search

kubewarden / policy-hub

A place where to find and discover policies
https://hub.kubewarden.io
3 stars 3 forks source link

Make context-aware policies prominent #45

Closed flavio closed 2 years ago

flavio commented 3 years ago

Some policies can be "context-aware", these policies have context-aware key inside of their JSON definition:

{
  "name": "foo",
  "description": "foo descr",
  "homepage": "https://github.com/kubewarden/foo",
  "author": {
    "name": "Kubewarden devs",
    "homepage": "https://github.com/kubewarden"
  },
  "download": {
    "registry": "ghcr.io/kubewarden/policies/foo:v0.1.8",
    "url": "https://github.com/kubewarden/foo/releases/download/v0.1.8/policy.wasm"
  },
  "keywords": [
    "foo"
  ],
  "resources": [
    "bar"
  ],
  "mutation": false,
  "context-aware": true
}

To be done

flavio commented 3 years ago

In terms of icons, looking here, I think these ones are nice:

Context aware policy NOT context aware policy
CloudDownload CloudOff
Sync SyncDisabled
Wifi WifiOff

I sorted them by preference, the cloud one if my favorite

ncounter commented 3 years ago

In terms of icons, looking here, I think these ones are nice: Context aware policy NOT context aware policy CloudDownload CloudOff Sync SyncDisabled Wifi WifiOff

I sorted them by preference, the cloud one if my favorite

What does context-aware flag represent/what is the meaning in this context? By the name itself and the common known meaning I would propose alternatives:

something like the policy has view/knowledge to take decisions depending on the context . What do you think? Otherwise, the cloud one is my favorite too. Btw, the idea would be to place the new icon closed to the mutation one, would it be ok? In case the flag it's true I'd go for a green or blue color, in case it's false I'd go with dark-gray instead.

kkaempf commented 3 years ago

Everything is 'cloud' these days.

I wonder what 'context-aware' tells the policy user ? Why would a user need to know ? How does a user's behavior change with that knowledge ?

flavio commented 3 years ago

context-aware is a term that was coined by OPA, which features also on different k8s books.

The concept is: a context-aware policy has awareness of other resources already defined inside of the cluster. This is opposed to regular policies which have 0 knowledge of what is going on inside of the cluster, they can only see the incoming object to be evaluated.

Proceeding with my stream of thoughts: regular policies can be seen like in "airplane mode", while context-aware ones are "connected" to the network. Thinking more about that, maybe the sync icons are the best fit :man_shrugging:

kkaempf commented 3 years ago

I'm aware of the meaning of "context-aware". :wink: But I'm not sure if a regular user of a policy needs to know if a policy is context-aware or not.

As a user, I'm interested in the semantics of a policy. What does it check ? Which user-settable parameters does it accept ? etc. I'm (probably) not interested in how the policy implements its checks and how the policy collects its data.

ereslibre commented 3 years ago

As a security-focused user, I would say it is good to show this information clearly. Despite Wasm is already a very safe environment, a user might be interested in only installing policies that are not able to fetch any kind of external information, and only take decisions based on the resource it is evaluating.

ncounter commented 2 years ago

JFYI I forgot to update the status here: the UI part is already implemented and published since June. I'm not sure about the template though, but maybe this can be closed or?

ereslibre commented 2 years ago

Thank you @ncounter. I think we can close this issue. We still have to do the last stretch with context-aware policies.

Let's close this and reopen if necessary.