open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Mutation Conditionals - Can you give an example for "value test" using assignIf #1283

Closed sanjaygopinath89 closed 3 years ago

sanjaygopinath89 commented 3 years ago

We are trying to add a new env variable to a deployment based on an annotation value. So we need to use a "value test" to specify the "condition" for adding the env using "Assign".

Any example on mutation with a "value tests" condition?

maxsmythe commented 3 years ago

Is there any chance the annotation could be changed to a label? Then you could use match criteria to conditionally assign:

apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
   name: example
spec:
   applyTo:
      - groups: [""]
        versions: ["v1"]
        kinds: ["Pod"]
   match:
      labelSelector:
         matchLabels:
            "should-mutate": "yes"
   location: "spec.somewhere"
   parameters:
      assign:
         value: "something"

If the switch can't be a label, this may be similar to https://github.com/open-policy-agent/gatekeeper/issues/1274#issuecomment-828883528 where we need to be careful about not providing ways for users to write mutations in such a way that they recurse infinitely and never converge.

Because annotations are metadata, maybe we could treat them specially, just like labels. However, because annotations are unstructured, it's not clear to me how we could reliably match against them.

sanjaygopinath89 commented 3 years ago

@maxsmythe

  1. So currently Gatekeeper mutation doesn't support "match" with "annotation", right? Is there a plan to support it in future?
  2. The below example will add an env variable (currently I am doing it with a label selector to test it); is there a way to update a set of env variables (5 env variables) together with a single policy?

apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
   name: testmy-policy
   namespace: default
spec:
   applyTo:
      - groups: [""]
        kinds: ["Pod"]
        versions: ["v1"]
   match:
      scope: Namespaced
      kinds:
         - apiGroups: [""]
           kinds: ["Pod"]
      labelSelector:
         matchLabels:
            "add_app_env_var": "enable"
      namespaces: ["my-namespace"]
   location: "spec.containers[name:].env[name:NEW_ENV_VAR]"
   parameters:
      assign:
         value:
            name: "NEW_ENV_VAR"
            value: "10"

maxsmythe commented 3 years ago

  1. Likely not, because annotations are schemaless, so there is no way to consistently interpret them. I imagine this is the same reason why you can't use them to select resources in kubectl.
  2. If you are okay with clobbering all environment variables, you can set it at the `spec.containers[name:something].env` level. Otherwise, not currently. It might be useful to have a "meta mutator" that allows setting multiple mutators atomically in the same resource, but that is non-trivial to implement, so probably would come after a mutation GA.
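The two points above (a keyed `env[name:X]` element is added alongside existing entries, while assigning at `.env` replaces the whole list) are easier to see when the location path is applied to a concrete object. The following is an added illustration written for this thread, not Gatekeeper's own mutation code: a small Python model of an Assign mutator that handles only dotted keys, `[key:value]` list selectors with `*` as the wildcard, and `labelSelector.matchLabels` for matching. The sample Pod, the `add_app_env_var` label, the `NEW_ENV_VAR`/`VAR_n` names and the create-if-missing and replace rules are constructed assumptions for the example; the real mutator's semantics are richer.

```python
"""Toy model of how a Gatekeeper Assign `location` path lands on a Pod.
Added illustration for this issue thread, NOT Gatekeeper's code. It supports
dotted keys and `[key:value]` list selectors (`*` = wildcard) and matches
only on labelSelector.matchLabels; selector values may not contain '.'."""
import copy
import re

# One path segment: a map key optionally followed by a [key:value] list selector.
_SEG = re.compile(r'^([A-Za-z0-9_-]+)(?:\[([A-Za-z0-9_-]+):([^\]]+)\])?$')


def parse_location(location):
    """'spec.containers[name:*].env[name:FOO]' ->
    [('spec', None), ('containers', ('name', '*')), ('env', ('name', 'FOO'))]"""
    segments = []
    for raw in location.split('.'):
        m = _SEG.match(raw)
        if not m:
            raise ValueError(f'unsupported path segment {raw!r} in {location!r}')
        key, sel_key, sel_val = m.groups()
        segments.append((key, (sel_key, sel_val) if sel_key else None))
    return segments


def _apply(node, segments, value):
    key, selector = segments[0]
    rest = segments[1:]
    if selector is None:
        if rest:
            _apply(node.setdefault(key, {}), rest, value)
        else:
            # Assigning at a plain key replaces whatever is there. For a list
            # such as `.env` every existing entry is dropped (the "clobber").
            node[key] = copy.deepcopy(value)
        return

    sel_key, sel_val = selector
    items = node.setdefault(key, [])
    if sel_val == '*':
        # Wildcard: act on every existing element, never create one.
        targets = [e for e in items if isinstance(e, dict)]
    else:
        targets = [e for e in items if isinstance(e, dict) and e.get(sel_key) == sel_val]
        if not targets:
            # Keyed selector with no match (assumed semantics for this toy):
            # create the element so the assignment has somewhere to land.
            created = {sel_key: sel_val}
            items.append(created)
            targets = [created]

    for element in targets:
        if rest:
            _apply(element, rest, value)
        else:
            # The replacement must keep the key the path selected it by;
            # otherwise the same mutator would never find it again and would
            # append a fresh element on every pass instead of converging.
            if not isinstance(value, dict) or value.get(sel_key) != element.get(sel_key):
                raise ValueError(f'value must carry {sel_key}={element.get(sel_key)!r}')
            element.clear()
            element.update(copy.deepcopy(value))


def matches(obj, match):
    """Minimal spec.match: only labelSelector.matchLabels is honoured."""
    wanted = match.get('labelSelector', {}).get('matchLabels', {})
    labels = obj.get('metadata', {}).get('labels', {})
    return all(labels.get(k) == v for k, v in wanted.items())


def mutate(obj, mutator):
    """Apply one Assign-like mutator and return a new object; input is untouched."""
    out = copy.deepcopy(obj)
    if matches(obj, mutator.get('match', {})):
        _apply(out, parse_location(mutator['location']), mutator['value'])
    return out


# Constructed sample Pod (not taken from the thread).
POD = {
    'apiVersion': 'v1', 'kind': 'Pod',
    'metadata': {'name': 'demo', 'labels': {'add_app_env_var': 'enable'}},
    'spec': {'containers': [
        {'name': 'app', 'image': 'app:1', 'env': [{'name': 'EXISTING', 'value': 'keep-me'}]},
        {'name': 'sidecar', 'image': 'sidecar:1'},
    ]},
}

# Mirrors the Assign posted above: one env var added to every container.
ADD_ONE = {
    'match': {'labelSelector': {'matchLabels': {'add_app_env_var': 'enable'}}},
    'location': 'spec.containers[name:*].env[name:NEW_ENV_VAR]',
    'value': {'name': 'NEW_ENV_VAR', 'value': '10'},
}

# The "set it at the env level" form: five vars in one mutator, at the cost of
# dropping whatever env the container already had.
FIVE_VARS = [{'name': f'VAR_{i}', 'value': str(i)} for i in range(1, 6)]
SET_ALL = {'match': ADD_ONE['match'], 'location': 'spec.containers[name:*].env', 'value': FIVE_VARS}


def env_names(obj, container):
    c = next(c for c in obj['spec']['containers'] if c['name'] == container)
    return [e['name'] for e in c.get('env', [])]


if __name__ == '__main__':
    once = mutate(POD, ADD_ONE)
    print('add one  :', env_names(once, 'app'), env_names(once, 'sidecar'))
    print('converges:', mutate(once, ADD_ONE) == once)
    print('set all  :', env_names(mutate(POD, SET_ALL), 'app'))
```

Running it shows `app` keeping `EXISTING` and gaining `NEW_ENV_VAR` under the keyed form, a second pass changing nothing (the convergence property the recursion discussion above cares about), and the `.env`-level form leaving `app` with only the five new variables.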
sanjaygopinath89 commented 3 years ago

Thanks @maxsmythe for giving the details.

maxsmythe commented 3 years ago

closing this, feel free to re-open if there is any follow-up needed.