fix: Add default exclusions for GitOps tool annotations#809
Merged
Conversation
SgtCoDFish
reviewed
May 26, 2026
SgtCoDFish
requested changes
May 26, 2026
Contributor
SgtCoDFish
left a comment
SgtCoDFish
left a comment
There was a problem hiding this comment.
This is what I'd expect the fix to look like 👍
I think we're definitely missing a description for this PR though - doesn't have to be super detailed (and it shouldn't contain any internal information - this repo is public!) but it's worth just adding a note about why this is being done.
kiril-cyberark
changed the title
Contributor
Author
Description and title added |
SgtCoDFish
approved these changes
May 26, 2026
Contributor
SgtCoDFish
left a comment
SgtCoDFish
left a comment
There was a problem hiding this comment.
/lgtm
/approve
Perfect, thank you!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Some GitOps tools (kapp, Rancher Fleet, Banzai Cloud) store a full copy of the original manifest in object annotations, which can cause sensitive data (such as Secret values) to be inadvertently included in data pushed to the platform. This change adds those annotation keys to the default exclusion list so they are stripped from all Kubernetes objects before being sent upstream.