From 21cade5efdfb4ac4f2c26873e3fe9525ac96865f Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Wed, 11 Jan 2023 18:42:23 -0500 Subject: [PATCH 1/8] Add KEP section for warning and audit annotation support --- .../3488-cel-admission-control/README.md | 124 ++++++++++++++++-- 1 file changed, 112 insertions(+), 12 deletions(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index 9937ffddf53..6e19e33ef50 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -26,6 +26,7 @@ - [Limits](#limits) - [Phase 2](#phase-2) - [Enforcement Actions](#enforcement-actions) + - [Audit Events](#audit-events) - [Namespace scoped policy binding](#namespace-scoped-policy-binding) - [CEL Expression Composition](#cel-expression-composition) - [Variables](#variables) 
@@ -1023,26 +1024,125 @@ this enhancement. #### Enforcement Actions -For phase 1, all violations implicitly result in a `deny` enforcement action. +For parity with admission webhooks, a validating policy may also emit audit +annotations and warnings: -For phase 2, we intend to support multiple enforcement actions. +- [Audit + annotations](https://github.com/kubernetes/kubernetes/blob/97bbf07d3f3f20332912ee411fdf75ce84425e28/staging/src/k8s.io/api/admission/v1/types.go#L142) + are key/value pairs included in the audit event for an admission request. The + audit annotation key supplied by the policy definition author will be prefixed + with the name of the `ValidatingAdmissionPolicy` and policy binding, e.g.: + `mypolicy.mygroup.example.com/mybinding.mygroup.example.com/`. +- [Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks) + are string messages that are returned to API clients. Warning are returned for + both requests that are accepted and requests that are rejected. -Use cases: +`ValidatingAdmissionPolicy` may declare audit annotations in the policy +definition. E.g.: -- Cluster admin would like to rollout a policies, sometimes in bulk, without +```yaml +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +... +spec: + ... + validations: + - expression: + auditAnnotations: + - includeWhen: # optional field + key: "my-audit-key" + valueExpression: +``` + +Additionally, `ValidatingAdmissionPolicyBinding` resource may control how +admission is enforced. This is performed using a single field. E.g.: + +```yaml +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicyBinding +... +spec: + enforcement: warn # optional field +``` + +- `deny`: Validation failures result in a denied request. (default beahvior if + field is unset) +- `warn`: Validation failures are reported as warnings to the client. +- `silent`: Validation failures are not reported to clients. 
Audit annotations + for any failed validations are still included in audit events (see + below). +- (To disable audit annotations, delete the binding) + +Systems that need to aggregate validation failures may implement an [audit +webhook +backend](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend). See +below "Audit Events" for details. + +For singleton policies, the enforcement field will be set on the policy definition. + +Metrics will include enforcement so that cluster administrators can monitor the +validation failures of a binding before setting enforcement to `deny`. + +Supported use cases: + +- A policy framework captures enforcement violations during dry run and + aggregates them. (E.g. When in DryRun mode, OPA Gatekeeper aggregates + violations and records them to the status of the constraint resource). + Including validation failures in audit events makes this possible to do + using a audit webhook backend. +- Cluster admin would like to rollout policies, sometimes in bulk, without knowing all the details of the policies. During rollout the cluster admin needs a state where the policies being rolled out cannot result in admission - rejection. + rejection. With the enforcement field on bindings, cluster admins can decide + between `silent` and `warn` as the initial state and then transition through + the states until the binding reaches `deny`, monitoring metrics and audit + events along the way. - A policy framework needs different enforcement actions at different - enforcement points. -- Cluster admin would like to set specific enforcement actions for policy - violations. + enforcement points. Since this API defines the behavior of only the admission + enforcement point, higher level constructs can map to this enforcement point + as needed. + +#### Audit Events + +All audit event keys are prefixed by +`//`. 
-We also intend to support multiple enforcement actions: +At Metadata audit level or higher, when a validating admission binding fails any +validation expression, details are included in the audit annotations +for the audit event under the key `validation_failures`. E.g.: -- Deny -- Audit annotation -- Client warnings +```yaml +# the audit event recorded +{ + "kind": "Event", + "apiVersion": "audit.k8s.io/v1", + "annotations": { + "mypolicy.mygroup.example.com/mybinding.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"deny\"}" + # other annotations + ... + } + # other fields + ... +} +``` + +Also, at Metadata audit level or higher, any audit annotations declared by the policy definition +are included with the key provided. E.g.: + +```yaml +# the audit event recorded +{ + "kind": "Event", + "apiVersion": "audit.k8s.io/v1", + "annotations": { + "mypolicy.mygroup.example.com/mybinding.mygroup.example.com/myauditkey": "my audit value" + # other annotations + ... + } + # other fields + ... +} +``` #### Namespace scoped policy binding From 2edd5fc56699abe8b90a227b35c99fcd36b0b345 Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Tue, 31 Jan 2023 18:17:47 -0500 Subject: [PATCH 2/8] Apply feedback --- .../3488-cel-admission-control/README.md | 113 ++++++++++-------- 1 file changed, 61 insertions(+), 52 deletions(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index 6e19e33ef50..3c18e3c4c36 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md 
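Review bot: in the PATCH 1/8 Enforcement Actions hunk the prose says failures are recorded "under the key `validation_failures`" while the audit event example uses the key `mypolicy.mygroup.example.com/mybinding.mygroup.example.com/validation_failure` (singular); pick one spelling and use it in both places, because an audit webhook backend that aggregates failures will match on the exact annotation key. In the same hunk, the `silent` bullet says failures are "not reported to clients" yet audit annotations are still written and the only way to stop them is to delete the binding, so the name under-describes the behaviour; stating that `silent` suppresses client-visible output only would be clearer. Smaller fixes: "Warning are returned" should be "Warnings are returned", "rollout a policies" should be "roll out policies", and "default beahvior" should be "default behavior".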
@@ -26,6 +26,7 @@ - [Limits](#limits) - [Phase 2](#phase-2) - [Enforcement Actions](#enforcement-actions) + - [Audit Annotations](#audit-annotations) - [Audit Events](#audit-events) - [Namespace scoped policy binding](#namespace-scoped-policy-binding) - [CEL Expression Composition](#cel-expression-composition) @@ -37,7 +38,7 @@ - [Safety Features](#safety-features) - [Aggregated API servers](#aggregated-api-servers) - [CEL function library](#cel-function-library) - - [Audit Annotations](#audit-annotations) + - [Audit Annotations](#audit-annotations-1) - [Client visibility](#client-visibility) - [Metrics](#metrics) - [User Stories](#user-stories) 
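Review bot: the `#audit-annotations-1` anchor in the second TOC hunk of PATCH 2/8 depends on the markdown renderer de-duplicating slugs for two headings that are both titled `Audit Annotations`, which leaves two identically named TOC entries and silently breaks if either heading is moved or renamed. Consider giving one of them a distinct title, for example `Audit Annotations (Phase 2)` for the design section, so both links are stable.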
@@ -1024,66 +1025,36 @@ this enhancement. #### Enforcement Actions -For parity with admission webhooks, a validating policy may also emit audit -annotations and warnings: - -- [Audit - annotations](https://github.com/kubernetes/kubernetes/blob/97bbf07d3f3f20332912ee411fdf75ce84425e28/staging/src/k8s.io/api/admission/v1/types.go#L142) - are key/value pairs included in the audit event for an admission request. The - audit annotation key supplied by the policy definition author will be prefixed - with the name of the `ValidatingAdmissionPolicy` and policy binding, e.g.: - `mypolicy.mygroup.example.com/mybinding.mygroup.example.com/`. -- [Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks) - are string messages that are returned to API clients. Warning are returned for - both requests that are accepted and requests that are rejected. - -`ValidatingAdmissionPolicy` may declare audit annotations in the policy -definition. E.g.: - -```yaml -apiVersion: admissionregistration.k8s.io/v1alpha1 -kind: ValidatingAdmissionPolicy -... -spec: - ... - validations: - - expression: - auditAnnotations: - - includeWhen: # optional field - key: "my-audit-key" - valueExpression: -``` - -Additionally, `ValidatingAdmissionPolicyBinding` resource may control how -admission is enforced. This is performed using a single field. E.g.: +`ValidatingAdmissionPolicyBinding` resources may control how admission is +enforced. This is performed using a single field. E.g.: ```yaml apiVersion: admissionregistration.k8s.io/v1alpha1 kind: ValidatingAdmissionPolicyBinding ... spec: - enforcement: warn # optional field + validationActions: [warn, audit] # optional field ``` +The enum options will be: + - `deny`: Validation failures result in a denied request. (default beahvior if field is unset) -- `warn`: Validation failures are reported as warnings to the client. -- `silent`: Validation failures are not reported to clients. 
Audit annotations - for any failed validations are still included in audit events (see - below). -- (To disable audit annotations, delete the binding) +- `warn`: Validation failures are reported as warnings to the client. (xref: [Admisssion Webhook Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks)) +- `audit`: Validation failures are published as audit events (see below Audit + Annotations section for details). Systems that need to aggregate validation failures may implement an [audit webhook backend](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend). See below "Audit Events" for details. -For singleton policies, the enforcement field will be set on the policy definition. +For singleton policies, the `validationActions` field will be set on the policy definition. -Metrics will include enforcement so that cluster administrators can monitor the -validation failures of a binding before setting enforcement to `deny`. +Metrics will include validation action so that cluster administrators can monitor the +validation failures of a binding before setting `validationActions` to `deny`. -Supported use cases: +This enables the following use cases: - A policy framework captures enforcement violations during dry run and aggregates them. (E.g. When in DryRun mode, OPA Gatekeeper aggregates 
@@ -1094,18 +1065,56 @@ Supported use cases: knowing all the details of the policies. During rollout the cluster admin needs a state where the policies being rolled out cannot result in admission rejection. With the enforcement field on bindings, cluster admins can decide - between `silent` and `warn` as the initial state and then transition through - the states until the binding reaches `deny`, monitoring metrics and audit - events along the way. + which initial actions to enable and then add actions until `deny` is enabled. + The cluster admin may monitoring metrics, warnings and audit events along the + way. - A policy framework needs different enforcement actions at different enforcement points. Since this API defines the behavior of only the admission - enforcement point, higher level constructs can map to this enforcement point - as needed. + enforcement point, higher level constructs can map to the actions of this + enforcement point as needed. + +Future work: + +ValidatingAdmissionPolicy resources might, in the future, add a `warnings` field +adjacent to the `validations` and `auditAnnotations` fields to declare +expressions only ever result in warnings. This would allow +ValidatingAdmissionPolicy authors to declare a expression as non-enforcing +regardless of `validationActions`. + +#### Audit Annotations + +`ValidatingAdmissionPolicy` may declare [Audit + annotations](https://github.com/kubernetes/kubernetes/blob/97bbf07d3f3f20332912ee411fdf75ce84425e28/staging/src/k8s.io/api/admission/v1/types.go#L142) + in the policy definition. E.g.: + +```yaml +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: ValidatingAdmissionPolicy +... +spec: + ... 
+ validations: + - expression: + auditAnnotations: + - key: "my-audit-key" + valueExpression: +``` + +The published annotation key will be of the form `/` and will be validated as a +[QualifiedName](https://github.com/kubernetes/kubernetes/blob/dfa4143086bf504c6c72d5eee8a2210b8ed41b9a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L43). + +The validation rule will be: `len(key) < QualifierName.maxLength - len(policy +name) - 1` to accommodate the `/` audit annotation key format. + +If `valueExpression` returns a string, the audit annotation is published. If +`valueExpression` returns null, the audit annotation is omitted. No other return +types will be supported. #### Audit Events -All audit event keys are prefixed by -`//`. +All audit event keys are prefixed by `/`. At Metadata audit level or higher, when a validating admission binding fails any validation expression, details are included in the audit annotations @@ -1117,7 +1126,7 @@ for the audit event under the key `validation_failures`. E.g.: "kind": "Event", "apiVersion": "audit.k8s.io/v1", "annotations": { - "mypolicy.mygroup.example.com/mybinding.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"deny\"}" + "mypolicy.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"deny\", \"binding\": \"mybinding.mygroup.example.com\"}" # other annotations ... } @@ -1135,7 +1144,7 @@ are included with the key provided. E.g.: "kind": "Event", "apiVersion": "audit.k8s.io/v1", "annotations": { - "mypolicy.mygroup.example.com/mybinding.mygroup.example.com/myauditkey": "my audit value" + "mypolicy.mygroup.example.com/myauditkey": "my audit value" # other annotations ... } From 630dd6266b227ecb9c6d0ff1fd2ca6b727b9291e Mon Sep 17 00:00:00 2001 
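Review bot: in the first Enforcement Actions hunk of PATCH 2/8, `validationActions: [warn, audit]` becomes a list and `deny` is documented as the "default beahvior if field is unset", but the text does not say what happens when the list is set and does not contain `deny` (presumably the request is admitted) or whether an empty list is accepted; one sentence defining the semantics of omitting `deny` would remove that ambiguity, since this field alone decides whether a failing request is rejected. The link text `Admisssion Webhook Warnings` also has a typo.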
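Review bot: in the second hunk of PATCH 2/8 the key length rule is written as `len(key) < QualifierName.maxLength - len(policy name) - 1` while the link immediately above calls the type `QualifiedName`; the identifier should match the linked validation function so implementers apply the right limit. The same hunk reads "The cluster admin may monitoring metrics, warnings and audit events" (should be "may monitor"), "to declare expressions only ever result in warnings" (missing "that"), and "declare a expression" (should be "an expression").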
From: Joe Betz Date: Thu, 2 Feb 2023 17:53:03 -0500 Subject: [PATCH 3/8] Apply feedback --- .../3488-cel-admission-control/README.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index 3c18e3c4c36..cbe113e0208 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -1043,6 +1043,7 @@ The enum options will be: - `warn`: Validation failures are reported as warnings to the client. (xref: [Admisssion Webhook Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks)) - `audit`: Validation failures are published as audit events (see below Audit Annotations section for details). +- `log`: The apiserver handling the admission request logs the validation failure. Systems that need to aggregate validation failures may implement an [audit webhook 
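Review bot: the `log` action added in the PATCH 3/8 hunk says only that "The apiserver handling the admission request logs the validation failure"; apiserver logs are per-instance and, unlike the audit events described in the surrounding text, are not aggregated through an audit backend, so the hunk should state at what log verbosity the failure is written and which fields (policy, binding, expression index, message) are included so that operators can build alerting on it.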
@@ -1075,11 +1076,16 @@ This enables the following use cases: Future work: -ValidatingAdmissionPolicy resources might, in the future, add a `warnings` field -adjacent to the `validations` and `auditAnnotations` fields to declare -expressions only ever result in warnings. This would allow -ValidatingAdmissionPolicy authors to declare a expression as non-enforcing -regardless of `validationActions`. +- ValidatingAdmissionPolicy resources might, in the future, add a `warnings` + field adjacent to the `validations` and `auditAnnotations` fields to declare + expressions only ever result in warnings. This would allow + ValidatingAdmissionPolicy authors to declare a expression as non-enforcing + regardless of `validationActions`. + +- ValidatingAdmissionPolicy resources, might, in the future, offer per-expression + enforcement actions (instead of a separate `warnings` field) and combine these + enforcement actions with the ValidatingAdmissionPolicyBinding enforcement action + to determine the effective enforcement. #### Audit Annotations From 87615fcbaff79d68482e279a420747bf3f7c1cf3 Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Fri, 3 Feb 2023 18:28:28 -0500 Subject: [PATCH 4/8] Apply feedback --- .../3488-cel-admission-control/README.md | 27 ++++++++++++------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index cbe113e0208..c5b6a8b034c 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md 
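Review bot: the second future-work bullet in the PATCH 3/8 hunk proposes combining per-expression enforcement actions with the binding's enforcement action "to determine the effective enforcement" without saying how the two are combined (union, intersection, or binding wins); since the later text settles on intersection, spelling out the intended rule here would avoid the two sections drifting apart. The bullets also still read "to declare expressions only ever result in warnings" and "declare a expression"; suggest "to declare that expressions only ever result in warnings" and "declare an expression".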
@@ -1033,17 +1033,21 @@ apiVersion: admissionregistration.k8s.io/v1alpha1 kind: ValidatingAdmissionPolicyBinding ... spec: - validationActions: [warn, audit] # optional field + validationActions: [Warn, Audit] # required field ``` The enum options will be: -- `deny`: Validation failures result in a denied request. (default beahvior if - field is unset) -- `warn`: Validation failures are reported as warnings to the client. (xref: [Admisssion Webhook Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks)) -- `audit`: Validation failures are published as audit events (see below Audit +- `Deny`: Validation failures result in a denied request. +- `Warn`: Validation failures are reported as warnings to the client. (xref: [Admisssion Webhook Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks)) +- `Audit`: Validation failures are published as audit events (see below Audit Annotations section for details). -- `log`: The apiserver handling the admission request logs the validation failure. +- `Log`: The apiserver handling the admission request logs the validation failure. + +If, in the future, `ValidatingAdmissionPolicy` also introduces enforcement +action fields, this `validationActions` field on +`ValidatingAdmissionPolicyBinding` will specify the "maximum" enforcement (at +most the enforcement will be what `validationActions` specifies). Systems that need to aggregate validation failures may implement an [audit webhook @@ -1053,7 +1057,7 @@ below "Audit Events" for details. For singleton policies, the `validationActions` field will be set on the policy definition. Metrics will include validation action so that cluster administrators can monitor the -validation failures of a binding before setting `validationActions` to `deny`. +validation failures of a binding before setting `validationActions` to `Deny`. This enables the following use cases: 
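Review bot: the first PATCH 4/8 hunk changes `validationActions` to a `# required field` and drops the "default behavior if field is unset" wording from the `Deny` bullet, but does not say how an empty list is handled; because this field alone decides whether a failing request is rejected, API validation should reject an empty list (or the text should define that an empty list means no action) rather than leaving the outcome implicit. The "maximum" enforcement sentence would also benefit from one concrete example, e.g. a binding with `[Warn, Audit]` can never deny even if a future policy-level field asks for it. The `Admisssion Webhook Warnings` link text still carries the typo.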
@@ -1066,7 +1070,7 @@ This enables the following use cases: knowing all the details of the policies. During rollout the cluster admin needs a state where the policies being rolled out cannot result in admission rejection. With the enforcement field on bindings, cluster admins can decide - which initial actions to enable and then add actions until `deny` is enabled. + which initial actions to enable and then add actions until `Deny` is enabled. The cluster admin may monitoring metrics, warnings and audit events along the way. - A policy framework needs different enforcement actions at different @@ -1103,9 +1107,12 @@ spec: - expression: auditAnnotations: - key: "my-audit-key" - valueExpression: + valueExpression: ``` +`auditAnnotations` are independent of `validations`. A `ValidatingAdmissionPolicy` +may contain only `validations`, only `auditAnnotations` or both. + The published annotation key will be of the form `/` and will be validated as a [QualifiedName](https://github.com/kubernetes/kubernetes/blob/dfa4143086bf504c6c72d5eee8a2210b8ed41b9a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L43). @@ -1132,7 +1139,7 @@ for the audit event under the key `validation_failures`. E.g.: "kind": "Event", "apiVersion": "audit.k8s.io/v1", "annotations": { - "mypolicy.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"deny\", \"binding\": \"mybinding.mygroup.example.com\"}" + "mypolicy.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"Deny\", \"binding\": \"mybinding.mygroup.example.com\"}" # other annotations ... } From 49a31f05e19e8c23f7e9967ece166a8bc09a37ae Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Tue, 7 Feb 2023 15:18:28 -0500 Subject: [PATCH 5/8] Apply feedback --- .../3488-cel-admission-control/README.md | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) 
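Review bot: the PATCH 4/8 hunk that adds "`auditAnnotations` are independent of `validations`" should also say when `valueExpression` is evaluated (on every matching request, or only when a validation fails) and what happens when the expression itself errors or exceeds the cost budget, since the following paragraph only covers string and null return values; an evaluation error that silently drops an annotation and one that fails the request are very different outcomes for anyone relying on the audit trail.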
diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index c5b6a8b034c..fc29ade089e 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -1042,19 +1042,19 @@ The enum options will be: - `Warn`: Validation failures are reported as warnings to the client. (xref: [Admisssion Webhook Warnings](https://kubernetes.io/blog/2020/09/03/warnings/#admission-webhooks)) - `Audit`: Validation failures are published as audit events (see below Audit Annotations section for details). -- `Log`: The apiserver handling the admission request logs the validation failure. If, in the future, `ValidatingAdmissionPolicy` also introduces enforcement -action fields, this `validationActions` field on -`ValidatingAdmissionPolicyBinding` will specify the "maximum" enforcement (at -most the enforcement will be what `validationActions` specifies). +action fields, this effective enforcement will be the set intersection of the +the policy enforcement actions and the binding enforcement actions. Systems that need to aggregate validation failures may implement an [audit webhook backend](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#webhook-backend). See below "Audit Events" for details. -For singleton policies, the `validationActions` field will be set on the policy definition. +For singleton policies, since there is no separate binding resource, the +`validationActions` field will be set on the policy definition in the same way +that other binding fields. Metrics will include validation action so that cluster administrators can monitor the validation failures of a binding before setting `validationActions` to `Deny`. 
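Review bot: the PATCH 5/8 hunk replaces the "maximum enforcement" wording with "the set intersection of the the policy enforcement actions and the binding enforcement actions", which has a duplicated "the"; the intersection rule itself is the right call but the hunk should state its consequence explicitly, namely that an action enabled on only one of the two objects is never applied, so a policy cannot escalate beyond what the binding permits. The singleton-policy sentence in the same hunk ends "in the same way that other binding fields." and is missing its verb.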
@@ -1086,10 +1086,12 @@ Future work: ValidatingAdmissionPolicy authors to declare a expression as non-enforcing regardless of `validationActions`. -- ValidatingAdmissionPolicy resources, might, in the future, offer per-expression - enforcement actions (instead of a separate `warnings` field) and combine these - enforcement actions with the ValidatingAdmissionPolicyBinding enforcement action - to determine the effective enforcement. +- ValidatingAdmissionPolicy resources, might, in the future, offer + per-expression enforcement actions (instead of a separate `warnings` field) + and combine these enforcement actions with the + ValidatingAdmissionPolicyBinding enforcement action to determine the effective + enforcement. This would be designed to simplify the workflow required to add + or update expression on an existing ValidatingAdmissionPolicy. #### Audit Annotations @@ -1129,9 +1131,10 @@ types will be supported. All audit event keys are prefixed by `/`. -At Metadata audit level or higher, when a validating admission binding fails any -validation expression, details are included in the audit annotations -for the audit event under the key `validation_failures`. E.g.: +At Metadata audit level or higher, when a validating admission binding fails, +and the binding's `validationActions` includes `Audit`, any validation +expression, details are included in the audit annotations for the audit event +under the key `validation_failures`. E.g.: ```yaml # the audit event recorded 
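Review bot: the Audit Events sentence rewritten in the PATCH 5/8 hunk, "when a validating admission binding fails, and the binding's `validationActions` includes `Audit`, any validation expression, details are included in the audit annotations", no longer parses; suggest "when a request fails any validation expression of a binding whose `validationActions` includes `Audit`, details are included in the audit annotations for the audit event under the key `validation_failures`". The example that follows still uses the singular key `validation_failure`, so the prose and example should be aligned at the same time.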
@@ -1139,7 +1142,7 @@ for the audit event under the key `validation_failures`. E.g.: "kind": "Event", "apiVersion": "audit.k8s.io/v1", "annotations": { - "mypolicy.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"Deny\", \"binding\": \"mybinding.mygroup.example.com\"}" + "ValidatingAdmissionPolicy/mypolicy.mygroup.example.com/validation_failure": "{\"expression\": 1, \"message\": \"x must be greater than y\", \"enforcement\": \"Deny\", \"binding\": \"mybinding.mygroup.example.com\"}" # other annotations ... } @@ -1157,7 +1160,7 @@ are included with the key provided. E.g.: "kind": "Event", "apiVersion": "audit.k8s.io/v1", "annotations": { - "mypolicy.mygroup.example.com/myauditkey": "my audit value" + "ValidatingAdmissionPolicy/mypolicy.mygroup.example.com/myauditkey": "my audit value" # other annotations ... } From 4d8fa0eda2bafd398e59a492ce47c23a07b9e2b4 Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Thu, 9 Feb 2023 09:15:40 -0500 Subject: [PATCH 6/8] Update keps/sig-api-machinery/3488-cel-admission-control/README.md Co-authored-by: Daniel Smith --- keps/sig-api-machinery/3488-cel-admission-control/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index fc29ade089e..e55c2e989f7 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md 
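Review bot: the two audit event example hunks in PATCH 5/8 change the keys to `ValidatingAdmissionPolicy/mypolicy.mygroup.example.com/validation_failure` and `ValidatingAdmissionPolicy/mypolicy.mygroup.example.com/myauditkey`, but the Audit Annotations section says published keys are validated as a `QualifiedName`, and `IsQualifiedName` accepts at most one `/` with a lowercase DNS-subdomain prefix; a key with two slashes and an uppercase `ValidatingAdmissionPolicy` segment would fail that check. Either the key format should be stated as `<policy name>/<key>` with the kind folded into a DNS-style prefix, or the validation claim should be revised to match the example.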
@@ -1044,7 +1044,7 @@ The enum options will be: Annotations section for details). If, in the future, `ValidatingAdmissionPolicy` also introduces enforcement -action fields, this effective enforcement will be the set intersection of the +action fields, this effective enforcement will be the set to the intersection of the the policy enforcement actions and the binding enforcement actions. Systems that need to aggregate validation failures may implement an [audit From 6a221773a19c3993ffd1c0d9e653e17fd6a25cbf Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Thu, 9 Feb 2023 09:15:52 -0500 Subject: [PATCH 7/8] Update keps/sig-api-machinery/3488-cel-admission-control/README.md Co-authored-by: Daniel Smith --- keps/sig-api-machinery/3488-cel-admission-control/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index e55c2e989f7..2ce75690433 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -1054,7 +1054,7 @@ below "Audit Events" for details. For singleton policies, since there is no separate binding resource, the `validationActions` field will be set on the policy definition in the same way -that other binding fields. +that other binding fields are. Metrics will include validation action so that cluster administrators can monitor the validation failures of a binding before setting `validationActions` to `Deny`. From e7fe237dcd5ba66b407a78976237c2ec3823ac55 Mon Sep 17 00:00:00 2001 From: Joe Betz Date: Thu, 9 Feb 2023 09:20:52 -0500 Subject: [PATCH 8/8] Clarify that audit annotations are independent of validationActions --- keps/sig-api-machinery/3488-cel-admission-control/README.md | 3 +++ 1 file changed, 3 insertions(+) 
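Review bot: the PATCH 6/8 one-line change still leaves the sentence ungrammatical: "this effective enforcement will be the set to the intersection of the the policy enforcement actions". Suggest "the effective enforcement will be the intersection of the policy enforcement actions and the binding enforcement actions".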
diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md index 2ce75690433..58a36af6311 100644 --- a/keps/sig-api-machinery/3488-cel-admission-control/README.md +++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md @@ -1115,6 +1115,9 @@ spec: `auditAnnotations` are independent of `validations`. A `ValidatingAdmissionPolicy` may contain only `validations`, only `auditAnnotations` or both. +Auudit annotations are recorded regardless of whether a +ValidatingAdmissionPolicyBinding's `validationActions` include `Audit`. + The published annotation key will be of the form `/` and will be validated as a [QualifiedName](https://github.com/kubernetes/kubernetes/blob/dfa4143086bf504c6c72d5eee8a2210b8ed41b9a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L43).
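Review bot: the PATCH 8/8 hunk says audit annotations are recorded regardless of whether `validationActions` includes `Audit`, which is a useful clarification, but it should add the qualifier from the Audit Events section that this still requires the request to be audited at Metadata level or higher, otherwise readers may expect annotations to appear with no audit policy configured. "Auudit annotations" is a typo for "Audit annotations".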