OPA policy for fields which are defaulted if omitted #401
Unanswered
mtheeren-asml asked this question in OPA and Rego
Replies: 1 comment 3 replies
The validating webhook step always comes after the mutating one, so if you'd want to read the resources before the mutating admission controllers have been applied, you'd likely need to do so in a mutating admission controller webhook yourself. I'm not sure if it works or if it's a good idea though :) Another option would be to do the check in the CI/CD pipeline, i.e. check the files on disk before they are deployed.
Hi,
I'm trying to create a multitenant system and am writing a Rego policy which says certain annotations / fields are not allowed to be present when creating a pod. I am also using Flux CD to deploy the manifests on my cluster.
Now, let's say for example we only allow the annotations app.kubernetes.io/name and app.kubernetes.io/instance to be present when specifying a manifest for a pod. Kubernetes will automatically add annotations from operators / webhooks / ... and will add defaults for fields which are omitted. This means my final deployed pod will have for example these annotations:
Is there any way to get only the initial fields which are in the manifest picked up by Flux, before any defaulting is added by Kubernetes and webhooks interfere with the object?
Thanks in advance!
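The annotation allowlist from the question, written so that one policy serves both places the reply mentions: run in CI against the raw manifest on disk (before any Kubernetes defaulting or mutating webhook has touched it) and run in the validating webhook against the AdmissionReview. This is an added example, not code from the discussion; it assumes a conftest-style invocation (`conftest test pod.yaml -p policy.rego`, package `main`, the manifest document as `input`) and the two allowed annotations are the constructed allowlist from the question.

```rego
# Added example: tenant annotation allowlist for Pods.
# Works on two input shapes:
#   - CI (conftest / opa eval on the file): input is the Pod manifest itself,
#     so the check sees exactly what Flux will apply, before defaulting.
#   - Validating webhook: input is an AdmissionReview, the Pod is under
#     input.request.object and already carries defaulted/mutated fields.
package main

import future.keywords.in

# Constructed allowlist taken from the question.
allowed_annotations := {"app.kubernetes.io/name", "app.kubernetes.io/instance"}

# Object under review: unwrap the AdmissionReview in the webhook case,
# otherwise treat the input as the raw manifest (CI case).
reviewed = input.request.object

reviewed = input {
	not input.request
}

# One deny message per annotation key outside the allowlist.
# If metadata.annotations is absent the iteration is undefined, so a
# manifest with no annotations produces no deny.
deny[msg] {
	reviewed.kind == "Pod"
	some key, _ in reviewed.metadata.annotations
	not key in allowed_annotations
	msg := sprintf("pod %q has annotation %q, which is not in the tenant allowlist", [reviewed.metadata.name, key])
}
```

Running this in the pipeline catches an annotation the tenant actually wrote, while the same rule in the webhook will also flag annotations injected by operators and mutating webhooks, which is the difference the question is about.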