Commit f11d70d

Update policy-for-kubernetes.md
1 parent 825b162 commit f11d70d

1 file changed

+1
-1
lines changed

articles/governance/policy/concepts/policy-for-kubernetes.md

Lines changed: 1 addition & 1 deletion
@@ -608,7 +608,7 @@ Finally, to identify the AKS cluster version that you're using, follow the linke
608608

609609
#### 1.7.0
610610
Introducing expansion, a shift left feature that will let you know up front whether your workload resources (Deployments, ReplicaSets, Jobs, etc) will produce admissible pods. Expansion should not change the behavior of your policies; rather, it will just shift Gatekeeper's evaluation of pod-scoped policies to occur at workload admission time rather than pod admission time. However, to perform this evaluation it must generate and evaluate a what-if pod based on the pod spec defined in the workload, which may have incomplete metadata (for instance, it will be missing the proper owner references). Because of this small risk of policy behavior changing, we are introducing expansion as disabled by default. To enable expansion for a given policy definition, set `.policyRule.then.details.source` to `All`. Built-ins will be updated soon to enable parameterization of this field. If you test your policy definition and find that the what-if pod being generated for evaluation purposes is incomplete, you can also use a mutation with source `Generated` to mutate the what-if pods. For more information on this option, view the [Gatekeeper documentation](https://open-policy-agent.github.io/gatekeeper/website/docs/expansion#mutating-example).
611-
Update the addon to use MSAL by default, with a fallback to ADAL (full ADAL removal will occur next release).
611+
Security improvements.
612612
- Released July 2024
613613
- Kubernetes 1.27+
614614
- Gatekeeper 3.16.3
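
Review bot: On changed line 611, replacing the MSAL/ADAL sentence with "Security improvements." leaves the 1.7.0 release note with no statement of what actually changed, and it drops the notice that full ADAL removal will occur next release. If the add-on still moves to MSAL by default with an ADAL fallback in this version, keep that sentence and add the security wording alongside it; if it does not, name the security-relevant behaviour that changed so operators can tell whether their clusters' authentication path is affected. The commit message "Update policy-for-kubernetes.md" gives no reason for the removal either, so a one-line rationale there would help.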
