-
Notifications
You must be signed in to change notification settings - Fork 784
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce flag to control application of policy in background mode #566
Comments
This
|
This should be a validation error, not a warning i.e. the policy rule should not be allowed |
As the type of the attribute is boolean, we cannot differentiate between its default value Regarding the use of userInfo in filters & variables with |
We could set default values in the openAPI schema: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#defaulting |
The feature is available as stable since 1.17 and beta in 1.16 with featureGate Does the default value have to be |
If it's not feasible through openAPI, as we still support k8s prior to 1.16, we can handle this default value internally, using a boolean. Found similar: The main concern to set the default to false is: the violation won't be reported on the existing resources, we are losing a major functionality of what we are doing today. |
Will change it to a pointer to differentiate between empty and default values. We don't lose on major functionality, we already have validation checks to make sure userInfo is not used in the background. Just documenting it well is needed, so now instead of skipping userInfo check we now do a check. This is to be configured by the user when the policy is defined. Having true or false as default is just behavior, the question was the comparison between them and if the default is set to false wat are things to be handled. |
As the default is false, we are not pushing the policy to the queue: |
A kyverno policy is applied in multiple ways:
With variable substitution to be introduced in #533 and userInfo filtering in #345, we can have policies that refer to userInfo attributes in evaluation on the policy. Since the userInfo is only available in incoming api-request and at admission control, we cannot refer it in the policy.
Currently, userInfo filtering is skipped while processing an existing resource.
For consistent behavior, we would introduce a flag
background
in the policy.If
True
then the policy will be evaluated in the background i.e. policy-controller as well, but the policy cannot use variables or userInfo in the policy. This will be validated during policy resource validation.If
False
then the policy will only be evaluated in admission-control.The policy store can be also modified to add a filter based on the
background
flag in policy.The text was updated successfully, but these errors were encountered: