Closed brandtkeller closed 1 year ago
Looking to learn from https://github.com/accuknox/kubernetes-cel-validator
I would want to separate the resource "get" logic from this to provide a common interface for OPA/CEL, which just means using the library to a greater extent than the GetKubernetesResourcePreconditionResult() function.
As it stands, quite a bit has changed in the Kubernetes APIs for CEL, and using the library referenced above outright incurs some errors because it needs to be pinned to older versions of the library. I would like to evaluate updating the library to see if/how dependencies for current versions could be aligned.
As it stands, CEL has a robust feature set for supporting validation workflows that could make it useful in the auditing/validating domain.
For instance, if we wanted to check that all namespaces (besides excluded ones) had at least 1 PeerAuthentication resource AND that mtls.mode was set to STRICT, we could write a CEL expression similar to:

```cel
// Every in-scope namespace must have at least one PeerAuthentication,
// and every PeerAuthentication in it must require STRICT mTLS.
// Uses CEL's real macro syntax (list.all(x, pred), size(list));
// the kubernetes[namespace][group][resource] data model is illustrative.
namespaces.allResources.all(namespace,
  size(kubernetes[namespace]["security.istio.io"]["peerauthentications"]) > 0 &&
  kubernetes[namespace]["security.istio.io"]["peerauthentications"].all(pa,
    pa.spec.mtls.mode == "STRICT"))
```
CEL ADR has been merged into main as Proposed in #71.
Further investigation is required and following guidelines for provider introduction will be required for further integration.
Closing this as completed.
Evaluation of CEL (Common Expression Language) as a provider in Lula.