#753 - Validate conflicting match and exclude #758
pkg/policy/validate.go (outdated review context):

    }

    if rule.MatchResources.ResourceDescription.Name != "" {
        if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name {
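Review bot: the inner `if` reports a conflict as soon as the match and exclude `Name` fields are equal, but it never looks at the other selectors on the exclude block (kinds, namespaces), so an exclude that shares the name yet is narrowed to one namespace still leaves resources for the rule to apply to and would be rejected wrongly; only report a conflict when every selector on the exclude block is either empty or a superset of the corresponding match selector, so that the exclude provably covers everything the match selects.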
Do we need to check the name of the resource? It's possible to have the same pod name, say "test-pod" in different namespaces.
If there are 2 pods with the same name in different namespaces:
Currently we can write:

    match:
      resources:
        name: test-pod
        kinds:
        - Pod
    exclude:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespace:
        - namespace1

With this PR the user will be forced to write:

    match:
      resources:
        name: test-pod
        kinds:
        - Pod
    exclude:
      resources:
        namespace:
        - namespace1
If I write the following policy, it will be rejected:

    match:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespaces:
        - namespace1
    exclude:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespaces:
        - namespace2
The above exclude block will never apply since it's only matching pods from namespace1.
Let's assume this is what you meant:

    match:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespaces:
        - namespace1
        - namespace2
    exclude:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespaces:
        - namespace2

This will be rejected since it's logically equivalent to this:

    match:
      resources:
        name: test-pod
        kinds:
        - Pod
        namespaces:
        - namespace1
After further analysis, the following policy will be rejected even though it's valid:

    match:
      resources:
        namespaces:
        - namespace1
        - namespace2
    exclude:
      resources:
        kinds:
        - Pod
        namespaces:
        - namespace2

Maybe we should reconsider this change.
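As an added example (not code from this PR or from kyverno itself), a reduced conflict check in Go that reports a conflict only when the exclude block's selectors cover everything the match block selects, so the namespace-scoped and multi-namespace policies quoted in this thread are accepted while a same-name, same-kind exclude with no namespace restriction is still rejected. ResourceDescription here is a cut-down model with only name, kinds and namespaces, and treating a completely empty exclude block as excluding nothing is an assumption.

```go
package main

import "fmt"

// ResourceDescription is a reduced model of the fields the thread discusses
// (assumption: the real kyverno type has more selectors, e.g. label selectors).
type ResourceDescription struct {
	Name       string
	Kinds      []string
	Namespaces []string
}

// subset reports whether every element of a also appears in b.
func subset(a, b []string) bool {
	set := make(map[string]struct{}, len(b))
	for _, s := range b {
		set[s] = struct{}{}
	}
	for _, s := range a {
		if _, ok := set[s]; !ok {
			return false
		}
	}
	return true
}

// fieldCovers: an empty exclude list constrains nothing; otherwise the match
// list must be non-empty and fully contained in the exclude list.
func fieldCovers(match, exclude []string) bool {
	return len(exclude) == 0 || (len(match) > 0 && subset(match, exclude))
}

// ExcludeCoversMatch returns true only when every resource selected by match is
// also selected by exclude, so the rule can never apply. An exclude that merely
// overlaps the match (e.g. same name but narrowed to one namespace) is not a conflict.
func ExcludeCoversMatch(match, exclude ResourceDescription) bool {
	// A completely empty exclude block excludes nothing (assumption).
	if exclude.Name == "" && len(exclude.Kinds) == 0 && len(exclude.Namespaces) == 0 {
		return false
	}
	nameCovered := exclude.Name == "" || exclude.Name == match.Name
	return nameCovered &&
		fieldCovers(match.Kinds, exclude.Kinds) &&
		fieldCovers(match.Namespaces, exclude.Namespaces)
}

func main() {
	match := ResourceDescription{Name: "test-pod", Kinds: []string{"Pod"}}
	fmt.Println(ExcludeCoversMatch(match, ResourceDescription{Name: "test-pod", Kinds: []string{"Pod"}})) // true
}
```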
Have you tested with all best practices? How does the performance look if someone imports all policies?
Yes, this should not be a bottleneck.
fixes #753