feat: add namespace support to Rego driver via input.review.namespaceObject #646
- Add Namespace field to ReviewCfg for passing namespace data to drivers
- Add reviews.Namespace() option function for callers to pass namespace
- Update Rego driver to accept namespace in toParsedInput and pass to Query
- Update hookModuleRego to include input.namespace for Rego policy access
- Add TemplateCheckNamespace for testing namespace-based policies
- Add WantEnvironment constraint argument for namespace tests
- Add TestClient_Review_Namespace e2e test for Rego namespace support

This enables Rego policies to access namespace metadata via input.namespace for namespace-scoped policy decisions.

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
c927057 to 6a1f9a8
Pull request overview
This PR adds namespace support to the Rego driver, enabling Rego policies to access namespace metadata via input.namespace for namespace-scoped policy decisions.
- Adds Namespace field to ReviewCfg and a reviews.Namespace() option function for passing namespace data to drivers
- Updates Rego driver to include namespace in the input passed to policies via object.get(input, "namespace", null)
- Adds comprehensive test coverage with TemplateCheckNamespace and TestClient_Review_Namespace
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| constraint/pkg/client/template_client_test.go | Minor comment punctuation fix |
| constraint/pkg/client/template_client.go | Minor comment punctuation fix |
| constraint/pkg/client/reviews/review_opts.go | Adds Namespace field to ReviewCfg and Namespace() option function |
| constraint/pkg/client/e2e_test.go | Adds end-to-end test for namespace support with multiple test cases |
| constraint/pkg/client/drivers/rego/rego.go | Updates hook module to include namespace in input using object.get() |
| constraint/pkg/client/drivers/rego/driver.go | Updates toParsedInput() to accept and pass namespace parameter |
| constraint/pkg/client/clienttest/templates.go | Adds TemplateCheckNamespace for testing namespace-based policies |
| constraint/pkg/client/clienttest/cts/constraints.go | Adds WantEnvironment() constraint argument helper |
| constraint/pkg/client/client.go | Reorders imports to follow Go conventions (alphabetical within groups) |
Codecov Report
✅ All modified and coverable lines are covered by tests.

| Coverage Diff | master | #646 | +/- |
|---|---|---|---|
| Coverage | 54.68% | 43.33% | -11.35% |
| Files | 71 | 97 | +26 |
| Lines | 5241 | 5411 | +170 |
| Hits | 2866 | 2345 | -521 |
| Misses | 2073 | 2763 | +690 |
| Partials | 302 | 303 | +1 |
sozercan left a comment
a few minor comments, otherwise lgtm
|
|
||
| violation[{"msg": msg}] { | ||
| # Check if namespace is provided and has the expected label | ||
| ns := input.review.namespaceObject |
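Review bot: On the `ns := input.review.namespaceObject` line, a review that carries no namespace object leaves that reference undefined, so the rest of this rule body never evaluates and the rule reports nothing for the very case the comment above it says it checks. Unless another rule covers it, handle the absent case explicitly, either with a separate `violation` rule guarded by `not input.review.namespaceObject` or by reading the value through `object.get(input.review, "namespaceObject", null)` and testing for null. The PR description also refers to `input.namespace`, so the template's comment should state which path policy authors are expected to use.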
do we need the guard if object doesn't have namespace?
added the check, if it's nil then the variable results in undefined. So it should be alright, but added the check regardless.
| }{ | ||
| { | ||
| name: "no namespace provided - expects violation for missing namespace", | ||
| namespace: nil, |
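Review bot: `namespace: nil` in this row covers only a review with no namespace passed. A namespace that is present but carries no labels, or carries a different label value, is a different input to the policy and should get its own row and expected result, so that a change in how one of them is handled shows up as a test failure.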
can you add a case for empty namespace too
added a test for this.
| name: "no namespace provided - expects violation for missing namespace", | ||
| namespace: nil, | ||
| wantEnv: "production", | ||
| wantResults: 1, |
Not really, the test policy is written so that it will result in violation when namespace is nil or empty.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.