Feature Request: validate resources targeted by AdmissionPolicy #454

Open
flavio opened this issue May 25, 2023 · 0 comments

flavio commented May 25, 2023

Is your feature request related to a problem?

An AdmissionPolicy can only listen for events happening inside a specific Namespace, the one where it is deployed.

It does not make sense to deploy an AdmissionPolicy that watches cluster-wide resources (like Namespace, PersistentVolume, ...) since the policy will never be triggered.

Solution you'd like

The controller also provides an admission webhook that validates our own CRDs. We should implement a new validation for the AdmissionPolicy that rejects policies that are targeting cluster-wide resources.

The information about whether a Kubernetes resource is cluster-wide or namespaced can be obtained by querying the Kubernetes API.

Alternatives you've considered

No response

Anything else?

Kinda related with kubewarden/kwctl#503
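
A sketch of the check requested above, added here as an illustration and not taken from the kubewarden-controller code base. The `Rule` and `Discovered` types are hypothetical, and the resource list is constructed sample data standing in for what Kubernetes API discovery returns (its `namespaced` field per resource).

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors the apiGroups/apiVersions/resources fields of a policy rule (assumed shape).
type Rule struct{ APIGroups, APIVersions, Resources []string }

// Discovered is one resource as API discovery reports it; Namespaced is the
// `namespaced` field of an APIResource. The data used in main is constructed.
type Discovered struct {
	Group, Version, Resource string
	Namespaced               bool
}

func matches(patterns []string, v string) bool {
	for _, p := range patterns {
		if p == "*" || p == v {
			return true
		}
	}
	return false
}

// ClusterWideTargets lists rule resources that resolve to cluster-wide kinds.
// A bare "*" is skipped because it also covers namespaced resources (a choice
// made for this example); "namespaces/status" is judged by its parent resource.
func ClusterWideTargets(rules []Rule, known []Discovered) []string {
	var hits []string
	for _, r := range rules {
		for _, res := range r.Resources {
			base := strings.SplitN(res, "/", 2)[0]
			if base == "*" {
				continue
			}
			for _, d := range known {
				if !d.Namespaced && d.Resource == base &&
					matches(r.APIGroups, d.Group) && matches(r.APIVersions, d.Version) {
					hits = append(hits, d.Group+"/"+d.Version+"/"+res)
				}
			}
		}
	}
	return hits
}

func main() {
	known := []Discovered{{"", "v1", "pods", true}, {"", "v1", "namespaces", false}}
	rules := []Rule{{[]string{""}, []string{"v1"}, []string{"pods", "namespaces/status"}}}
	fmt.Println(ClusterWideTargets(rules, known)) // a non-empty result means: reject the policy
}
```
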
