diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index f6296f5d5c9e..4fde1a8824e6 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -34,7 +34,7 @@ - [Match Conditions](#match-conditions) - [Variables](#variables) - [Secondary Authz](#secondary-authz) - - [Access to namespace metadata](#access-to-namespace-metadata) + - [Access to namespace](#access-to-namespace) - [Transition rules](#transition-rules) - [Resource constraints](#resource-constraints) - [Safety Features](#safety-features) 
@@ -1480,16 +1480,17 @@ If we were to offer a way to lookup arbitrary other resources, or even if we provided selective access to just some resources, this might become easier. This can explored as future work. -#### Access to namespace metadata +#### Access to namespace -We have general agreement to include this as a feature, but need to provide -a concrete design. +We have general agreement to grand CEL expression access to namespace through a newly added CEL variable `namespaceObject`. +If the resource is cluster scoped, `namespaceObject` will be null. -- Namespace labels and annotations are the most commonly needed fields not - already available in the resource being validated. Note that - namespaceSelectors already allow matches to examine namespace levels, but we - also have use cases that need to be able to inspects the fields in CEL - expressions. +`namespaceObject` will provide access to all existing fields under namespace metadata, namespace spec and namespace status except for metadata.managedFields and metadata.ownerReferences. +Most of the fields could be directly accessed through `namespaceObject` variable. e.g. `namespaceObject.metadata.name` or `namespaceObject.status.phase`. + +Namespace labels and annotations are the most commonly needed fields not already available in the resource being validated. +labels and annotations could be accessed through `namespaceObject.metadata.labels.env`. +Note that we recommend to check if the specific label/annotation exists before validate against it: `has(namespaceObject.metadata.labels.env)`. #### Transition rules
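Review bot: In the TOC hunk (`@@ -34,7 +34,7 @@`) the anchor changes from `#access-to-namespace-metadata` to `#access-to-namespace`; please confirm no other links in this README or in sibling KEPs still point at the old anchor, since the heading rename below invalidates it.

Review bot: The added line `We have general agreement to grand CEL expression access to namespace` should read `grant CEL expressions access to the namespace`, and the closing line reads better as `we recommend checking whether the specific label/annotation exists before validating against it`. Beyond wording, the hunk states that `namespaceObject` will be null for cluster-scoped resources but does not say how a policy that matches both scopes should handle that; a short note that such expressions need a null guard before any field access (for example `namespaceObject == null || has(namespaceObject.metadata.labels.env)`) would prevent the evaluation failure that a bare `namespaceObject.metadata.labels.env` produces. For the same reason the labels example should be shown together with the `has()` check the next sentence recommends, since in CEL a missing map key is an evaluation error rather than a null value.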