Closed flavio closed 2 years ago
Let me share the initial README version for review:
The environment-variable-policy can be used to inspect environment variables defined in the resources deployed in the cluster. It's able to validate both variables names and values. The policy allows the users define multiple validation rules. And the resource should pass all the rules to be allowed in the cluster.
Each rule defined in the policy settings is composed by a set operator and set of the environment variable used with the operator against the environment variables from the resources. The rules are evaluated in the order that they are defined. The resource is denied in the first failed evaluated rule. The following yaml is a settings example:
settings:
rules:
- operator: AnyIn
environmentVariables:
- name: "envvar1"
value: "envvar1_value"
- name: "envvar2"
value: "envvar2_value"
The supported operators are:
AnyIn
: at least one of the rules from the rule should be defined in the resourceAllIn
: all the environment variables in the rule should be defined in the resourceAnyNotIn
: the opposite of the AnyIn
. Therefore, if at least one variable from the rule is defined in the resource. It is denied.AllNotIn
: the opposite of the AllIn
. Thus, if all variables from the rule is defined in the resource. It is denied.The environment variables are defined as objects:
- name: "variable name"
value: "variable value"
The name should follow the C_IDENTIFIER standard and the value
field is optional. When it is not define the ""
value is used by default.
It is not allowed define a rule with an empty environmentVariables
list.
In the following example, the resources that do not have least one of the variables will be denied:
settings:
rules:
- operator: AnyIn
environmentVariables:
- name: "envvar1"
- name: "envvar2"
In the following example, the resources that do not have the envvar2
defined will be denied:
settings:
rules:
- operator: AllIn
environmentVariables:
- name: "envvar2"
value: ""
In the following example, the resources that have the envvar3
or envvar2
defined will be denied:
settings:
rules:
- operator: AnytNotIn
environmentVariables:
- name: "envvar2"
value: "envvar2_value"
- name: "envvar3"
In the following example, the resources that have all the envvar3
and envvar4
defined will be denied:
settings:
rules:
- operator: AllNotIn
environmentVariables:
- name: "envvar3"
value: "envvar3_value"
- name: "envvar4"
value: "envvar4_value"
@kubewarden/kubewarden-developers, I still need to write the docs about envvar from configmaps. But I think you can start review it for the basic info.
FYI: I've already started to write the policy.
And the resource should pass all the rules to be allowed in the cluster.
I would write:
And the resource must pass all the rules to be allowed in the cluster.
But I'm not a native speaker
Go ahead with the implementation phase, I have some other fixes for the README, but I'll comment on the PR
Write a Kubewarden policy to validate the environment variables. The policy should be able to reject resources that has or not a some environment variable as well as validate if the variables have some values.