-
Notifications
You must be signed in to change notification settings - Fork 784
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pod policies should automatically be applied to pod controllers #518
Comments
A few issues to be addressed:
|
@realshuting - my thoughts:
|
|
@shivdudhani @JimBugwadia
For scenario 1, as the pod controller will be blocked immediately during deploy, we don't need to report the violation on resource owner anymore #387, related code can be removed, for the creation as well as the cleanup. Also, related fields in violation CRD should be marked as deprecated and removed eventually. The user could enable/disable this feature by setting the annotations in the validate rule. By default, this feature is enabled and the additional rule will be generated on all pod controllers.
Take the following example, a rule on deployment and job will be generated for the rule apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-default-namespace
annotations:
policies.kyverno.io/podcontroller.list: deployment,job,statefuleset
spec:
rules:
- name: validate-namespace
match:
resources:
kinds:
- Pod
validate:
message: "Using 'default' namespace is not allowed"
pattern:
metadata:
annotations:
policies.kyverno.io/podcontroller.generate: true
policies.kyverno.io/podcontroller.list: deployment,job
namespace: "!default"
- name: require-namespace
match:
resources:
kinds:
- Pod
validate:
message: "A namespace is required"
pattern:
metadata:
namespace: "?*" |
@realshuting - sounds good overall. Can we combine the annotation into 1? The user can disable using: policies.kyverno.io/podcontroller.generate: "none" or: policies.kyverno.io/podcontroller.generate: "" The user can specify which controllers to generate using: policies.kyverno.io/podcontroller.generate: "jobs,statefulset" The default will be: policies.kyverno.io/podcontroller.generate: "all" |
Some queries: Also if we are running on a setup where the mutating webhook is disabled, then using the mutating webhook will be a limitation? Do we plan to support pod controllers in that scenario? So let's say, I create a policy with rule r1 on Pod. This will create 2 more rules r2 and r3on RS and Deployment respectively. If the annotation is updated (removed/added), we’ll have to update the policy accordingly |
Also, should we suppress the violations on the pods if the pod controller has a violation for the same rule? |
@shivdudhani - we can start with the assumption that generated rules should not be updated by the user. Perhaps we add a new type or rule? Or some meta-data / field in the rule to indicate its a generated rule. |
We can generate in mutating webhook as this will creates the entire policy to database, if we handle internally, we could lose tracking of generated policies, violations might need to be handled specifically in this case.
If mutating webhook is disabled, then Kyverno probably not functional for the webhook part, as all the resources request is forwarded to mutating webhook. So I guess in this case we do not support pod controller. For the updates of a policy / rule, say there's a policy with rule r1 on Pod, we will only generate one additional rule2 on given pod controllers(kinds take a list of kind), so at maximum, we will update one generated rule per rule(on pod). |
I think it'd be good to suppress one of the violations, otherwise we will end up with 2x violations. |
FYI
|
One approach to generate policy on pod controller after the discussion with @JimBugwadia, could be using the data in the policy rules to build a new rule on pod controllers. Once #529 is available, we can refer to the kind: ClusterPolicy
metadata:
name: disallow-latest-tag
annotations:
policies.kyverno.io/podcontroller.generate: "jobs,statefulset"
spec:
rules:
# this is a rule for pod
- name: custompodrule
match:
resources:
kinds:
- Pod
namepaces: # some namespaces
selector: # selector
validate:
message: "custom message"
pattern:
spec:
containers:
- image: "!*:latest" Kyverno would generate a new rule, adds to the same policy, based on the template: rules:
# this is an auto-generated rule on the given pod controllers
# we can indicate the rule type (auto-gen) by adding a prefix to rule name
- name: autogen-custompodrule
match:
resources:
# kinds are defined in the annotation - policies.kyverno.io/podcontroller.generate
kinds:
- jobs
- statefulset
# refer by path, what this path looks like denpends on how we can query the resource data
namepaces: /spec/rules/0/match/resources/namespaces
selector: /spec/rules/0/match/resources/selector
validate:
# or we can indicate the rule type (auto-gen) by adding the msg
message: /spec/rules/0/mesage + <auto generated rule msg>
pattern:
# "spec" and "template" are keys Kyverno adds
spec:
template:
# insert entire pattern block from pod rule
# directly put path here without any tag / key?
/spec/rules/0/validate/pattern For this template, we could either generate it at runtime (in the policy mutation webhook), or we could have a built-in policy to auto-generate this template policy, need to understand more for the latter approach. FYI @shivdudhani |
With variable substitution, we can refer to attribute in the policy. Suggestion 1: Suggestion 2:
As mentioned before we don't want to support the update to rules after creation in initial phase, so will be user be blocked from updating the rules in the policy. As the CR can be edited, and we should not user update auto-generated rules. Suggestion 3: |
@shivdudhani - the proposal is to generate the additional rules when the policy is created. Hence, in the case the policy is the resource. |
@shivdudhani Suggestion 2: The Suggestion 3: Only ONE additional rule will be generated as
In the resource block of the violation stores the info of pod controller, while it could be confused to user when they check the policy there is no such rule on pod controller. |
The decision whether to generate rule on pod controllers (in mutation webhook):
Process the rules (in policy engine):
Several points to note:
|
@realshuting - suggestions on the annotations: pod-policies.kyverno.io/autogen-controllers
pod-policies.kyverno.io/autogen-applied |
Is your feature request related to a problem? Please describe.
Pod policies should automatically be applied to pod controllers.
Several policies are written to apply on pods. When the policy is set to "audit" Kyverno automatically creates the violation on the pod controller.
However, when the policy is set to "enforce" pod controllers are not blocked during creation or edits.
Describe the solution you'd like
Pod controllers (deployments, etc.) should be blocked when policy is set to enforce.
The text was updated successfully, but these errors were encountered: