keps/sig-api-machinery/3488-cel-admission-control/README.md
51 additions & 16 deletions
@@ -1190,18 +1190,24 @@ are included with the key provided. E.g.:
1190
1190
1191
1191
#### Per namespace policy params
1192
1192
1193
-
Currently the policies and bindings are only allowed to be cluster scoped.
1194
-
We want to support per namespace configuration with namespace scoped param resources.
1193
+
Validating admission policies and bindings are cluster scoped.
1194
+
1195
+
We want to enable a clusters to be able to parameterize a policy
1196
+
on a per-namespace using a resource contained in the namespace.
1195
1197
1196
1198
(Thanks for the input from @dead2k)
1197
-
This sort of mapping allows:
1198
-
- A cluster-admin can write a single resource to say, “this is the policy I want in all my namespaces”.
1199
-
- If namespace admins can read the param resources, but not write that resource, they can understand the limitations they currently have.
1200
-
- A single lenient cluster policy and cluster policybinding can enforce the minimum constraint, and a single cluster policy with a cluster policybinding pointing to a namespace level param can further restrict.
1201
1199
1202
-
A new optional field `namespaceParamRef` could be added inside ValidatingAdmissionPolicyBinding to support such use case.
1203
-
In contrast, a namespace scoped policybinding will require creation and maintenance of both policybindings and parameters
1204
-
in every namespace to enforce the policy itself, versus the single policybinding and many parameters.
1200
+
The goal is to enable:
1201
+
- A cluster-admin to write a single policy to say, “this is the policy I want in
1202
+
all my namespaces”.
1203
+
- A namespace admins that can read the param resources, but not write the params
1204
+
resource, to understand the limitations they currently have.
1205
+
- A single lenient cluster policy and binding to enforce a minimum constraint,
1206
+
and a single cluster policy and binding pointing to a namespace level params
1207
+
to further restrict the policy for a particular namespace.
1208
+
1209
+
To implement this, a new optional field `namespaceParamRef` will be added to
1210
+
ValidatingAdmissionPolicyBinding:
1205
1211
1206
1212
```yaml
1207
1213
apiVersion: admissionregistration.k8s.io/v1alpha1
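Review bot: the rewritten goal paragraph in this hunk has grammar errors that should be fixed before merge. `We want to enable a clusters to be able to parameterize a policy` / `on a per-namespace using a resource contained in the namespace.` should read "We want to enable a cluster to parameterize a policy on a per-namespace basis using a resource contained in the namespace."; `A namespace admins that can read the param resources` should be "A namespace admin who can read the param resources"; and `pointing to a namespace level params` should be "pointing to namespace-level params". It would also help to state in the third goal that this layering only works because every binding that matches a request must admit it, so a namespace-level param can tighten but never loosen the constraint enforced by the lenient cluster-wide binding; that is the property the bullet relies on but does not spell out.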
@@ -1212,16 +1218,45 @@ spec:
1212
1218
policyName: "demo-policy.example.com"
1213
1219
namespaceParamRef:
1214
1220
name: "param-resource.example.com"
1215
-
failAction: “allow”
1221
+
failAction: “Allow”
1222
+
validationActions: [Deny]
1223
+
```
1224
+
1225
+
The `namespaceParamRef` may either specify an exact name, or may specify a label selector to locate
1226
+
the param resource in a namespace. For example:
1227
+
1228
+
```yaml
1229
+
apiVersion: admissionregistration.k8s.io/v1alpha1
1230
+
kind: ValidatingAdmissionPolicyBinding
1231
+
metadata:
1232
+
name: "demo-binding-test.example.com"
1233
+
spec:
1234
+
policyName: "demo-policy.example.com"
1235
+
namespaceParamRef:
1236
+
selector:
1237
+
matchLabels:
1238
+
policy: demo-policy
1239
+
failAction: “Allow”
1216
1240
validationActions: [Deny]
1217
1241
```
1218
1242
1219
-
- a new optional field `namespaceParamRef` is added as a peer to `paramRef`. User has to choose one for parameterization.
1220
-
It allows users to configure param resource per namespace.
1221
-
- failAction defines the behavior when the param resource cannot be found in current namespace.
1222
-
Set to `allow` will ignore the validation and let the request through. Set to `deny` will fail the validation if specific param resource not found.
1223
-
- if the resource be validated on is a cluster scoped resource and have `namespaceParamRef` set, return error.
1224
-
- the existing behavior should not be affected.
1243
+
Note that with a label selector, multiple param resource may match, in which
1244
+
case the policy is evaluated for each param resource; the admission request must
1245
+
be allowed by the policy for all the param resources to be admitted.
1246
+
1247
+
Implementation details:
1248
+
1249
+
- `namespaceParamRef`and `paramRef` are members of a union; if one of the
1250
+
fields is set, the other must be unset.
1251
+
- `failAction`defines the behavior when the param resource cannot be found in a
1252
+
namespace. Set to `Allow` to admit all requests even when there is no params
1253
+
resources found, and policy is not evaluated. Set to `Deny` to fail admission
1254
+
if no param resources are found. (Note from jpbetz: this could be
1255
+
implemented without introducing a new field. For "allow" add a `params != null`
1256
+
`matchCondition`, for deny, add `params != null` as the first expression)
1257
+
- if the `paramKind` of the policy referred to by `policyName` is cluster scoped,
1258
+
and `namespaceParamRef` set, the binding is considered mis-configured, and the
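Review bot: both YAML examples write the enum with typographic quotes (`failAction: “Allow”`); in YAML those are ordinary plain-scalar characters, so the value would be the literal string “Allow” rather than Allow and would fail validation. Use ASCII quotes or the bare word, as `validationActions: [Deny]` already does. The `Implementation details` list should also state the default when `failAction` is omitted: the text says that with `Allow` the policy is not evaluated at all when no params are found, so a binding whose selector matches nothing silently admits every request; a fail-closed default (`Deny`) or making the field required avoids that surprise. The inline "(Note from jpbetz: ...)" suggesting `params != null` as a `matchCondition` or first expression instead of a new field is a design decision that should be resolved in the KEP text rather than left as a parenthetical. Minor: missing spaces in `namespaceParamRef`and and `failAction`defines, and "multiple param resource may match" should be "resources".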