Comments (6)

JaydipGabani commented on May 27, 2024

@dgr237 As far as I know, SyncSets (referential validations) are only available with the policies using rego. @ritazh @maxsmythe Please correct me if I am wrong here.

from gatekeeper.

dgr237 commented on May 27, 2024

@JaydipGabani Thanks for confirming. This is what I suspected. Is this something which is on the roadmap?

JaydipGabani commented on May 27, 2024

@dgr237 I am not sure if CEL is capable of handling such kind of complex logic to begin with. @maxsmythe @ritazh would be able to better answer about the roadmap for k8snativevalidation.

maxsmythe commented on May 27, 2024

CEL should syntactically be able to handle referential data. A straw man example might be:

dataCache.List({
  "kind": "Pod"
}).all(pod, pod.metadata.name != object.metadata.name)

Where the above is listing all pods and making sure they don't have the same name as the inbound object.

A few caveats:

  • This is a rough sketch of what might be possible -- more design would be needed for a serious effort
  • We probably would not do this with the K8s native CEL engine. Since that is intended to be able to generate VAP resources to handle admission enforcement, we should avoid supporting features VAP will not support (like referential constraints). Of course, nothing prevents us from using CEL in a different engine that is less coupled to VAP, which would unblock support here.
  • This is something that can likely be done, but is a non-trivial amount of work. I'd definitely like signal from users to help indicate priority here, if this is a thing people would want to see.

Last design consideration: this cache should be one that can be shared across all engines (including Rego). This will help to avoid excess RAM usage.

ritazh commented on May 27, 2024

@dgr237 thanks for raising this.

I was looking to use the K8sNativeValidation rules rather than rego

I'm curious, can you please share why you did not want to use rego since it already supports referential policies quite well?

stale commented on May 27, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
