open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Allow wildcards in resource syncing specification #3057

Open skaven81 opened 8 months ago

skaven81 commented 8 months ago

Describe the solution you'd like

In the Gatekeeper config resource, the syncOnly section requires that resources be fully qualified with a group, version and kind. There are types of resources (Gatekeeper Constraints come to mind) where one or more of these values is not known. It is also often the case that multiple versions of resources (such as the various API versions of Ingress resources) are desired to be synced, without needing to explicitly list each one.

Currently, specifying wildcards results in an error:

  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1
    - group: ""
      kind: Pod
      version: v1
->  - group: constraints.gatekeeper.sh
->    kind: '*'
->    version: '*'

{"level":"error","ts":1696895322.1075552,"msg":"Reconciler error","controller":"config-controller","object":{"name":"config","namespace":"cattle-gatekeeper-system"},"namespace":"cattle-gatekeeper-system","name":"config","reconcileID":"03a42281-bd99-48a7-9e28-c1600d29f750","error":"adding watch for constraints.gatekeeper.sh/*, Kind=* getting informer for kind: constraints.gatekeeper.sh/*, Kind=* no matches for kind \"*\" in version \"constraints.gatekeeper.sh/*\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234"}

Environment:

acpana commented 8 months ago

hey @skaven81 thanks for opening this. It sounds like this is a dupe of https://github.com/open-policy-agent/gatekeeper/issues/1664

skaven81 commented 8 months ago

Sort of... #1664 asks to make the version optional. I'd like to see all the fields made optional (though I would understand if Gatekeeper rejected [group: *, version: *, kind: *] as that would likely be a mistake).

But there are absolutely use-cases where I'd want to sync in all resources of a given API group, or maybe all resources that have the same kind (even if they're in different API groups, such as the different iterations of Ingress a while back).

So I'd say my request is a superset of #1664, not a dupe.

stale[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

skaven81 commented 6 months ago

Bumping as this is not stale

stale[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

skaven81 commented 4 months ago

Bumping as not stale

maxsmythe commented 4 months ago

@skaven81 does the comment in https://github.com/open-policy-agent/gatekeeper/issues/1664#issuecomment-1524089910 address the pain point you're seeing?

Basically, if there was some way to suss out what resources constraint templates require and sync those (and only those) would that moot the issue?

skaven81 commented 4 months ago

Yes, I think that sums it up ... mostly. The "durability over upgrades" is of course one of the issues. But that only addresses the apiVersion part. The group is also important to have wildcard flexibility (arguably for the same reason). The Ingress resource changed groups mid-stream from extensions.k8s.io to networking.k8s.io, and so when that change happened, I would have needed to update the Config to ensure Ingresses kept syncing. In some cases, at the cluster admin's discretion, it should be possible to tell Gatekeeper to sync all resources that match a given kind, or ALL the kinds in a given group.

I just want that flexibility and to not be tied into an arbitrary model of GVK specifications when ultimately all we're doing with syncOnly is composing a list. And it's frustrating to not have tools like wildcards available for all the fields when building a list like this.
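One way the wildcard syncOnly entries requested in this thread could be handled without ever handing a literal "*" to the informer layer (the cause of the error in the report), shown as an added Go example that is not Gatekeeper's own code: each pattern is expanded against the GVKs the API server actually serves before any watch is registered, and the all-wildcard entry is rejected as suggested above. SyncPattern, ServedGVKs (a constructed stand-in for discovery output) and Expand are hypothetical names, not Gatekeeper APIs.

```go
package main

import "errors"

// GVK is a fully qualified group/version/kind; an empty group is the core API group.
type GVK struct{ Group, Version, Kind string }

// SyncPattern is a hypothetical syncOnly entry in which any field may be "*".
type SyncPattern GVK

// ServedGVKs is a constructed stand-in for API server discovery output.
var ServedGVKs = []GVK{
	{"", "v1", "Namespace"},
	{"", "v1", "Pod"},
	{"extensions", "v1beta1", "Ingress"},
	{"networking.k8s.io", "v1", "Ingress"},
	{"constraints.gatekeeper.sh", "v1beta1", "K8sRequiredLabels"},
}

// Validate refuses the all-wildcard entry (it would cache every object in the cluster).
func (p SyncPattern) Validate() error {
	if p.Group == "*" && p.Version == "*" && p.Kind == "*" {
		return errors.New(`syncOnly: group, version and kind may not all be "*"`)
	}
	return nil
}

func match(pattern, value string) bool { return pattern == "*" || pattern == value }
// Matches reports whether the pattern selects a served GVK.
func (p SyncPattern) Matches(g GVK) bool {
	return match(p.Group, g.Group) && match(p.Version, g.Version) && match(p.Kind, g.Kind)
}

// Expand resolves patterns to concrete, de-duplicated GVKs before any watch is registered.
func Expand(patterns []SyncPattern, served []GVK) ([]GVK, error) {
	seen := map[GVK]bool{}
	var out []GVK
	for _, p := range patterns {
		if err := p.Validate(); err != nil {
			return nil, err
		}
		for _, g := range served {
			if p.Matches(g) && !seen[g] {
				seen[g] = true
				out = append(out, g)
			}
		}
	}
	return out, nil
}
```

Because expansion happens against discovery output, a group rename such as extensions to networking.k8s.io for Ingress is picked up by a kind-only pattern without editing the Config.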

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

skaven81 commented 2 months ago

Not stale

stale[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

wrdls commented 1 week ago

Not stale