HarshMehta112 opened a new pull request, #6679:
URL: https://github.com/apache/camel-k/pull/6679
Fixes #6676
## Summary
Adds an operator-level allow list to restrict which node-selector label keys CR authors can set via the `builder.nodeSelector` trait, preventing unauthorized node targeting in shared clusters.
**How it works:**
Set `BUILDER_NODE_SELECTOR_ALLOWED_LABELS` on the operator deployment to a comma-separated list of permitted label keys:

```
BUILDER_NODE_SELECTOR_ALLOWED_LABELS=kubernetes.io/hostname,topology.kubernetes.io/zone
```

- When unset or empty → all keys accepted (backward compatible, no behavior change)
- When set → only listed keys pass through; unlisted keys are dropped and logged at info level
## Changes
- `pkg/platform/env_platform.go` — new `BuilderNodeSelectorAllowList()` reads and parses the env var
- `pkg/trait/builder.go` — `filterNodeSelector()` applies the allow list in `Apply()` instead of assigning `t.NodeSelector` directly
- `pkg/platform/env_platform_test.go` / `pkg/trait/builder_test.go` — unit tests including nil, empty, partial, full-match, and all-keys-dropped cases
- `docs/modules/ROOT/pages/installation/builds.adoc` — `BUILDER_NODE_SELECTOR_ALLOWED_LABELS` added to build env var table
- `docs/modules/traits/pages/builder.adoc` — NOTE block added to Node Selectors section with xref to builds config docs
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
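
A Go sketch of the allow-list behaviour the pull request describes, added here as an illustration and not the code from the PR or from Camel K. `parseAllowList` and `filterSelector` are hypothetical names, trimming whitespace around entries is an assumption, and the sample selector is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseAllowList (hypothetical helper) parses the raw env var value; nil means "no restriction".
func parseAllowList(raw string) map[string]struct{} {
	allowed := map[string]struct{}{}
	for _, key := range strings.Split(raw, ",") {
		if key = strings.TrimSpace(key); key != "" { // trimming is an assumption of this sketch
			allowed[key] = struct{}{}
		}
	}
	if len(allowed) == 0 {
		return nil // unset, empty, or only separators: every key is accepted
	}
	return allowed
}

// filterSelector (hypothetical helper) returns the permitted entries and the sorted dropped keys.
func filterSelector(requested map[string]string, allowed map[string]struct{}) (map[string]string, []string) {
	if allowed == nil {
		return requested, nil // backward-compatible path: nothing is filtered
	}
	kept := map[string]string{}
	var dropped []string
	for k, v := range requested {
		if _, ok := allowed[k]; ok {
			kept[k] = v
		} else {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped) // stable order so log lines are comparable across runs
	return kept, dropped
}

func main() {
	// Constructed sample: one permitted key, one key outside the allow list.
	allowed := parseAllowList("kubernetes.io/hostname, topology.kubernetes.io/zone")
	kept, dropped := filterSelector(map[string]string{
		"topology.kubernetes.io/zone":           "eu-west-1a",
		"node-role.kubernetes.io/control-plane": "",
	}, allowed)
	fmt.Println("kept:", kept, "dropped (log at info):", dropped)
}
```

Because an empty list means no restriction, a deployment that blanks the variable removes the filter without any error, so the operator's effective environment is worth checking after rollout.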