RFC: how to make Pod specific policies work against higher-order resources #23

flavio · 2023-08-07T12:30:34Z

Many policies target the Pod resource, however, creating this resource in a direct way is considered a Kubernetes anti-pattern. Most of the time, Pod resources are created by higher-order resources like Deployment, DaemonSet, CronJob, ReplicaSet,...

Currently, our SDKs provide APIs that allow the policy author to make his policy work also against the most common Kubernetes resources that have Pod objects specified inside of them.
However, this is extra work that has to be done on a per-policy basis.

On the other hand, Kyverno has the concept of auto-gen rules which makes the whole process simpler.

It would be useful to create a RFC that describes how we could create a Kubewarden feature similar to the auto-gen rules of Kyverno.

flavio · 2023-08-07T12:31:58Z

@adnanhashmi09 is interested in working on this RFC

flavio changed the title ~~RFC: how to make Pod specific policies work against high order resources~~ RFC: how to make Pod specific policies work against higher-order resources Aug 7, 2023

flavio mentioned this issue Aug 7, 2023

Update some of our policies that are targeting Pod, to make them process higher level objects kubewarden/kubewarden-controller#282

Open

19 tasks

adnanhashmi09 mentioned this issue Aug 7, 2023

Update policy volumes-psp-policy to target high level resources kubewarden/volumes-psp-policy#11

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RFC: how to make Pod specific policies work against higher-order resources #23

RFC: how to make Pod specific policies work against higher-order resources #23

flavio commented Aug 7, 2023

flavio commented Aug 7, 2023

RFC: how to make Pod specific policies work against higher-order resources #23

RFC: how to make Pod specific policies work against higher-order resources #23

Comments

flavio commented Aug 7, 2023

flavio commented Aug 7, 2023