Add design details on namespace access

kubernetes · May 26, 2023 · 28d5008 · 28d5008
1 parent ad1b439
commit 28d5008
Showing 1 changed file with 10 additions and 9 deletions.
diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md
@@ -34,7 +34,7 @@
       - [Match Conditions](#match-conditions)
       - [Variables](#variables)
     - [Secondary Authz](#secondary-authz)
-    - [Access to namespace metadata](#access-to-namespace-metadata)
+    - [Access to namespace](#access-to-namespace)
     - [Transition rules](#transition-rules)
     - [Resource constraints](#resource-constraints)
     - [Safety Features](#safety-features)
@@ -1480,16 +1480,17 @@ If we were to offer a way to lookup arbitrary other resources, or even if
 we provided selective access to just some resources, this might become
 easier. This can explored as future work.
 
-#### Access to namespace metadata
+#### Access to namespace
 
-We have general agreement to include this as a feature, but need to provide
-a concrete design.
+We have general agreement to grand CEL expression access to namespace through a newly added CEL variable `namespaceObject`.
+If the resource is cluster scoped, `namespaceObject` will be null.
 
-- Namespace labels and annotations are the most commonly needed fields not
-  already available in the resource being validated. Note that
-  namespaceSelectors already allow matches to examine namespace levels, but we
-  also have use cases that need to be able to inspects the fields in CEL
-  expressions.
+`namespaceObject` will provide access to all existing fields under namespace metadata, namespace spec and namespace status except for metadata.managedFields and metadata.ownerReferences.
+Most of the fields could be directly accessed through `namespaceObject` variable. e.g. `namespaceObject.metadata.name` or `namespaceObject.status.phase`.
+
+Namespace labels and annotations are the most commonly needed fields not already available in the resource being validated. 
+labels and annotations could be accessed through `namespaceObject.metadata.labels.env`.
+Note that we recommend to check if the specific label/annotation exists before validate against it: `has(namespaceObject.metadata.labels.env)`.
 
 #### Transition rules