Closed JaydipGabani closed 4 weeks ago
To-Do list for each policy:

- [ ] Add a `src.cel` file for the policy under `src/pod-security-policy/<name>/`
- [ ] Modify `constraint.tmpl` to add the CEL engine and move the Rego under the Rego engine. The `targets` block becomes (the `strings.Indent` values match its nesting under `spec` in the template):

```yaml
  targets:
    - target: admission.k8s.gatekeeper.sh
      code:
      - engine: K8sNativeValidation
        source:
{{ file.Read "src/pod-security-policy/<name>/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }}
      - engine: Rego
        source:
          rego: |
{{ file.Read "src/pod-security-policy/<name>/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }}
          libs:
            - |
{{ file.Read "src/pod-security-policy/<name>/lib_exempt_container.rego" | strings.Indent 14 | strings.TrimSuffix "\n" }}
```

- [ ] Bump the minor version on `constraint.tmpl` by updating the `metadata.gatekeeper.sh/version` annotation.
- [ ] Run `make generate-all` to generate all relevant files.
- [ ] Run `make verify-gator-dockerized POLICY_ENGINE=cel && make verify-gator-dockerized POLICY_ENGINE=rego` to test the changes locally.
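As an added illustration of what the first checklist item produces (this is example code written for this page, not a `src.cel` from the gatekeeper-library repository), here is a CEL source for a privileged-container check. The policy being a privileged-container check, the optional `exemptImages` parameter, and the violation message are assumptions made for the example. It shows the parts a Rego-to-CEL port has to get right: every container list guarded with `has()` because it may be absent from the object, image exemptions with the same "trailing `*` means prefix match" convention as `lib_exempt_container.rego`, and one `validations` entry whose `messageExpression` reports all offending containers at once.

```yaml
# Added example, not the repository's own src.cel. Assumes the policy is
# a privileged-container check and that the constraint exposes an optional
# `exemptImages` parameter (list of image names, "*" suffix = prefix match).
variables:
# Each container list may be missing from the object, so guard with has().
- name: containers
  expression: 'has(variables.anyObject.spec.containers) ? variables.anyObject.spec.containers : []'
- name: initContainers
  expression: 'has(variables.anyObject.spec.initContainers) ? variables.anyObject.spec.initContainers : []'
- name: ephemeralContainers
  expression: 'has(variables.anyObject.spec.ephemeralContainers) ? variables.anyObject.spec.ephemeralContainers : []'
- name: allContainers
  expression: 'variables.containers + variables.initContainers + variables.ephemeralContainers'
# Exemption handling: entries ending in "*" are prefix matches, others exact.
- name: exemptImagePrefixes
  expression: |
    !has(variables.params.exemptImages) ? [] :
      variables.params.exemptImages.filter(image, image.endsWith("*")).map(image, string(image).replace("*", ""))
- name: exemptImageExplicit
  expression: |
    !has(variables.params.exemptImages) ? [] :
      variables.params.exemptImages.filter(image, !image.endsWith("*"))
- name: exemptImages
  expression: |
    variables.allContainers.filter(container,
      container.image in variables.exemptImageExplicit ||
      variables.exemptImagePrefixes.exists(prefix, string(container.image).startsWith(prefix))
    ).map(container, container.image)
# A container violates only when securityContext.privileged is present and true;
# an absent field must not be treated as a violation (or as an error).
- name: badContainers
  expression: |
    variables.allContainers.filter(container,
      !(container.image in variables.exemptImages) &&
      has(container.securityContext) &&
      has(container.securityContext.privileged) &&
      container.securityContext.privileged == true
    ).map(container, "Privileged container is not allowed: " + container.name)
validations:
- expression: 'size(variables.badContainers) == 0'
  messageExpression: 'variables.badContainers.join("\n")'
```

The file is pulled into `constraint.tmpl` under the `K8sNativeValidation` engine by the `file.Read ... | strings.Indent 10` line from the checklist, so it must be valid YAML on its own with no leading indentation. The CEL and Rego sources have to admit and reject exactly the same inputs; running the verify target once with `POLICY_ENGINE=cel` and once with `POLICY_ENGINE=rego` checks both against the same test cases.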
PSP Policies list to track migration