From 35a3ea298e8ed0863235c52dbdef73a730aece43 Mon Sep 17 00:00:00 2001
From: Fabrizio Sestito
Date: Tue, 18 Jun 2024 12:45:24 +0200
Subject: [PATCH] docs: add context-aware example
Signed-off-by: Fabrizio Sestito
---
 rfc/0020-policy-group.md | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md
index 3aa2767..0ffe022 100644
--- a/rfc/0020-policy-group.md
+++ b/rfc/0020-policy-group.md
@@ -57,7 +57,7 @@ spec:
 operations:
 - CREATE
 - UPDATE
- 
+ backgroundAudit: true
 policies:
 - name: sigstore_pgp
 module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
@@ -84,6 +84,40 @@ spec:
 message: "The policy group is rejected."
 ```
+### Audit
+
+Similar to the `AdmissionPolicy` and `ClusterAdmissionPolicy` CRDs, the `backgroundAudit` field will be used to specify if the policy group should be used or skipped when performing audit checks.
+
+### Context-aware rules
+
+The `AdmissionPolicyGroup` and `ClusterAdmissionPolicyGroup` CRDs support context-aware capabilities.
+The CRD will have [contextAwareResource](https://docs.kubewarden.io/reference/CRDs#contextawareresource) field to specify the resources tha the policy group si allowed to access at evaluation time.
+Note that the `contextAwareResource` field will be global for the policy group and will not be specified for each policy in the group.
+
+Example:
+
+````yaml
+apiVersion: policies.kubewarden.io/v1
+kind: ClusterAdmissionPolicyGroup # or AdmissionPolicyGroup
+metadata:
+ name: context-aware-group
+spec:
+ rules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ operations:
+ - CREATE
+ - UPDATE
+ policies:
+ # policies here
+ contextAwareResource:
+ - apiVersion: "v1"
+ kind: "Pod"
+ expression: "policy_1() && policy_2()"
+ message: "The policy group is rejected."
+```
+
 ### Expression language
 We will use [CEL](https://github.com/google/cel-go) as the expression language for the policy groups.
@@ -116,7 +150,7 @@ This is an example of the response that will be returned when the policy group i
 ]
 }
 }
-```
+````
 ### Reconciliation