|
19 | 19 | - [Policy Configuration](#policy-configuration) |
20 | 20 | - [Match Criteria](#match-criteria) |
21 | 21 | - [Decisions and Enforcement](#decisions-and-enforcement) |
22 | | - - [Informational type checking](#informational-type-checking) |
23 | 22 | - [Failure Policy](#failure-policy) |
24 | 23 | - [Safety measures](#safety-measures) |
25 | 24 | - [Singleton Policies](#singleton-policies) |
26 | 25 | - [Limits](#limits) |
27 | 26 | - [Phase 2](#phase-2) |
| 27 | + - [Informational type checking](#informational-type-checking) |
28 | 28 | - [Enforcement Actions](#enforcement-actions) |
29 | 29 | - [Namespace scoped policy binding](#namespace-scoped-policy-binding) |
30 | 30 | - [CEL Expression Composition](#cel-expression-composition) |
@@ -895,41 +895,6 @@ xref: |
895 | 895 |
|
896 | 896 | - https://open-policy-agent.github.io/gatekeeper/website/docs/next/violations/ |
897 | 897 |
|
898 | | -#### Informational type checking |
899 | | - |
900 | | -This is complicated by: |
901 | | - |
902 | | -- Version skew |
903 | | -- CRDs |
904 | | -- Aggregated API servers |
905 | | - |
906 | | -Problem examples: |
907 | | - |
908 | | -| Problem | Summary | |
909 | | -| ------------------------------------------------------ | ------------------------------------------- | |
910 | | -| version skew: ephemeralContainers case | New pod field, need to be able to validate in same was containers and initContainers if field exists and is populated | |
911 | | -| version skew: Migration from annotation to field | Need to be able to validate annotation (if present) or field (if it exists and is populated) | |
912 | | -| CRD is deleted | Nothing to type check against, but also means there are no coresponding custom resources | |
913 | | -| CRD is in multiple clusters, but schema differs | If policy author is aware of the schema variations, can they write policies that work for all the variations? | |
914 | | -| Validation of an aggregated API server type | Main API server does not have type definitions | |
915 | | - |
916 | | -Due to these complications, we have decided to evaluate CEL expressions |
917 | | -dynamically. Informational type checking will be provided (except for aggregated |
918 | | -API server types), but will be surfaced only as warnings. See "Alternatives |
919 | | -Considered" section for details of all the alternatives we reviewed when |
920 | | -selecting this approach. |
921 | | - |
922 | | -Type checking is still performed for all expressions where a GVK can be matched |
923 | | -to type check against, resulting in warnings, e.g.: |
924 | | - |
925 | | -```yaml |
926 | | -... |
927 | | -status: |
928 | | - expressionWarnings: |
929 | | - - expression: "object.foo" |
930 | | - warning: "no such field 'foo'" |
931 | | -``` |
932 | | - |
933 | 898 | #### Failure Policy |
934 | 899 |
|
935 | 900 | Because failure policy is most often selected based on the need to guarantee |
@@ -1027,6 +992,48 @@ All these capabilities are required before Beta, but will not be implemented in |
1027 | 992 | the first alpha release of this enhancement due to the size and complexity of |
1028 | 993 | this enhancement. |
1029 | 994 |
|
| 995 | +#### Informational type checking |
| 996 | + |
| 997 | +Some advantages of strongly typed objects and expressions over treating everything as unstructured are: |
| 998 | + |
| 999 | +- Checks against missing/misspelled fields. |
| 1000 | + The user may write an expression that refers to a missing/misspelled field that |
| 1001 | + does not exist in their test cases but appears later. A type check can detect this kind of error while an evaluation-time check may not. |
| 1002 | +- Checks against type confusions. Similarly, the user may confuse the type of field but their test cases never touch wrongly typed fields. |
| 1003 | +- Guard against short-circuit evaluation. The user may make a mistake of one of the mentioned above but the code path is never covered in their test cases; |
| 1004 | +- Support Kubernetes extensions. For example, IntOrString and map lists. |
| 1005 | + |
| 1006 | +However, enforcing types for every expression and object is not feasible because of: |
| 1007 | + |
| 1008 | +- Version skew |
| 1009 | +- CRDs |
| 1010 | +- Aggregated API servers |
| 1011 | + |
| 1012 | +Problem examples: |
| 1013 | + |
| 1014 | +| Problem | Summary | |
| 1015 | +|--------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| |
| 1016 | +| version skew: ephemeralContainers case | New pod field, need to be able to validate in same was containers and initContainers if field exists and is populated | |
| 1017 | +| version skew: Migration from annotation to field | Need to be able to validate annotation (if present) or field (if it exists and is populated) | |
| 1018 | +| CRD is deleted | Nothing to type check against, but also means there are no coresponding custom resources | |
| 1019 | +| CRD is in multiple clusters, but schema differs | If policy author is aware of the schema variations, can they write policies that work for all the variations? | |
| 1020 | +| Validation of an aggregated API server type | Main API server does not have type definitions | |
| 1021 | + |
| 1022 | +Until the design is extended to handle these situations, the type checking will remain informational. |
| 1023 | + |
| 1024 | +Informational type checking will be performed against all expressions where a GVK can be resolved to |
| 1025 | +type check against. The result of type checking will be part of the status of the performed policy. |
| 1026 | + |
| 1027 | +For example, accessing an unknown field will result a warning like this. |
| 1028 | + |
| 1029 | +```yaml |
| 1030 | +... |
| 1031 | +status: |
| 1032 | + expressionWarnings: |
| 1033 | + - expression: "object.replicas > 1" # should be "object.spec.replicas > 1" |
| 1034 | + warning: "no such field 'replicas'" |
| 1035 | +``` |
| 1036 | + |
1030 | 1037 | #### Enforcement Actions |
1031 | 1038 |
|
1032 | 1039 | For phase 1, all violations implicitly result in a `deny` enforcement action. |
|
0 commit comments