policy exceptions #33
Conversation
Eileen-Yu
changed the title
|
Hi @Eileen-Yu , please complete the DCO sign-off for this and all future commits as required by CNCF. |
JimBugwadia
changed the title
Eileen-Yu
force-pushed
the
main
branch
5 times, most recently
from
75e221c
to
397372a
Compare
|
Since the KDP has been updated, mark all outdated comments as resolved. |
Eileen-Yu
force-pushed
the
main
branch
4 times, most recently
from
91996e2
to
7b772a3
Compare
|
@JimBugwadia @Eileen-Yu it looks to me that this KDP introduces two different concepts:
The first concept does not need to know about the second, to make it work we just a new CRD ( The second concept is more an organisational concept, like different populations with different responsibilities (devs can create policy exception requests, ops can review the requests and approve/reject them). In my opinion, the first concept needs to be in core kyverno while the second concept should come on top of it, it could even be totally separated from the kyverno repository (different controller, different CRDs, different chart, etc...). If an organisation wants to manage the creation of policy exception workflows entirely differently he should be able to do it. As we are talking about GitOps here, a very simple approach to manage the request/approval would be to use a separate git repo to policy exceptions and only ops can validate pull requests (this has the benefits of keeping history in git and so on). WDYT ? |
|
@eddycharly we had started with a scheme like that but it seemed to lead to synchronous workflows. It would be nice to simply have a PolicyException object and defer the approval lifecycle to external tools. However this requires that the PolicyException resource be secured and handled with care. Which implies that developers cannot create asynchronously, as part of their workloads. One idea was to require signed exceptions as a protection mechanism - but that creates coupling to the YAML signing capabilities. Perhaps we can capture this as an alternate design and discuss further. |
Kyverno should only read I mean, not every organisation is going to need to this request/approval mechanism, this makes sense to me that it is not coupled with core kyverno. Most of the time developers have limited permissions on a cluster, and if Argocd is used for example that's very easy to enforce permissions at argocd level too. I find With this design it requires an Admin to create the approval when a request is made which is not what all users will want/need. It makes sense for some not for all, we should design that can adapt to different use cases while not restricting others ones IMHO. |
|
@eddycharly - in this alternate approach, are you proposing 2 CRs for Kyverno (a request and a response) or one (an externally approved exception)? |
|
@JimBugwadia from the kyverno POV only one The request/approval mechanism is separate and eventually, when a request is approved this will create the corresponding |
|
@eddycharly - this would certainly simplify the design. However, this may not fully meet the initial request kyverno/kyverno#2627 - or at least seems to convert part of the requirements to something the user needs to solve outside of Kyverno. Perhaps a way to address would be to:
|
Eileen-Yu
force-pushed
the
main
branch
2 times, most recently
from
165374e
to
9d93c82
Compare
|
Following up from a Slack thread, just a brief comment about use cases for this feature. This is intentionally short, happy to expand or join a call to elaborate if needed. I think this concept is great, and the right direction to be able to accommodate complex automation alongside Kyverno. There are some use cases, however, which I anticipate will be desired but not met by this design, or at least I haven't worked out exactly what the intended workflow would be. Things like:
Suggestions:
I might have missed something as I'm very much still trying to wrap my head around exceptions in a post-PSP, out-of-tree world. Happy to chat and expand more if needed. Thanks for such a great project! |
|
Hi @stone-z - thanks for the review and feedback! Some thoughts and questions below:
Are you using the new When excluding images from PSS controls, it seems like its best to be fine grained and exclude an image for a specific control. The What would be the benefit of managing the image & control pairs externally vs directly in the policy?
This should be possible. @Eileen-Yu - can you please share the sample for excluding a Deployment and the pods it controls? |
Signed-off-by: Eileen <eileenylj@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Eileen <eileenylj@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Signed-off-by: Eileen <eileenylj@gmail.com>
Signed-off-by: Eileen <eileenylj@gmail.com>
Eileen-Yu
force-pushed
the
main
branch
2 times, most recently
from
1247c42
to
b270b07
Compare
Signed-off-by: Eileen <eileenylj@gmail.com>
|
Hi @stone-z Thx for your feedback! For the second use case you mentioned,
Considering on the case of autogen, we would introduce some best practices for the users to specify exceptions. ---
apiVersion: kyverno.io/v2alpha1
kind: PolicyException
metadata:
name: bypass-test-deployment
namespace: kyverno
spec:
exceptions:
- policyName: require-labels
ruleNames:
- check-for-labels
- autogen-check-for-labels
match:
any:
- resources:
kinds:
- Deployment
names:
- nginx
namespaces:
- default
- resources:
kinds:
- Pod
namespaces:
- default
selector:
matchLabels:
app: nginx |
Signed-off-by: Eileen eileenylj@gmail.com
This KDP aims to address:
PolicyExceptionRequestandPolicyExceptionApprovalskyverno#2627Preview: