#753 - Validate conflicting match and exclude #758
Conversation
pkg/policy/validate.go
Outdated
| } | ||
|
|
||
| if rule.MatchResources.ResourceDescription.Name != "" { | ||
| if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name { |
There was a problem hiding this comment.
Do we need to check the name of the resource? It's possible to have the same pod name, say "test-pod" in different namespaces.
There was a problem hiding this comment.
If there are 2 pods with same name in different name space:
Currently we can write:
match:
resources:
name: test-pod
kinds:
-Pod
exclude:
resources:
name: test-pod
kinds:
-Pod
namespace:
-namespace1
With this PR user will be forced to write:
match:
resources:
name: test-pod
kinds:
-Pod
exclude:
resources:
namespace:
-namespace1
There was a problem hiding this comment.
If I write the following policy, it will be rejected:
match:
resources:
name: test-pod
kinds:
- Pod
namespaces:
- namespace1
exclude:
resources:
name: test-pod
kinds:
- Pod
namespaces:
- namespace2
There was a problem hiding this comment.
The above exclude block will never apply since its only matching pod from namespace1
Lets assume - this is what you meant:
match:
resources:
name: test-pod
kinds:
- Pod
namespaces:
- namespace1
- namespace2
exclude:
resources:
name: test-pod
kinds:
- Pod
namespaces:
- namespace2
This will be rejected since its logically equivalent to this
match:
resources:
name: test-pod
kinds:
- Pod
namespaces:
- namespace1
There was a problem hiding this comment.
After further analysis the following policy will be rejected even though its valid
match:
resources:
namespaces:
- namespace1
- namespace2
exclude:
resources:
kinds:
- Pod
namespaces:
- namespace2
Maybe we should reconsider this change
shravanshetty1
changed the title
shravanshetty1
changed the title
shravanshetty1
changed the title
yes, this should not be a bottle neck |
fixes #753