feat: add namespace support for CEL and Rego engines (open-policy-agent#4285)

Signed-off-by: Jaydip Gabani <[email protected]>

Author: JaydipGabani

go.mod

@@ -15,7 +15,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/onsi/gomega v1.38.3
 	github.com/open-policy-agent/cert-controller v0.14.1-0.20251031183427-40974f7dd486
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20251212003702-cf69624a8e54
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20251217214254-e3880ce65b48
 	github.com/open-policy-agent/opa v1.10.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.23.2

go.sum

@@ -305,8 +305,8 @@ github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM=
 github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
 github.com/open-policy-agent/cert-controller v0.14.1-0.20251031183427-40974f7dd486 h1:Ir1VtwXM/0OF22+klrZQpqbJQ4Vkpv1v4d7p61Xpzyg=
 github.com/open-policy-agent/cert-controller v0.14.1-0.20251031183427-40974f7dd486/go.mod h1:6zxrUxL0sFlTQzNFToeo2ysfQ9lloVXj2fitZBVdXWU=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20251212003702-cf69624a8e54 h1:lpHoyrcCmdhtVIdg7hz5wK1zR1HaGsBrWA5ddTgK7qc=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20251212003702-cf69624a8e54/go.mod h1:ZijN1cmV6XtRWHEWVSq/nWwa3ZAoO3d9OlfGsocbCsY=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20251217214254-e3880ce65b48 h1:cZPXsRvKW6nLqjNMt4Rm1EK93b9GPBM48BSr91nsKYo=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20251217214254-e3880ce65b48/go.mod h1:Kic6tRHuKSVP2cAn96UUbifEHvJf1bdu28fJCqNPahg=
 github.com/open-policy-agent/opa v1.10.0 h1:CzWR/2OhZ5yHrqiyyB1Z37mqLMowifAiFSasjLxBBpk=
 github.com/open-policy-agent/opa v1.10.0/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

pkg/audit/manager.go

@@ -612,7 +612,14 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
 			Object:    obj,
 			Namespace: ns,
 		}
-		resp, err := am.opa.Review(ctx, au, reviews.EnforcementPoint(util.AuditEnforcementPoint), reviews.Stats(*logStatsAudit))
+		opts := []reviews.ReviewOpt{
+			reviews.EnforcementPoint(util.AuditEnforcementPoint),
+			reviews.Stats(*logStatsAudit),
+		}
+		if opt := util.NamespaceReviewOpt(ns, am.log); opt != nil {
+			opts = append(opts, opt)
+		}
+		resp, err := am.opa.Review(ctx, au, opts...)
 		if err != nil {
 			am.log.Error(err, fmt.Sprintf("Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName()))
 			continue
@@ -703,7 +710,14 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i
 				Source:    mutationtypes.SourceTypeOriginal,
 			}
 
-			resp, err := am.opa.Review(ctx, augmentedObj, reviews.EnforcementPoint(util.AuditEnforcementPoint), reviews.Stats(*logStatsAudit))
+			opts := []reviews.ReviewOpt{
+				reviews.EnforcementPoint(util.AuditEnforcementPoint),
+				reviews.Stats(*logStatsAudit),
+			}
+			if opt := util.NamespaceReviewOpt(ns, am.log); opt != nil {
+				opts = append(opts, opt)
+			}
+			resp, err := am.opa.Review(ctx, augmentedObj, opts...)
 			if err != nil {
 				am.log.Error(err, "Unable to review object from file", "fileName", fileName, "objNs", objNs)
 				continue
@@ -727,7 +741,14 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i
 					Namespace: ns,
 					Source:    mutationtypes.SourceTypeGenerated,
 				}
-				resultantResp, err := am.opa.Review(ctx, au, reviews.EnforcementPoint(util.AuditEnforcementPoint), reviews.Stats(*logStatsAudit))
+				resultantOpts := []reviews.ReviewOpt{
+					reviews.EnforcementPoint(util.AuditEnforcementPoint),
+					reviews.Stats(*logStatsAudit),
+				}
+				if opt := util.NamespaceReviewOpt(ns, am.log); opt != nil {
+					resultantOpts = append(resultantOpts, opt)
+				}
+				resultantResp, err := am.opa.Review(ctx, au, resultantOpts...)
 				if err != nil {
 					am.log.Error(err, "Unable to review expanded object", "objName", (*resultant.Obj).GetName(), "objNs", ns)
 					continue

pkg/drivers/k8scel/driver.go

@@ -2,6 +2,7 @@ package k8scel
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
@@ -15,15 +16,18 @@ import (
 	"github.com/open-policy-agent/frameworks/constraint/pkg/types"
 	pSchema "github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel/schema"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel/transform"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/logging"
 	"github.com/open-policy-agent/opa/storage"
 	admissionv1 "k8s.io/api/admission/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/admission/plugin/cel"
 	"k8s.io/apiserver/pkg/admission/plugin/policy/validating"
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
 	celAPI "k8s.io/apiserver/pkg/apis/cel"
 	"k8s.io/apiserver/pkg/cel/environment"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 // NOTE: This is a PROTOTYPE driver. Do not use this for any critical work
@@ -48,7 +52,10 @@ const (
 	runTimeNSDescription = "the number of nanoseconds it took to evaluate the constraint"
 )
 
-var _ drivers.Driver = &Driver{}
+var (
+	_   drivers.Driver = &Driver{}
+	log                = logf.Log.WithName("k8scel-driver").WithValues(logging.Process, "k8scel")
+)
 
 type Driver struct {
 	mux         sync.RWMutex
@@ -198,8 +205,18 @@ func (d *Driver) Query(ctx context.Context, target string, constraints []*unstru
 			return nil, fmt.Errorf("nil validator for constraint template %v", strings.ToLower(constraint.GetKind()))
 		}
 
-		// TODO: should namespace be made available, if possible? Generally that context should be present
-		response := validator.Validate(ctx, versionedAttr.GetResource(), versionedAttr, constraint, nil, celAPI.PerCallLimit, nil)
+		// Convert namespace from map[string]interface{} to *corev1.Namespace if provided.
+		// This enables CEL expressions to access namespaceObject for namespace-based policies.
+		var namespace *corev1.Namespace
+		if cfg.Namespace != nil {
+			namespace, err = mapToNamespace(cfg.Namespace)
+			if err != nil {
+				log.Error(err, "failed to convert namespace to corev1.Namespace, continuing without namespace")
+				namespace = nil
+			}
+		}
+
+		response := validator.Validate(ctx, versionedAttr.GetResource(), versionedAttr, constraint, namespace, celAPI.PerCallLimit, nil)
 
 		for _, decision := range response.Decisions {
 			if decision.Action == validating.ActionDeny {
@@ -252,3 +269,24 @@ type ARGetter interface {
 type IsAdmissionGetter interface {
 	IsAdmissionRequest() bool
 }
+
+// mapToNamespace converts a map[string]interface{} representation of a namespace
+// to a *corev1.Namespace. This is used to pass the namespace object to the CEL
+// validator for namespaceObject support.
+func mapToNamespace(ns map[string]interface{}) (*corev1.Namespace, error) {
+	if ns == nil {
+		return nil, nil
+	}
+
+	data, err := json.Marshal(ns)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal namespace: %w", err)
+	}
+
+	namespace := &corev1.Namespace{}
+	if err := json.Unmarshal(data, namespace); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal namespace: %w", err)
+	}
+
+	return namespace, nil
+}