kwctl allows scaffold of AdmissionPolicies that target cluster-wide resources #503

Open
2 tasks
kravciak opened this issue May 23, 2023 · 0 comments
kravciak commented May 23, 2023

Current Behavior

There are 2 types of policies: ClusterAdmissionPolicy and AdmissionPolicy.

All of our policies can be defined both as ClusterAdmissionPolicy and AdmissionPolicy. However, policies targeting cluster-wide resources are going to be evaluated only when deployed as ClusterAdmissionPolicy.
If I deploy a policy inspecting cluster-wide resources (like Namespace, PersistentVolume, ...) as an AdmissionPolicy, the policy will never be invoked.

Expected Behavior

  • kwctl should have knowledge of whether an official Kubernetes type is namespaced or not. When the user tries to scaffold an AdmissionPolicy and the policy is targeting a cluster-wide resource, the program should exit with an error.
  • For policies targeting Custom Resource Definitions there's no way for kwctl to know whether this is a cluster-wide resource or not. In this case, when scaffolding an AdmissionPolicy, kwctl should print a warning message. It's left to the user to figure out whether the CRD is cluster-wide or namespaced.
@kravciak kravciak changed the title kwctl should prevent scaffold of AdmissionPolicies that can't target namespace kwctl allows scaffold of AdmissionPolicies that can't target namespace May 23, 2023
@flavio flavio changed the title kwctl allows scaffold of AdmissionPolicies that can't target namespace kwctl allows scaffold of AdmissionPolicies that target cluster-wide resources May 25, 2023
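
The scope check this issue asks for, sketched as an added example (it is not kwctl's code and not part of the issue). The type and function names and the partial table of built-in resources are assumptions made for illustration.

```rust
// Added illustration, not kwctl code: all names here are hypothetical.
#[derive(Debug, PartialEq)]
enum ScaffoldCheck { Ok, Warn(String), Error(String) }

enum Scope { Namespaced, Cluster }

// Constructed, deliberately partial table keyed by (API group, plural resource).
// Anything absent is treated as a possible CRD, whose scope cannot be known offline.
fn builtin_scope(group: &str, resource: &str) -> Option<Scope> {
    match (group, resource) {
        ("", "pods" | "services" | "configmaps" | "secrets") | ("apps", "deployments") => {
            Some(Scope::Namespaced)
        }
        ("", "namespaces" | "persistentvolumes" | "nodes")
        | ("rbac.authorization.k8s.io", "clusterroles")
        | ("storage.k8s.io", "storageclasses") => Some(Scope::Cluster),
        _ => None,
    }
}

// Decide whether a namespaced AdmissionPolicy may be scaffolded for these rule targets.
fn check_admission_policy_target(rules: &[(&str, &str)]) -> ScaffoldCheck {
    let mut unknown = Vec::new();
    for &(group, resource) in rules {
        // A subresource such as "pods/status" has the scope of its parent.
        let base = resource.split('/').next().unwrap_or(resource);
        match builtin_scope(group, base) {
            // One cluster-wide target is enough to fail: the policy would be silently skipped.
            Some(Scope::Cluster) => {
                return ScaffoldCheck::Error(format!(
                    "{} is cluster-wide: an AdmissionPolicy would never be invoked for it", base
                ));
            }
            Some(Scope::Namespaced) => {}
            None => unknown.push(format!("{}/{}", group, base)),
        }
    }
    if unknown.is_empty() {
        ScaffoldCheck::Ok
    } else {
        ScaffoldCheck::Warn(format!("cannot tell if namespaced: {}", unknown.join(", ")))
    }
}

fn main() {
    println!("{:?}", check_admission_policy_target(&[("", "namespaces")]));
}
```
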