Add a proposal for generating VAPs given an exception #55
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mariam Fahmy <[email protected]>
MariamFahmy98
requested review from
JimBugwadia,
MarcelMue,
fjogeleit,
realshuting,
chipzoller,
eddycharly,
vishal-chdhry and
anushkamittal2001
2 tasks
JimBugwadia
reviewed
Feb 3, 2024
| - expression: "'app' in object.metadata.labels" | ||
| ``` | ||
|
|
||
| However, using a `namespaceSelector` will be applied for both matching and excluding deployemnts. The above VAP matches all deployments whose namespace labels set to `environment: staging`, and it also excludes all deployments named `important-tool` whose namespace labels set to `environment: staging`. It means that matching/excluding resources is done in the same namespace. There is no option to match deployments in all namespaces and exclude some in a specific namespace. |
There was a problem hiding this comment.
@MariamFahmy98 - isn't this the same as what this Kyverno declaration would do?
...
rules:
- name: check-deployment-labels
match:
all:
- resources:
namespaceSelector:
matchLabels:
environments: staging
exclude:
all:
- resources:
name: important-toolThere was a problem hiding this comment.
The corresponding VAP could be something like this:
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
name: "check-deployment-labels"
spec:
failurePolicy: Fail
matchConstraints:
excludeResourceRules:
- apiGroups: ['*']
apiVersions: ['*']
resources: ['*']
resourceNames: ["important-tool"]
namespaceSelector:
matchLabels:
environment: staging
validations:
- expression: "'app' in object.metadata.labels"
But I need to double-check if this is correct.
|
|
||
| - An exception that matches resources based on annotations, subjects, roles, or clusterRoles cannot be converted to VAPs. | ||
|
|
||
| In conclusion, exceptions provide the flexibility to exclude resources that VAPs lack, making it impossible to generate a VAP from an exception. As a result, if an exception is created for a Kyverno policy that uses `validate.cel` subrule, the Kyverno engine will handle the resource validation itself instead of generating the corresponding VAPs. |
There was a problem hiding this comment.
Can we allow use of some subset of exceptions?
There was a problem hiding this comment.
For the following cases, I think a VAP can be generated:
- Matching all resources and excluding a specific one.
- Matching and excluding in the same namespace.
However, there are a lot of limitations and I don't know if it is worth considering this feature.
There was a problem hiding this comment.
Can we clarify the limitations and propose changes to ValidatingAdmissionPolicy resources?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR includes the latest investigation report on the generation of VAP in case of a policy exception.