New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support manifest variable substitution $(...) in validate message field #1506
Comments
Variable expansion is supported in the message field as demonstrated here, but it may not be supported on manifest lookups. Can you supply your full policy, please? |
Sure:
|
Yes, it does appear the |
Thx for checking. This is an early look at kyverno as an alternative to OPA Gatekeeper. I believe our K8s Platform team would find it much easier to maintain policy and compliance. This seems like a reasonable use-case. Would you advise I raise this as a feature request if the currently observed behaviour is confirmed ? |
A couple comments.
|
iro (1): Yes I had considered that. My initial reaction was that since the data that I needed was already present in the policy definition, I would prefer not to have to maintain it in a separate resource and have to manage its life-cycle also. I suppose that would work if I could also use the ConfigMap as the source for the image value in the pattern as well as in the message (I haven't tried that - but I will now that you have mentioned it). I think in the general case it would be useful to be able to use a manifest lookup in a message field, so I think the use-case remains. iro: (2): Ok, thanks |
Yes, agree, this seems like either a gap or a bug. You should have the choice of where to store and retrieve your allowed registries whether that be in the policy definition itself or an external ConfigMap. |
I suppose another potential downside of using a ConfigMap here is that they are namespace scoped and in this case I am using a cluster scoped policy (whilst replicating the ConfigMap to all namespaces (and all clusters) is not that big a deal, I would prefer not to have to). |
That shouldn't be a concern as Kyverno has the ability to reference a ConfigMap anywhere by defining a |
Ah, thats cool. I really like this product :-) |
That said, managing one resource is simpler than managing two. And so for that reason, it should be entirely possible to confine all your configurations in the ClusterPolicy. |
+1 |
I can confirm this is not supported in |
We need to handle inline variables everywhere JMESPath variables are supported. Ideally we can combine the substitution logic. |
…st pattern/overlay
I'm testing my fix right now and I found next test failing. ---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: substitute-variable
spec:
rules:
- name: test-path-not-exist
match:
resources:
kinds:
- Deployment
validate:
anyPattern:
- spec:
template:
spec:
containers:
- name: "{{request.object.metadata.name1}}*"
- spec:
template:
spec:
containers:
- name: "{{request.object.metadata.name}}*" Resource: ---
apiVersion: v1
kind: Deployment
metadata:
name: test
spec:
template:
spec:
containers:
- name: test-pod
image: nginxinc/nginx-unprivileged Validation here fails because I have changed variable/reference substitution logic. Now substitution is done for entire rule at once instead of just pattern/anyPattern/overlay. In this case validation fails even before actually validation process begun, because of substitution failure. Should I leave this logic? Or should it be as earlier? |
…st pattern/overlay
I left new logic when variable substitution has higher priority. It is mostly like code compilation and we throw compilation error, if var is unbound. I will create a PR soon. |
…st pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net>
…st pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net>
Status: issue is fixed, waiting for review and testing |
Bug Fix: #1506 issue; Resolve path reference in entire rule
Kubernetes version:
Kyverno version:
Can someone confirm whether this is possible or not, or if I am not implementing it correctly, please (perhaps variable substitution is not supported in message fields ?)
Example: A policy to validate image registries - should return which registries are allowed in the message.
Validation rule: (note the message with the manifest reference)
Expected Behaviour (on fail of the policy condition):
Actual Behaviour:
Regards
Fraser
The text was updated successfully, but these errors were encountered: