of `Apply()` before `NewTolerations`
- `pkg/platform/env_platform_test.go` — 4 tests: not-set, empty, single key, multiple keys with whitespace trimming
- `pkg/trait/toleration_test.go` — 6 tests: no allow list (pass-through), partial filter, all allowed, all dropped, key-with-value format (`key=value:Effect`), end-to-end through `Apply()`
- `docs/modules/ROOT/pages/installation/builds.adoc` — `TOLERATION_TAINTS_ALLOWED_KEYS` added to build env var table
- `docs/modules/traits/pages/toleration.adoc` — NOTE block added with xref to builds config docs

## Test plan

- [x] `make test` passes locally
- [x] `TestTolerationTaintsAllowList_*` (platform) — env var parsing
- [x] `TestFilterTaints_*` (trait) — allow list filtering covering both `key:Effect` and `key=value:Effect` taint formats
- [x] `TestApplyTolerationWithAllowList` — end-to-end through `Apply()`
- [x] Manual: deploy operator with `TOLERATION_TAINTS_ALLOWED_KEYS` set; apply Integration with a disallowed taint key; verify toleration absent from pod spec and info log emitted

Fixes #6678


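An added example, not part of the pull request or Camel K's own code: a Go sketch of the allow-list check described above, showing that the comparison is an exact match on the extracted key for both taint formats. The function names `parseAllowedKeys`, `extractTaintKey` and `filterAllowedTaints`, the sample taints, and the fail-closed handling of a separators-only value are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// parseAllowedKeys parses a TOLERATION_TAINTS_ALLOWED_KEYS-style value.
// A nil result means "no restriction" (value unset or empty).
func parseAllowedKeys(raw string) map[string]bool {
	if strings.TrimSpace(raw) == "" {
		return nil
	}
	allowed := map[string]bool{}
	for _, k := range strings.Split(raw, ",") {
		if k = strings.TrimSpace(k); k != "" {
			allowed[k] = true
		}
	}
	// Sketch assumption: a separators-only value (",") yields an empty,
	// non-nil set, so every taint is dropped rather than failing open.
	return allowed
}

// extractTaintKey returns the key of "key:Effect" or "key=value:Effect".
func extractTaintKey(taint string) string {
	key, _, _ := strings.Cut(taint, ":")
	key, _, _ = strings.Cut(key, "=")
	return key
}

// filterAllowedTaints keeps taints whose key is an exact match in allowed.
func filterAllowedTaints(taints []string, allowed map[string]bool) (kept, dropped []string) {
	if allowed == nil {
		return taints, nil
	}
	for _, t := range taints {
		if allowed[extractTaintKey(strings.TrimSpace(t))] {
			kept = append(kept, t)
		} else {
			dropped = append(dropped, t)
		}
	}
	return kept, dropped
}

func main() {
	// Constructed sample taints, not taken from the pull request.
	taints := []string{"node-role.kubernetes.io/master:NoSchedule",
		"disktype=ssd:NoSchedule", "dedicated=gpu:NoExecute", "disktypex:NoSchedule"}
	kept, dropped := filterAllowedTaints(taints, parseAllowedKeys("node-role.kubernetes.io/master, disktype"))
	fmt.Println("kept:", kept, "dropped:", dropped)
}
```

The `disktypex` entry is dropped because the key must equal an allow-list entry, not merely start with one.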