Aporeto allowing connections to protected pods during pod initialization

[mitovskaol]

We have observed an unexpected behaviour with Aporeto on the platform - when a pod gets started, there is a delay before the enforcers recognize it as a processing unit and enforce an NSP on it.

The suggested fix is to use a custom resource definition PodInjectorSelector - to add an init container to all pods that need security setup before starting as described here.

Might need to have a playbook(?) that would populate all Platform pods with the PodInjectorSelector CR.

[mitovskaol]

Update from Aporeto on Feb 23, 2020

marcus.aporeto
2:52 PM
as an fyi on the init container: moving forward, by July there will be no CR anymore for the init container, it will be injected for every pod by default ... OpenShift issues/difficulties will obviously be taken care of by then, so that the injection always works ... that's in general the goal here: it should just work always ... in the longer run (by the end of the year) the init container might even potentially be superfluous

[mitovskaol]

Decision item as of Feb 20, 2020:
We will use the CR fix as a temporary fix for OCP 3.11 and will switch to Host Protection in OCP 4.