Comments (6)
@dgr237 As far as I know, SyncSets (referential validations) are only available with the policies using rego. @ritazh @maxsmythe Please correct me if I am wrong here.
@JaydipGabani Thanks for confirming. This is what I suspected. Is this something which is on the roadmap?
@dgr237 I am not sure if CEL is capable of handling this kind of complex logic to begin with. @maxsmythe @ritazh would be able to better answer about the roadmap for k8snativevalidation.
CEL should syntactically be able to handle referential data. A straw man example might be:
dataCache.List({
"kind": "Pod"
}).all(pod, pod.metadata.name != object.metadata.name)
Where the above is listing all pods and making sure they don't have the same name as the inbound object.
A few caveats:
- This is a rough sketch of what might be possible -- more design would be needed for a serious effort
- We probably would not do this with the K8s native CEL engine. Since that is intended to be able to generate VAP resources to handle admission enforcement, we should avoid supporting features VAP will not support (like referential constraints). Of course, nothing prevents us from using CEL in a different engine that is less coupled to VAP, which would unblock support here.
- This is something that can likely be done, but is a non-trivial amount of work. I'd definitely like signal from users to help indicate priority here, if this is a thing people would want to see.
Last design consideration: this cache should be one that can be shared across all engines (including Rego). This will help to avoid excess RAM usage.
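The same referential check the straw man sketches, written the way Gatekeeper supports it today (Rego reading the SyncSet-populated cache), as an added example that is not from this thread; the resource names, the template package name and the constraint kind are constructed:

```yaml
# SyncSet: replicate Pods into Gatekeeper's cache so data.inventory sees them.
apiVersion: syncset.gatekeeper.sh/v1alpha1
kind: SyncSet
metadata:
  name: sync-pods
spec:
  gvks:
    - group: ""
      version: "v1"
      kind: "Pod"
---
# ConstraintTemplate: deny a Pod whose name already exists in another namespace.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8suniquepodname
spec:
  crd:
    spec:
      names:
        kind: K8sUniquePodName
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8suniquepodname

        violation[{"msg": msg}] {
          name := input.review.object.metadata.name
          ns := input.review.object.metadata.namespace
          # Cached Pods live under data.inventory.namespace[ns][version][kind][name].
          # Skip the inbound object's own namespace so UPDATEs do not collide with themselves.
          data.inventory.namespace[other_ns]["v1"]["Pod"][name]
          other_ns != ns
          msg := sprintf("pod name %v is already used in namespace %v", [name, other_ns])
        }
---
# Constraint: apply the template to Pod admission requests.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniquePodName
metadata:
  name: unique-pod-names
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

The cache is filled asynchronously, so a Pod admitted moments earlier may not yet be visible in data.inventory; referential checks like this are eventually consistent, not atomic.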
@dgr237 thanks for raising this.
I was looking to use the K8sNativeValidation rules rather than rego
I'm curious, can you please share why you did not want to use rego since it already supports referential policies quite well?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.