kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Validate PolicyGroup members name #876

Closed fabriziosestito closed 1 month ago

fabriziosestito commented 1 month ago

Is your feature request related to a problem?

Policy group members will be bound to functions with the same name when evaluating a CEL expression. Therefore, policy members' names should follow the same validation rules as CEL names.

Solution you'd like

Add a validation step to validate policy member names.

Alternatives you've considered

No response

Anything else?

No response

fabriziosestito commented 1 month ago

@jvanz this could be helpful: https://github.com/kubewarden/cel-policy/pull/83#discussion_r1751393241

jvanz commented 1 month ago

@jvanz this could be helpful: kubewarden/cel-policy#83 (comment)

Thanks! I was reading the code. It's a good starting point. However, I think we cannot use that regex because it's meant to escape the CEL expressions, not to check if it's a valid identifier. For example, that regex is used to identify the dot in expressions like a.b. Therefore, if we use it, we will allow policy names with dots, which is not supported. Consequently, I've written another regex based on the policy definition. Additionally, I've decided to use a set to store the keywords reserved by the CEL policy because it matches the policy syntax.
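
The kind of check discussed in this thread, sketched in Go as an added example (not the controller's actual code and not written by the commenters): an anchored identifier regex plus a set of reserved words, both taken from the IDENT and RESERVED productions of the CEL language definition. The helper name `validateMemberNames` and the sample member names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// celIdent mirrors the CEL IDENT production. Both ends are anchored, so
// dots, dashes, spaces and trailing newlines are rejected.
var celIdent = regexp.MustCompile(`^[_a-zA-Z][_a-zA-Z0-9]*$`)

// celReserved is the set of words the CEL grammar excludes from IDENT.
var celReserved = map[string]struct{}{
	"true": {}, "false": {}, "null": {}, "in": {},
	"as": {}, "break": {}, "const": {}, "continue": {}, "else": {},
	"for": {}, "function": {}, "if": {}, "import": {}, "let": {},
	"loop": {}, "package": {}, "namespace": {}, "return": {},
	"var": {}, "void": {}, "while": {},
}

// validateMemberNames (hypothetical helper) returns one error per
// invalid name, in input order.
func validateMemberNames(names []string) []error {
	var errs []error
	for _, n := range names {
		if _, reserved := celReserved[n]; reserved {
			errs = append(errs, fmt.Errorf("member %q: reserved CEL word", n))
		} else if !celIdent.MatchString(n) {
			errs = append(errs, fmt.Errorf("member %q: not a valid CEL identifier", n))
		}
	}
	return errs
}

func main() {
	// Constructed sample member names.
	names := []string{"signed_by_alice", "a.b", "in", "no-dash", "_ok2"}
	for _, err := range validateMemberNames(names) {
		fmt.Println(err)
	}
}
```

The reserved-word lookup runs before the regex because every reserved word also matches the identifier pattern; the set is what keeps a member called `in` or `true` from being accepted.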