
Gatekeeper resource matching needs additional features #3081

Open

skaven81 opened this issue Oct 18, 2023 · 12 comments
Labels
docs Pure prose enhancement New feature or request triaged

Comments

skaven81 commented Oct 18, 2023

Describe the solution you'd like
The match field in Config and Constraints has several features, but they are not all properly symmetric.

There is the ability to select resources by label, labelSelector, but no ability to exclude resources by label, excludedLabelSelector. labelSelector can use set-based matchExpressions, which cover this case.

There is the ability to select resources by namespace labels, namespaceSelector, but no ability to exclude namespaces by label, excludedNamespaceSelector. namespaceSelector can use set-based matchExpressions, which cover this case.

There is the ability to provide a list of kinds, with wildcards, but no excludedKinds to refine that list.

There is the ability to select objects by name, with wildcards, but no excludedNames to refine that list.

I would like to see match expanded to add the missing symmetric features described above:

  • excludedLabelSelector
  • excludedNamespaceSelector
  • excludedKinds
  • excludedNames

Environment:

  • Gatekeeper version: 3.12
  • Kubernetes version: Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}
maxsmythe (Contributor) commented:
One concern with excludedNamespaceSelector would be that K8's ValidatingAdmissionPolicy doesn't support that matcher:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#matchresources-v1beta1-admissionregistration-k8s-io

Which would complicate the ability to use Gatekeeper to manage validating admission policy.

Part of the reason VAP doesn't have that is because label selectors let you use NotIn / DoesNotExist to do negative matching:

https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#labelselectorrequirement-v1-meta

G8r's namespaceSelector currently supports this syntax. Does this meet your needs?

skaven81 (Author) commented:

> label selectors let you use NotIn / DoesNotExist to do negative matching

That doesn't seem to be the case with Gatekeeper's implementation. The documentation (https://open-policy-agent.github.io/gatekeeper/website/docs/howto#the-match-field) explicitly says you can't do this.

> labelSelector is the combination of two optional fields: matchLabels and matchExpressions. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions are ANDed to determine if an object meets the cumulative requirements of the selector.

> namespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.

While labelSelector lets you choose between basic label matching with matchLabels and set matching with matchExpressions, namespaceSelector does not -- it only supports the basic matchLabels behavior.

If namespaceSelector were extended to behave like labelSelector then yes, I agree that would satisfy the requirement.

maxsmythe (Contributor) commented:
Ah, I think that was intended to read as: "namespaceSelector has the same behavior as labelSelector, but is applied to the containing namespace, instead of the object-under-test"

Negative matching should be supported (both use the same k8s label selector code under the hood):

```go
// Gatekeeper's two match helpers. Imports are added here for context; Match,
// Matchable and IsNamespace are Gatekeeper's own types and helper, defined
// elsewhere in the same package.
import (
	"fmt"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

// namespaceSelectorMatch applies match.namespaceSelector to the object's
// containing namespace, or to the object itself when it is a Namespace.
func namespaceSelectorMatch(match *Match, target *Matchable) (bool, error) {
	obj := target.Object
	ns := target.Namespace
	if match.NamespaceSelector == nil {
		return true, nil
	}
	isNamespace := IsNamespace(obj)
	if !isNamespace && ns == nil && obj.GetNamespace() == "" {
		// Match all non-Namespace cluster-scoped objects.
		return true, nil
	}
	// Same conversion as labelSelectorMatch below, so matchExpressions
	// (In / NotIn / Exists / DoesNotExist) are honoured here as well.
	selector, err := metav1.LabelSelectorAsSelector(match.NamespaceSelector)
	if err != nil {
		return false, err
	}
	if isNamespace {
		return selector.Matches(labels.Set(obj.GetLabels())), nil
	}
	if ns == nil {
		return false, fmt.Errorf("namespace selector for namespace-scoped object but missing Namespace")
	}
	return selector.Matches(labels.Set(ns.Labels)), nil
}

// labelSelectorMatch applies match.labelSelector to the object under test.
func labelSelectorMatch(match *Match, target *Matchable) (bool, error) {
	obj := target.Object
	if match.LabelSelector == nil {
		return true, nil
	}
	selector, err := metav1.LabelSelectorAsSelector(match.LabelSelector)
	if err != nil {
		return false, err
	}
	return selector.Matches(labels.Set(obj.GetLabels())), nil
}
```

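The point of the exchange above (skaven81's reading of the docs, and maxsmythe's reply that namespaceSelector goes through the same label-selector code as labelSelector) is that NotIn / DoesNotExist in matchExpressions already give the "excludedNamespaceSelector" behaviour requested in the issue. The following is an added example, not Gatekeeper's or apimachinery's code: it reimplements the matching semantics of a Kubernetes LabelSelector (matchLabels ANDed with matchExpressions, with the In / NotIn / Exists / DoesNotExist operators) in plain Go with no dependencies, so that the exclusion behaviour can be checked offline. The label key `gatekeeper.example/exempt`, the namespace names and their labels are all constructed for the example; they are not values from the project.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Operators of a Kubernetes set-based selector requirement (matchExpressions).
const (
	OpIn           = "In"
	OpNotIn        = "NotIn"
	OpExists       = "Exists"
	OpDoesNotExist = "DoesNotExist"
)

// Requirement mirrors one entry of matchExpressions.
type Requirement struct {
	Key      string
	Operator string
	Values   []string
}

// LabelSelector mirrors metav1.LabelSelector: every matchLabels pair and every
// matchExpressions entry must hold for the selector to match (they are ANDed).
type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

func contains(vals []string, v string) bool {
	for _, x := range vals {
		if x == v {
			return true
		}
	}
	return false
}

// Matches reports whether the label set satisfies the selector. A nil selector
// matches everything, as Gatekeeper's namespaceSelectorMatch does for a nil
// match.namespaceSelector; an empty non-nil selector also matches everything.
func (s *LabelSelector) Matches(lbls map[string]string) (bool, error) {
	if s == nil {
		return true, nil
	}
	for k, v := range s.MatchLabels {
		if got, ok := lbls[k]; !ok || got != v {
			return false, nil
		}
	}
	for _, r := range s.MatchExpressions {
		got, present := lbls[r.Key]
		switch r.Operator {
		case OpIn:
			if !present || !contains(r.Values, got) {
				return false, nil
			}
		case OpNotIn:
			// NotIn holds when the key is absent as well as when its value is outside the set.
			if present && contains(r.Values, got) {
				return false, nil
			}
		case OpExists:
			if !present {
				return false, nil
			}
		case OpDoesNotExist:
			if present {
				return false, nil
			}
		default:
			return false, fmt.Errorf("unknown label selector operator %q", r.Operator)
		}
	}
	return true, nil
}

// ExcludingNamespaceSelector is a constructed namespaceSelector that excludes
// namespaces by label without any "excludedNamespaceSelector" field. The
// equivalent Constraint fragment would be:
//
//   match:
//     namespaceSelector:
//       matchExpressions:
//         - {key: gatekeeper.example/exempt, operator: DoesNotExist}
//         - {key: environment, operator: NotIn, values: [sandbox, scratch]}
func ExcludingNamespaceSelector() *LabelSelector {
	return &LabelSelector{
		MatchExpressions: []Requirement{
			{Key: "gatekeeper.example/exempt", Operator: OpDoesNotExist},
			{Key: "environment", Operator: OpNotIn, Values: []string{"sandbox", "scratch"}},
		},
	}
}

// SampleNamespaces is a constructed set of namespaces (name -> labels).
var SampleNamespaces = map[string]map[string]string{
	"payments":         {"environment": "prod", "team": "fin"},
	"payments-sandbox": {"environment": "sandbox", "team": "fin"},
	"kube-system":      {"gatekeeper.example/exempt": "true"},
	"unlabeled":        {},
}

// SelectNamespaces returns, sorted, the names of the namespaces the selector admits.
func SelectNamespaces(sel *LabelSelector, namespaces map[string]map[string]string) ([]string, error) {
	var out []string
	for name, lbls := range namespaces {
		ok, err := sel.Matches(lbls)
		if err != nil {
			return nil, err
		}
		if ok {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	names, err := SelectNamespaces(ExcludingNamespaceSelector(), SampleNamespaces)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(names, ", ")) // payments, unlabeled
}
```

Note the NotIn case: a namespace with no `environment` label at all is still admitted, which is the behaviour a reviewer should expect when a label is used as an opt-out. If the intent is "only labelled namespaces, except these values", combine NotIn with an Exists requirement on the same key, since all requirements are ANDed.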
skaven81 (Author) commented:

Ah, so it's already implemented, but is just not clear from the documentation. I will admit that I haven't actually tried creating Constraints using namespaceSelector, because I didn't think it supported set-based selection.

@skaven81 skaven81 reopened this Oct 25, 2023
@ritazh ritazh added the docs Pure prose label Oct 25, 2023
skaven81 (Author) commented:
Updated the description to incorporate the findings from the comments. I still believe that having excludedNames and excludedKinds would be beneficial additions to improve the flexibility of the match fields all over Gatekeeper.

maxsmythe (Contributor) commented:
+1 to excluded names/kinds

stale bot commented Dec 30, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 30, 2023
skaven81 (Author) commented:
not stale

@stale stale bot removed the stale label Dec 31, 2023
stale bot commented Feb 29, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 29, 2024
skaven81 (Author) commented Mar 1, 2024

not stale

@stale stale bot removed the stale label Mar 1, 2024
stale bot commented May 2, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 2, 2024
@ritazh ritazh added triaged and removed stale labels May 2, 2024
skaven81 (Author) commented May 2, 2024

not stale
