open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Enable Gatekeeper Rego Packages to be Imported From Outside of Template #3558

Open bravurasteve opened 2 months ago

bravurasteve commented 2 months ago

Describe the solution you'd like:

Similar to how templates can import a library package defined within the template, allow the template to import a rego package defined outside the template.

e.g. common.rego:

package k8scommonaccess

# true when any of the requesting user's groups is in the constraint's approved_groups parameter
in_approved_group {
   input.review.userInfo.groups[_] == input.parameters.approved_groups[_]
}

Anything else you would like to add:

As more and more templates are created, having to copy/paste the same common rego functions over and over becomes a maintenance nightmare; when/if the common function needs to be modified, having to make the changes in a single rego package file is highly desired over having to make it in multiple template files.

Environment:

maxsmythe commented 1 month ago

I'd suggest creating a pipeline that bakes the shared code into templates, similar to static linking when building a binary. That way shared code does not become a human maintenance burden. Using the libs keyword you cite should make this a fairly trivial pipeline to build.

See the below comment for why dynamically linking code from outside the template at runtime is operationally fraught:

https://github.com/open-policy-agent/gatekeeper/issues/1204#issuecomment-812277798
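The "static linking" pipeline suggested above, as an added example rather than anything from the Gatekeeper project: it takes a ConstraintTemplate (as JSON, which kubectl accepts in place of YAML) and appends shared Rego sources to each target's `libs`, refusing libraries without a package declaration and skipping packages already linked so the step is idempotent. The sample template, the `lib.`-prefixed package name (assumed to be what Gatekeeper requires for `libs`) and the `k8sapprovedgroups` names are constructed for the example.

```python
import json
import re

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*$", re.MULTILINE)

# Constructed sample: the issue's common.rego under the "lib." prefix (assumed Gatekeeper requirement).
COMMON_REGO = """package lib.k8scommonaccess

in_approved_group {
  input.review.userInfo.groups[_] == input.parameters.approved_groups[_]
}
"""

# Constructed sample ConstraintTemplate as JSON (kubectl accepts JSON wherever it accepts YAML).
TEMPLATE = {
    "apiVersion": "templates.gatekeeper.sh/v1",
    "kind": "ConstraintTemplate",
    "metadata": {"name": "k8sapprovedgroups"},
    "spec": {"targets": [{
        "target": "admission.k8s.gatekeeper.sh",
        "rego": "package k8sapprovedgroups\nimport data.lib.k8scommonaccess\n"
                "violation[{\"msg\": msg}] {\n  not k8scommonaccess.in_approved_group\n"
                "  msg := \"user is not in an approved group\"\n}\n",
    }]},
}

def package_name(rego: str) -> str:
    m = PACKAGE_RE.search(rego)
    if not m:
        raise ValueError("Rego source has no package declaration")
    return m.group(1)

def bake_libs(template: dict, libs: list) -> dict:
    """Copy the template and append each library to every target's `libs`,
    skipping packages already linked so a rerun of the pipeline is a no-op."""
    baked = json.loads(json.dumps(template))  # deep copy; the input stays untouched
    for target in baked["spec"]["targets"]:
        linked = target.setdefault("libs", [])
        seen = {package_name(src) for src in linked}
        for src in libs:
            name = package_name(src)
            if not name.startswith("lib."):
                raise ValueError(f"library package {name!r} must start with 'lib.'")
            if name not in seen:
                linked.append(src)
                seen.add(name)
    return baked

if __name__ == "__main__":
    print(json.dumps(bake_libs(TEMPLATE, [COMMON_REGO]), indent=2))
```

Because the shared code is inlined into the template before it is applied, the resulting manifest can still be tested locally with the same tooling as any hand-written template.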

bravurasteve commented 1 month ago

The problem w/ the pipeline approach is the dependency upon a pipeline which means no way to run/test via command line. Also, I wouldn't characterize the concept of reusable libraries as being dynamically linked since many other languages support the concept and statically link; e.g. Golang, Rust, etc.