Comments (9)
maxsmythe
commented on May 13, 2024
1
Nice!
One coder quality-of-life thing I'm noticing is that I think the admission framework will calculate the mutation patches for you if you return a modified object, though I may be misremembering.
Which is better might be a matter of taste, but personally I like the idea of not having to worry about accidentally coding incompatible JSON patches and just modifying the inbound object directly.
It's good for us to keep an eye on what people may want to use mutation for, as that will definitely impact its design.
from gatekeeper-library.
maxsmythe
commented on May 13, 2024
1
Yep, the controller-runtime library:
from gatekeeper-library.
maxsmythe
commented on May 13, 2024
Mutating webhooks are likely a ways away as the ability to write them in Rego is harder than initially thought due to the need for recursion (allowing infinite recursion would make Rego turing complete).
In the short term, it is possible to create a validation webhook that rejects the resource if it is missing the required field. This is not as convenient for users in the short term, but does have the advantage that their configuration files more closely match the actual internal state of the system.
from gatekeeper-library.
marshallford
commented on May 13, 2024
For fun, I wrote a minimal mutating webhook for this use case. The webhook closely mimics the functionality found in the PSP admissions controller. This solution isn't perfect for a number of reasons, but it has been helpful.
from gatekeeper-library.
marshallford
commented on May 13, 2024
A framework as in a golang library?
from gatekeeper-library.
marshallford
commented on May 13, 2024
Thanks!
One last question for you since the #kubernetes-users channel on Slack wasn't too helpful:
Any advice for writing a golang k8s webhooks that support both v1beta1 admissionregistration and v1? Is there a helper function that converts between the two? Does listing both versions via the admissionReviewVersions field have any automagical properties that I'm not aware of?
from gatekeeper-library.
maxsmythe
commented on May 13, 2024
To be honest, I'm not sure off the top of my head.
My understanding is that you can specify which version of the review object you want via the *WebhookConfiguration resources.
The version of the review object is embedded in the object itself, so you could inspect the request and deserialize to the appropriate object, but I haven't dug into the differences between the two resources to see if there are any fields that need to be handled differently depending on version.
from gatekeeper-library.
sathieu
commented on May 13, 2024
It looks like library/experimental/mutation/pod-security-policy/allow-privilege-escalation implements this. However, mutations are still experimental and this mutation is too.
from gatekeeper-library.
stale
commented on May 13, 2024
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper-library.
Related Issues (20)
- poddisruptionbudget constraint template query HOT 1
- gatekeeper and PSS HOT 4
- Extend PodDisruptionPolicy to Include MinAvailable and MaxAvailable Percentages HOT 1
- Migrate require-sync CI to future gatekeeper 3.13 requires-sync-data unmarshal function
- Apply constraints for immutable fields only to CREATE operations HOT 10
- enforcementAction: deny is not respected when creating/changing to an incorrect PDB HOT 1
- Update Privileged Container Policy HOT 3
- Host networking constraint template does not respect exempt images HOT 2
- Refresh the content in Artifact-hub whenever any of the files within the policy are modified HOT 2
- docs: explicitly call out samples are provided as an example
- add cel-based policies HOT 4
- Match everything in a constraint HOT 2
- Docs exclude kind: AdmissionReview
- Problem with creating a mutation for deployments HOT 4
- replicalimits unit tests do not include checks for Scale resources HOT 4
- Consider validating pod generic ephemerals in K8sStorageClass HOT 2
- Consolidating Kubernetes PSP-related ConstraintTemplates into a Single Template for Streamlined Migration HOT 1
- bump mutate assign api version from alpha to v1
- Website generator appears to only retain the final mutation sample per directory HOT 2
- Any interest in policies/constraints that apply to custom resources? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-library.