kubevela/pkg/controller
Brian Kane 566b72b882 feat: add filterUserMetadata for secure policy context
Add filterUserMetadata() function to filter out internal/system
labels and annotations from policy context, preventing policies
from accessing sensitive KubeVela/Kubernetes internal metadata.

Implementation:
- Uses map-based prefix lookup for O(1) performance
- Filters prefixes: app.oam.dev/, oam.dev/, kubectl.kubernetes.io/,
  kubernetes.io/, k8s.io/, helm.sh/, app.kubernetes.io/
- Optimized for hot path (runs on every reconciliation with policies)
- Returns nil for empty results to avoid unnecessary allocations

Tests:
- Filter internal vs user metadata
- Handle empty inputs
- Handle keys without prefixes
- Verify all internal prefixes are excluded

Part of Policy Refactor Plan v3 - Part 1.1: Foundation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-13 20:30:18 +00:00
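
Added example, not KubeVela's code: one way a filter like the one the commit message describes could work in Go, using the seven prefixes it lists. The names `isInternal` and `filterMetadata`, the `parents` flag and the sample labels are assumptions; the flag shows how an exact lookup treats subdomain keys such as `node.kubernetes.io/...` differently from a parent-domain match.

```go
package main

import (
	"fmt"
	"strings"
)

// Prefixes listed in the commit message, kept as map keys for O(1) lookup.
var internalPrefixes = map[string]struct{}{
	"app.oam.dev/": {}, "oam.dev/": {}, "kubectl.kubernetes.io/": {},
	"kubernetes.io/": {}, "k8s.io/": {}, "helm.sh/": {}, "app.kubernetes.io/": {},
}

// isInternal matches the key's "domain/" part; parents (hypothetical) walks up parent domains.
func isInternal(key string, parents bool) bool {
	i := strings.IndexByte(key, '/')
	if i < 0 {
		return false // no prefix: treated as user metadata
	}
	for domain := key[:i]; ; {
		if _, ok := internalPrefixes[domain+"/"]; ok {
			return true
		}
		dot := strings.IndexByte(domain, '.')
		if !parents || dot < 0 {
			return false
		}
		domain = domain[dot+1:] // drop the leftmost DNS label and retry
	}
}

// filterMetadata keeps non-internal entries; nil when none remain (map allocated lazily).
func filterMetadata(in map[string]string, parents bool) map[string]string {
	var out map[string]string
	for k, v := range in {
		if isInternal(k, parents) {
			continue
		}
		if out == nil {
			out = make(map[string]string)
		}
		out[k] = v
	}
	return out
}

func main() {
	s := map[string]string{"team": "pay", "node.kubernetes.io/instance-type": "m5"} // constructed
	fmt.Println(filterMetadata(s, false), filterMetadata(s, true))
}
```

With `parents` set to false the `node.kubernetes.io/instance-type` label stays in the result; with it set to true the label is filtered out.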