kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Write a policy to validate environment variable. #313

Closed flavio closed 2 years ago

flavio commented 2 years ago

Write a Kubewarden policy to validate environment variables. The policy should be able to reject resources that have, or do not have, some environment variable, as well as validate whether the variables have certain values.

jvanz commented 2 years ago

Let me share the initial README version for review:


environment-variable-policy

The environment-variable-policy can be used to inspect environment variables defined in the resources deployed in the cluster. It is able to validate both variable names and values. The policy allows users to define multiple validation rules. And the resource should pass all the rules to be allowed in the cluster.

Settings

Each rule defined in the policy settings is composed of an operator and a set of environment variables that are matched, using that operator, against the environment variables of the resource. The rules are evaluated in the order in which they are defined. The resource is denied at the first rule that fails. The following YAML is a settings example:

settings:
  rules:
    - operator: AnyIn
      environmentVariables:
        - name: "envvar1"
          value: "envvar1_value"
        - name: "envvar2"
          value: "envvar2_value"

The supported operators are:

The environment variables are defined as objects:

- name: "variable name"
  value: "variable value"

The name should follow the C_IDENTIFIER standard and the value field is optional. When it is not defined, the "" value is used by default.

It is not allowed to define a rule with an empty environmentVariables list.

Examples

In the following example, the resources that do not have at least one of the variables will be denied:

settings:
  rules:
    - operator: AnyIn
      environmentVariables:
        - name: "envvar1"
        - name: "envvar2"

In the following example, the resources that do not have the envvar2 defined will be denied:

settings:
  rules:
    - operator: AllIn
      environmentVariables:
        - name: "envvar2"
          value: ""

In the following example, the resources that have the envvar3 or envvar2 defined will be denied:

settings:
  rules:
    - operator: AnyNotIn
      environmentVariables:
        - name: "envvar2"
          value: "envvar2_value"
        - name: "envvar3"

In the following example, the resources that have both envvar3 and envvar4 defined will be denied:

settings:
  rules:
    - operator: AllNotIn
      environmentVariables:
        - name: "envvar3"
          value: "envvar3_value"
        - name: "envvar4"
          value: "envvar4_value"
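To make the rule semantics in the README draft concrete, here is an added, stand-alone Go example written for this page; it is not the environment-variable-policy's own code. It parses a settings object shaped like the YAML above (as JSON, which is what a Kubewarden policy receives), validates it (known operator, non-empty environmentVariables list, C_IDENTIFIER names) and evaluates the rules in order against each container's environment, denying at the first failing rule. The operator set (AnyIn, AllIn, AnyNotIn, AllNotIn) is taken from the README's examples because the operator list itself is not on the page, and the treatment of an empty value as "match by name only" is an assumption, as is checking each container independently; the settings, pod containers and function names (ParseSettings, Admit, Evaluate) are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// EnvVar mirrors the README's environment variable object; Value is optional.
type EnvVar struct {
	Name  string `json:"name"`
	Value string `json:"value,omitempty"`
}

// Rule pairs an operator with the variables matched against a container.
type Rule struct {
	Operator             string   `json:"operator"`
	EnvironmentVariables []EnvVar `json:"environmentVariables"`
}

// Settings is the policy settings object (the "settings:" key in the README).
type Settings struct {
	Rules []Rule `json:"rules"`
}

// Operators known to this example, taken from the README's examples.
var operators = map[string]bool{"AnyIn": true, "AllIn": true, "AnyNotIn": true, "AllNotIn": true}

// cIdentifier approximates the C_IDENTIFIER rule the README requires for names.
var cIdentifier = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ParseSettings decodes JSON settings and rejects malformed rules up front, so a
// misspelled operator fails at settings validation rather than at admission time.
func ParseSettings(raw []byte) (Settings, error) {
	var s Settings
	if err := json.Unmarshal(raw, &s); err != nil {
		return s, err
	}
	for i, r := range s.Rules {
		if !operators[r.Operator] {
			return s, fmt.Errorf("rule %d: unknown operator %q", i, r.Operator)
		}
		if len(r.EnvironmentVariables) == 0 {
			return s, fmt.Errorf("rule %d: environmentVariables must not be empty", i)
		}
		for _, ev := range r.EnvironmentVariables {
			if !cIdentifier.MatchString(ev.Name) {
				return s, fmt.Errorf("rule %d: %q is not a C_IDENTIFIER", i, ev.Name)
			}
		}
	}
	return s, nil
}

// matches reports whether env defines ev.Name. Assumption: an empty expected
// value (the default) matches any value, i.e. the check is by name only.
func matches(env map[string]string, ev EnvVar) bool {
	got, ok := env[ev.Name]
	return ok && (ev.Value == "" || got == ev.Value)
}

// Evaluate applies one rule to one container's environment and reports whether
// the container passes it.
func (r Rule) Evaluate(env map[string]string) bool {
	found := 0
	for _, ev := range r.EnvironmentVariables {
		if matches(env, ev) {
			found++
		}
	}
	total := len(r.EnvironmentVariables)
	switch r.Operator {
	case "AnyIn": // at least one listed variable is present
		return found > 0
	case "AllIn": // every listed variable is present
		return found == total
	case "AnyNotIn": // none of the listed variables is present
		return found == 0
	case "AllNotIn": // the listed variables are not all present together
		return found < total
	}
	return false
}

// Admit runs the rules in order over every container (name -> env list) and
// returns the first failure, matching "denied at the first failed rule".
func (s Settings) Admit(containers map[string][]EnvVar) error {
	for i, r := range s.Rules {
		for name, vars := range containers {
			env := make(map[string]string, len(vars))
			for _, v := range vars {
				env[v.Name] = v.Value
			}
			if !r.Evaluate(env) {
				return fmt.Errorf("container %q rejected by rule %d (%s)", name, i, r.Operator)
			}
		}
	}
	return nil
}

func main() {
	// Constructed settings: the README's AnyIn example plus its AllNotIn example.
	raw := []byte(`{"rules":[
	  {"operator":"AnyIn","environmentVariables":[{"name":"envvar1"},{"name":"envvar2"}]},
	  {"operator":"AllNotIn","environmentVariables":[{"name":"envvar3","value":"envvar3_value"},{"name":"envvar4","value":"envvar4_value"}]}]}`)
	s, err := ParseSettings(raw)
	if err != nil {
		panic(err)
	}
	// Constructed pod containers, not a real cluster object: "sidecar" carries
	// both envvar3 and envvar4 with the listed values, so the AllNotIn rule denies it.
	pod := map[string][]EnvVar{
		"app":     {{Name: "envvar1", Value: "x"}},
		"sidecar": {{Name: "envvar2", Value: "y"}, {Name: "envvar3", Value: "envvar3_value"}, {Name: "envvar4", Value: "envvar4_value"}},
	}
	fmt.Println(s.Admit(pod))
}
```

Validating the settings separately from evaluating them is the part worth keeping: an admission policy that silently accepts an unknown operator or an empty variable list fails open, so the settings check is where the README's "not allowed" constraints have to be enforced.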

jvanz commented 2 years ago

@kubewarden/kubewarden-developers, I still need to write the docs about env vars from ConfigMaps. But I think you can start reviewing it for the basic info.

FYI: I've already started to write the policy.

flavio commented 2 years ago

And the resource should pass all the rules to be allowed in the cluster.

I would write:

And the resource must pass all the rules to be allowed in the cluster.

But I'm not a native speaker

flavio commented 2 years ago

Go ahead with the implementation phase, I have some other fixes for the README, but I'll comment on the PR