Comments (5)
Why was it decided not to use the standard approach?
We're in the process of deciding how the policy library ought to be structured. It's arguable that since the input-based version is more familiar for most people, we should keep it.
The reason we started with the data-based version was that it naturally lends itself to audit queries (e.g., asking for a list of all violations, violations in a particular namespace, violations on pods, violations of some kind, etc.). It is possible to use the input-based version for audit, but it requires additional logic/code.
This policy would always fail; no matter the name of the new resource, a match would always be found...
Since the controller only asks for the violations for the resource being admitted, this is not a problem. E.g., there could be many other resources with the name ceph (of different kinds or in different namespaces) but since the controller executes the query like data.admission.deny[{"id": id, "resource": {"kind": "SomeKind", "namespace": "default", "name": "ceph"}, "resolution": r}] only the violations for that resource are computed & returned.
from gatekeeper.
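To make the data-based vs. input-based distinction from the two comments above concrete, here is an added illustration in classic (pre-OPA 1.0) Rego. It is not the project's own policy library: the `matches` helper, the `data.kubernetes[kind][namespace][name]` layout that kube-mgmt is assumed to produce, the AdmissionReview fields read from `input.request`, and the rule id `privileged-container` are all assumptions made for this example. The point it shows is why a deny rule that carries the resource's identity can answer both the per-resource admission query quoted above and a cluster-wide audit query with no extra code, while the input-based form cannot.

```rego
package admission

# Constructed example, not the project's own policy.
# Assumed data layout: kube-mgmt syncs live cluster state into
# data.kubernetes[kind][namespace][name], where kind is the plural
# resource name ("pods"). The object under review arrives as an
# AdmissionReview in input.request.

# matches unions the synced cluster state with the object currently being
# admitted, so one deny rule covers both real-time admission and audit.
matches[[kind, namespace, name, resource]] {
    resource := data.kubernetes[kind][namespace][name]
}

matches[[kind, namespace, name, resource]] {
    resource := input.request.object
    kind := input.request.resource.resource
    namespace := input.request.namespace
    name := resource.metadata.name
}

# Data-based rule: every violation is keyed by the resource it belongs to.
# The controller asks for one resource; an audit asks for all of them.
#
#   admission: data.admission.deny[{"id": id,
#                "resource": {"kind": "pods", "namespace": "default", "name": "ceph"},
#                "resolution": r}]
#   audit (all):        data.admission.deny[v]
#   audit (namespace):  data.admission.deny[{"id": id,
#                "resource": {"kind": k, "namespace": "default", "name": n},
#                "resolution": r}]
deny[{
    "id": "privileged-container",
    "resource": {"kind": "pods", "namespace": namespace, "name": name},
    "resolution": {"message": sprintf("container %s must not be privileged", [c.name])},
}] {
    matches[["pods", namespace, name, pod]]
    c := pod.spec.containers[_]
    c.securityContext.privileged == true
}

# Input-based equivalent: shorter and more familiar, but it only knows about
# the one object in input and carries no resource identity, so auditing the
# existing cluster state would need separate code that loops over data.
deny_input[msg] {
    input.request.kind.kind == "Pod"
    c := input.request.object.spec.containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %s must not be privileged", [c.name])
}
```

Because the second `matches` rule is undefined when there is no `input.request`, the same `deny` rule evaluated without an input (the audit case) silently reports only the synced state; evaluated during admission it includes the incoming object as well, and the resource-keyed query narrows the result to that object alone.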
I need to understand the mechanics of this a bit better, but it does feel kind of cleaner to me that data is actual current state and input is potential new state.
I haven't found the exact code for this - how does the request get removed from data, if it gets denied? Or did you mean to keep all requests in data so you could later query them? That would create a LOT of data.
In terms of the audit/query functionality, if kube-mgmt is syncing the resource type of the query then the updated state ends up in data anyway, if the admission review isn't denied. So if the intent is to, say, find out what things that already exist would violate this policy, you can still do that. In any case the query would have to be different, as objects in requests are inside a request object, but other k8s resources are just under kubernetes.
from gatekeeper.
@tsandall thanks. I think now it's clear to me.
I think more explanation is needed in the doc about this choice.
Also, I couldn't find examples/tutorial about the audit functionality.
How does it work?
from gatekeeper.
Thanks @raffaelespazzoli for the feedback.
All policies in the controller support 'audit' via the GET '/audit' API.
Short description:
The required kubernetes dependencies are synced (eventually consistent) by 'kube-mgmt'.
The policy controller uses the same policies to query for violations in real time (when the /audit endpoint is called).
There is a lot of scope to enhance the docs for this. Please refer to the video if that helps (the link is also added in the README for this project):
https://www.youtube.com/watch?v=1WObJiTZDHc&feature=youtu.be
from gatekeeper.
Requests are now passed as input (as of v3)
from gatekeeper.