-
Notifications
You must be signed in to change notification settings - Fork 437
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Users want a fully declarative policy mechanism #2014
Comments
@kflynn Just to clarify, are you stating that the current policy attachment model is not declarative? If so, it would be helpful if you could describe the gaps you're seeing. |
Personally, the Policy attach should be on the Parent side, not on the Policy side. (regardless of the title) |
Not sure I understand the goals - all CRDs are 'declarative'. The fundamental problem with policies is IMO access control ( to control who is allowed to apply policies) and mutual consent if namespaces boundaries are crossed. I don't think we have any major problem here. I mentioned before: the biggest missing piece (IMO) is a mechanism to identify 'critical' policies vs 'optional' policies. |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
This should've been long since closed. |
Managing policy is challenging. By definition, it's such a large, open-ended problem space that we cannot fully specify all possible policies. This means that must create extension mechanisms, which are in turn affected by the existing constraints on Kubernetes API design.
At the same time though, we need to ensure any mechanism we add for policy is broadly and easily usable by end users, and we should be willing to inconvenience implementers in order to gain clarity and usability for users. A critical aspect here is that we need to make sure that policy mechanisms fit into the fully-declarative model on which Kubernetes is built; policy mechanisms that don't line up with that model will cause a lot of usability headaches for anyone trying to use them.
The text was updated successfully, but these errors were encountered: