K8sNativeValidation and SyncSets #3300

Open
dgr237 opened this issue Mar 9, 2024 · 6 comments
dgr237 commented Mar 9, 2024

I am currently looking at developing some validation constraints which, for a ClusterRoleBinding, need to check labels on the namespace associated with the Service Account that the ClusterRole is being bound to.

I was looking to use the K8sNativeValidation rules rather than rego and could not find an example of how this could be used. I developed the expressions, which I was testing with GatorCLI, and I get the error `undeclared reference to 'data' (in container '')`.

Is the use of SyncSets possible with K8sNativeValidation and if so do you have an example on how I could check if a label on the namespace associated with a ServiceAccount in a ClusterRoleBinding matches a required label?

@JaydipGabani (Contributor) commented:

@dgr237 As far as I know, SyncSets (referential validations) are only available with the policies using rego. @ritazh @maxsmythe Please correct me if I am wrong here.

dgr237 commented Mar 10, 2024

@JaydipGabani Thanks for confirming. This is what I suspected. Is this something which is on the roadmap?

@JaydipGabani (Contributor) commented:

@dgr237 I am not sure if CEL is capable of handling this kind of complex logic to begin with. @maxsmythe @ritazh would be able to better answer about the roadmap for k8snativevalidation.

@maxsmythe (Contributor) commented:

CEL should syntactically be able to handle referential data. A straw man example might be:

```cel
dataCache.List({
  "kind": "Pod"
}).all(pod, pod.metadata.name != object.metadata.name)
```

Where the above is listing all pods and making sure they don't have the same name as the inbound object.

A few caveats:

  • This is a rough sketch of what might be possible -- more design would be needed for a serious effort
  • We probably would not do this with the K8s native CEL engine. Since that is intended to be able to generate VAP resources to handle admission enforcement, we should avoid supporting features VAP will not support (like referential constraints). Of course, nothing prevents us from using CEL in a different engine that is less coupled to VAP, which would unblock support here.
  • This is something that can likely be done, but is a non-trivial amount of work. I'd definitely like signal from users to help indicate priority here, if this is a thing people would want to see.

Last design consideration: this cache should be one that can be shared across all engines (including Rego). This will help to avoid excess RAM usage.

ritazh commented Mar 13, 2024

@dgr237 thanks for raising this.

> I was looking to use the K8sNativeValidation rules rather than rego

I'm curious, can you please share why you did not want to use rego since it already supports referential policies quite well?
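For reference, the check asked about in the opening post can be expressed today with the Rego engine, which is what the thread says is the only engine with SyncSet (referential) support. The following is an added example written for this page, not code from the issue or from the Gatekeeper project. It assumes Gatekeeper's documented inventory layout for cluster-scoped objects (`data.inventory.cluster[<groupVersion>][<kind>][<name>]`), that a SyncSet has been applied so `v1/Namespace` objects are cached, and that the label key and value (`example.com/cluster-role-binding-allowed: "true"`) and all resource names are placeholders. The `data` root used here is exactly what a K8sNativeValidation (CEL) expression has no access to, which matches the `undeclared reference to 'data'` error gator reports in the first post.

```yaml
# SyncSet: tell Gatekeeper to cache Namespaces so Rego can read them from data.inventory.
apiVersion: syncset.gatekeeper.sh/v1alpha1
kind: SyncSet
metadata:
  name: namespaces-for-crb-check   # placeholder name
spec:
  gvks:
    - group: ""
      version: "v1"
      kind: "Namespace"
---
# ConstraintTemplate: every ServiceAccount subject of a ClusterRoleBinding must live in a
# namespace that carries the required label.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: crbsubjectnamespacelabel   # placeholder name
spec:
  crd:
    spec:
      names:
        kind: CRBSubjectNamespaceLabel
      validation:
        openAPIV3Schema:
          type: object
          properties:
            key:
              type: string
            value:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package crbsubjectnamespacelabel

        # Namespaces are cluster-scoped, so the synced copy lives at
        # data.inventory.cluster["v1"]["Namespace"][<name>] (assumed inventory layout).
        violation[{"msg": msg}] {
          crb := input.review.object
          subject := crb.subjects[_]
          subject.kind == "ServiceAccount"
          ns := data.inventory.cluster["v1"]["Namespace"][subject.namespace]
          # object.get keeps the rule defined when the namespace has no labels at all.
          labels := object.get(ns.metadata, "labels", {})
          actual := object.get(labels, input.parameters.key, "")
          actual != input.parameters.value
          msg := sprintf(
            "ClusterRoleBinding %v binds ClusterRole %v to ServiceAccount %v/%v, but namespace %v has label %v=%q (required %q)",
            [crb.metadata.name, crb.roleRef.name, subject.namespace, subject.name,
             subject.namespace, input.parameters.key, actual, input.parameters.value])
        }

        # Fail closed: a namespace missing from the cache (SyncSet not applied, cache not
        # yet populated, or namespace does not exist) cannot be verified, so deny.
        violation[{"msg": msg}] {
          crb := input.review.object
          subject := crb.subjects[_]
          subject.kind == "ServiceAccount"
          not data.inventory.cluster["v1"]["Namespace"][subject.namespace]
          msg := sprintf(
            "ClusterRoleBinding %v references ServiceAccount %v/%v, but namespace %v is not in the synced inventory; cannot verify label %v",
            [crb.metadata.name, subject.namespace, subject.name, subject.namespace, input.parameters.key])
        }
---
# Constraint: apply the template to ClusterRoleBindings with the placeholder label.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: CRBSubjectNamespaceLabel
metadata:
  name: crb-subject-ns-must-be-allowed   # placeholder name
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding"]
  parameters:
    key: "example.com/cluster-role-binding-allowed"   # placeholder label key
    value: "true"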

stale bot commented May 12, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 12, 2024