Add a proposal for introducing the ValidatingPolicy #66
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MariamFahmy98
force-pushed
the
new-policy-types
branch
5 times, most recently
from
84a9486 to
a1e660f
Compare
MariamFahmy98
force-pushed
the
new-policy-types
branch
from
a1e660f to
2f96614
Compare
Signed-off-by: Mariam Fahmy <[email protected]>
MariamFahmy98
force-pushed
the
new-policy-types
branch
from
2f96614 to
f05708c
Compare
Signed-off-by: Khaled Emara <[email protected]>
24 tasks
realshuting
reviewed
Jan 6, 2025
There was a problem hiding this comment.
This is great @MariamFahmy98 @KhaledEmaraDev ! Left a few comments below.
|
|
||
| While ValidatingAdmissionPolicies and MutatingAdmissionPolicies offer robust features, they fall short in addressing several critical use cases for Policy-as-Code. Below are the limitations and opportunities for improvement: | ||
|
|
||
| 1. Data Lookups: The built-in policies cannot perform data lookups from the API server or external API endpoints. |
There was a problem hiding this comment.
...from the API server...
Is this still true?
|
|
||
| #### Any/All Resource Filters | ||
|
|
||
| Kyverno provides flexible resource matching through the use of `any` and `all` filters. The `any` filter allows you to define multiple resource specifications, where a match occurs if any of the specified conditions are met **(OR logic)**. This means a resource will be matched if it satisfies at least one of the defined criteria. The `all` filter requires all specified conditions to be true for a match **(AND logic)**. This ensures a resource matches only if it satisfies every single criterion. |
There was a problem hiding this comment.
How is this represented in the ValidatingPolicy CRD, is there an example?
proposals/new_policy_types.md
Outdated
|
|
||
| Kubernetes VAPs offer a `spec.matchConditions` field for fine-grained request filtering, similar to Kyverno's `preconditions`. This presents two options: utilize the VAP's matchConditions within the webhook configuration, or handle these conditions internally in the Kyverno engine. | ||
|
|
||
| Furthermore, VAPs offer a matchPolicy field (set to `Exact` or `Equivalent`) that governs how incoming requests are matched against rules. `Exact` requires precise matching, while `Equivalent` allows for matching across different API groups or versions. |
There was a problem hiding this comment.
Suggested change
| Furthermore, VAPs offer a matchPolicy field (set to `Exact` or `Equivalent`) that governs how incoming requests are matched against rules. `Exact` requires precise matching, while `Equivalent` allows for matching across different API groups or versions. | |
| Furthermore, VAPs offer a `matchPolicy` field (set to `Exact` or `Equivalent`) that governs how incoming requests are matched against rules. `Exact` requires precise matching, while `Equivalent` allows for matching across different API groups or versions. |
proposals/new_policy_types.md
Outdated
|
|
||
| 1. `ruleNames`: This field is unnecessary, as ValidatingPolicies don't employ the concept of rules. This field should be removed from the PolicyException spec. | ||
|
|
||
| 2. `match`: This field filters resources based on Kind. However, ValidatingPolicies utilize `matchConstraints` based on API groups, versions, operations, and resources. Therefore, the PolicyException's match field must be replaced with a matchConstraints field to align with this mechanism. |
There was a problem hiding this comment.
Suggested change
| 2. `match`: This field filters resources based on Kind. However, ValidatingPolicies utilize `matchConstraints` based on API groups, versions, operations, and resources. Therefore, the PolicyException's match field must be replaced with a matchConstraints field to align with this mechanism. | |
| 2. `match`: This field filters resources based on Kind. However, ValidatingPolicies utilize `matchConstraints` based on API groups, versions, operations, and resources. Therefore, the PolicyException's match field must be replaced with a `matchConstraints` field to align with this mechanism. |
proposals/new_policy_types.md
Outdated
| object.metadata.labels.app == 'busybox' | ||
| ``` | ||
|
|
||
| How can we generate Kubernetes ValidatingAdmissionPolicies based on Kyverno's ValidatingPolicy and PolicyException CRDs? |
There was a problem hiding this comment.
Can we leverage webhook match conditions for exclusions?
Signed-off-by: ShutingZhao <[email protected]>
realshuting
reviewed
Jan 7, 2025
proposals/new_policy_types.md
Outdated
Comment on lines
471
to
475
| Kubernetes VAPs offer a `spec.matchConditions` field for fine-grained request filtering, similar to Kyverno's `preconditions`. This presents two options: utilize the VAP's matchConditions within the webhook configuration, or handle these conditions internally in the Kyverno engine. | ||
|
|
||
| Furthermore, VAPs offer a matchPolicy field (set to `Exact` or `Equivalent`) that governs how incoming requests are matched against rules. `Exact` requires precise matching, while `Equivalent` allows for matching across different API groups or versions. | ||
|
|
||
| To maintain consistency and offer similar flexibility, the `ValidatingPolicy` CRD should introduce a `matchPolicy` field too. This presents two options: utilize this field within the webhook configuration, or handle it internally in the Kyverno engine. |
There was a problem hiding this comment.
In this proposal, a webhookConfiguration is added to the validatingpolicy.spec. Both matchConditions and matchPolicy are available for webhook configuraiton.
feat: add webhook registration details for new CRD
MariamFahmy98
force-pushed
the
new-policy-types
branch
from
a1c7754 to
077ee71
Compare
Signed-off-by: Mariam Fahmy <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a proposal to introduce ValidatingPolicy