From 66cedd218c74aa09424239aa6c6d2e8a31c6015d Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Thu, 13 Jun 2024 10:17:55 +0200 Subject: [PATCH 01/14] docs(rfc): add group policies RFC Signed-off-by: Fabrizio Sestito --- rfc/0020-group-policies.md | 263 +++++++++++++++++++++++++++++++++++++ 1 file changed, 263 insertions(+) create mode 100644 rfc/0020-group-policies.md diff --git a/rfc/0020-group-policies.md b/rfc/0020-group-policies.md new file mode 100644 index 0000000..df6a8e6 --- /dev/null +++ b/rfc/0020-group-policies.md @@ -0,0 +1,263 @@ +| | | +| :----------- | :------------------------------ | +| Feature Name | Group policies | +| Start Date | Jun 12 2024 | +| Category | feature | +| RFC PR | [fill this in after opening PR] | +| State | **ACCEPTED** | + +# Summary + +A "group policy" is a policy that is composed of other policies. +The policies that are part of a group are evaluated using a boolean expression. +The group policy will not support mutations. + +# Motivation + +[motivation]: #motivation + +The motivation for this feature is to enable users to create complex policies by combining simpler ones. This allows users to avoid the need to create custom policies from scratch and instead leverage existing policies. +This reduces the need to duplicate policy logic across different policies, increases reusability, removes the cognitive load of managing complex policy logic, +and enables the creation of custom policies using a DSL-like configuration. + +## Examples / User Stories + +[examples]: #examples + +- As a user, I want to create a policy that is composed of other policies and is evaluated using a boolean expression. + +# Detailed design + +[design]: #detailed-design + +## Controller and CRDs + +This RFC proposes to add two new CRDs to the Kubewarden controller: + +- `GroupAdmissionPolicy` +- `GroupClusterAdmissionPolicy` + +The CRDs will share most of the fields with the `AdmissionPolicy` and `ClusterAdmissionPolicy` CRDs, respectively. +The main difference is that the `GroupAdmissionPolicy` and `GroupClusterAdmissionPolicy` CRDs will have a list of policies. +Also, the `GroupAdmissionPolicy` and `GroupClusterAdmissionPolicy` CRDs will have a field to specify the boolean expression that will be used to evaluate the policies +and a `message` field to specify the message that will be returned when the group policy is rejected. + +## Example CRD + +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: ClusterAdmissionPolicyGroup # or AdmissionPolicyGroup +metadata: + name: pod-image-signatures +spec: + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: + - CREATE + - UPDATE + policies: + - name: sigstore_pgp + module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 + settings: + signatures: + - image: "*" + pubKeys: + - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" + - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" + - name: sigstore_gh_action + module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 + settings: + signatures: + - image: "*" + githubActions: + owner: "kubewarden" + - name: reject_latest_tag + module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12 + settings: + tags: + reject: + - latest + expression: "sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag())" + message: "The group policy is rejected." +``` + +### Expression language + +We will use [CEL](https://github.com/google/cel-go) as the expression language for the group policies. +The main reason for this choice is that CEL is used by the [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) and [matchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) in Kubernetes. + +Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. +The expression field should be a valid CEL expression that evaluates to a boolean value and it will be validated by the Kubewarden controller's webhook. +If the expression evaluates to `true`, the group policy will be considered as `accepted`, otherwise, it will be considered as `rejected`. + +### Message + +The message field will be used to specify the message that will be returned when the group policy is rejected. +The specific policy results will be returned in the `warning` field of the response. + +This is an example of the response that will be returned when the group policy is rejected: + +```json +{ + "apiVersion": "admission.k8s.io/v1", + "kind": "AdmissionReview", + "response": { + "uid": "", + "allowed": false, + "warning": [ + "sigstore_pgp was rejected: the image signature is not valid", + "sigstore_gh_action was accepted", + "latest_tag was rejected: the image tag latest is not allowed" + ] + } +} +``` + +### Reconciliation + +The new CRDs will be reconciled by the Kubewarden controller. +The reconciliation flow is similar to the one used for the `AdmissionPolicy` and `ClusterAdmissionPolicy` resources: + +- when a new `GroupAdmissionPolicy` or `GroupClusterAdmissionPolicy` is created or updated the reconciler changes the configuration of the policy server to include the created/updated policy group +- the reconciler rolls out the policy server deployment +- the reconciler creates or updates the ValidatingWebhookConfiguration pointing to the policy server `validate` endpoint of the policy group + +### Match Conditions + +An interesting use case is to use the group policies in combination with the [matchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) feature. + +By combining the group policies with `matchConditions`, it could be possible to create complex policies that are evaluated only for specific requests. +For instance, it could be possible to build a policy that is evaluated only for requests that match a specific label selector. + +This RFC does not include any modifications to the policy CRDs to accommodate `matchConditions`, as it falls outside the scope of this proposal. + +## Policy server + +The policy settings will be extended to include group policies alongside single policies. + +```yaml +psp-apparmor: # single policy + url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7 + +psp-capabilities: # single policy + url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7 + allowedToMutate: true + settings: + allowed_capabilities: ["*"] + required_drop_capabilities: ["KILL"] + +pod-image-singatures: # group policy + policies: + - name: sigstore_pgp + module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 + settings: + signatures: + - image: "*" + pubKeys: + - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" + - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----" + - name: sigstore_gh_action + module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 + settings: + signatures: + - image: "*" + githubActions: + owner: "kubewarden" + - name: reject_latest_tag + module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12 + settings: + tags: + reject: + - latest + expression: "sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag())" + message: "The group policy is rejected." +``` + +### Expression evaluation + +Unfortunately, no production-ready CEL library is available for Rust. +To emulate the behavior and the syntax of CEL, we will use [Rhai](https://rhai.rs/), a small, fast, easy-to-use scripting language and evaluation engine that integrates tightly with Rust. + +Rhai has the following features that make it a good candidate for this task: + +- function calls have the same syntax as CEL +- it is easy to embed in a Rust application +- it provides a way to create a [minimal engine](https://rhai.rs/book/engine/raw.html) with a bare minimum set of functionalities +- it does not add a considerable overhead (see [Preliminary benchmark](#preliminary-benchmark)) +- the language supports [syntax customization](https://rhai.rs/book/engine/custom-syntax.html) if needed + +Considering the following expression from the example above: + +```rust +sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag()) +``` + +Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. + +The expression will be evaluated as follows: + +- the `sigstore_pgp` function will be called +- if the result is `true`, the expression will be evaluated as `true` +- if the result is `false`, the `sigstore_gh_action` function will be called +- if the result is `true`, the `latest_tag` function will be called +- if the result is `true`, the expression will be evaluated as `true` + +Note that the `sigstore_gh_action` function will be called only if the `sigstore_pgp` function returns `false`. +Similarly, the `reject_latest_tag` function will be called only if the `sigstore_gh_action` function returns `true`. + +This avoids evaluating all the policies in the group when the result is already known. + +### Settings validation + +When the policy server starts, it will validate the settings of the group policies as well as the single policies. +However, the group policies will have an additional validation step to ensure that the expression is valid and +that evaluates to a boolean value. + +### Handler + +The handler will respond to the `/validate/` endpoint. +There is no need to create a new endpoint for the group policies, and as far as the API is concerned, the group policies will be treated as single policies. + +After the validation step, precompiled policies and group settings will be added to the `EvaluationEnvironment`. +When a validation request is received, if the policy is a group policy, the `EvaluationEnvironment` performs the following steps: + +- create a new Rhai [raw Engine](https://rhai.rs/book/engine/raw.html?highlight=raw%20eng#raw-engine) +- bind native functions to the engine that validate the policy +- call the engine eval method with the expression +- return the result + +Creating a new engine for each request is desirable because it avoids contention and locking of the Engine instance. +This pattern is described in the Rhai book, under the [One Engine Instance Per Call](https://rhai.rs/book/patterns/parallel.html?highlight=one%20engine%20per#one-engine-instance-per-call) section. + +To improve performance, we could consider precompiling the AST of the expression when building the `EvaluationEnvironment`. +Also, we could consider creating a [custom package](https://rhai.rs/book/rust/packages/create.html?highlight=custom%20package#create-a-custom-package) to instantiate the policy function calls only once. + +### Preliminary benchmark + +The following results are based on the [Kubewarden k6 load test](https://github.com/kubewarden/load-testing/tree/k6) using the [psp-apparmor policy](https://github.com/kubewarden/apparmor-psp-policy) + +| | | http_req_duration | +| ------------- | ------------------------ | ----------------- | +| single policy | psp-apparmor | avg=2.02ms | +| group policy | `psp-apparmor() && true` | avg=2.46ms | + +Note that no optimizations were made to the Rhai engine in this POC implementation. + +# Drawbacks + +[drawbacks]: #drawbacks + +- The implementation of the group policies will add complexity to the Kubewarden controller and the policy server. +- The expression language used to evaluate the group policies may not be familiar to all users. +- In the worst case, the group policy evaluation time could be the sum of the evaluation time of all the policies in the group. + This is even worse if the group policy contains context-aware policies that introduce additional overhead. + +# Alternatives + +[alternatives]: #alternatives + +# Unresolved questions + +[unresolved]: #unresolved-questions From ba23fd89a0ac04b00bdb0823c92b04959aa58f49 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:11:09 +0200 Subject: [PATCH 02/14] docs: rename group policies -> policy group Signed-off-by: Fabrizio Sestito --- ...group-policies.md => 0020-policy-group.md} | 45 +++++++++---------- 1 file changed, 22 insertions(+), 23 deletions(-) rename rfc/{0020-group-policies.md => 0020-policy-group.md} (84%) diff --git a/rfc/0020-group-policies.md b/rfc/0020-policy-group.md similarity index 84% rename from rfc/0020-group-policies.md rename to rfc/0020-policy-group.md index df6a8e6..f3fce7a 100644 --- a/rfc/0020-group-policies.md +++ b/rfc/0020-policy-group.md @@ -1,6 +1,6 @@ | | | | :----------- | :------------------------------ | -| Feature Name | Group policies | +| Feature Name | Policy group | | Start Date | Jun 12 2024 | | Category | feature | | RFC PR | [fill this in after opening PR] | @@ -8,9 +8,9 @@ # Summary -A "group policy" is a policy that is composed of other policies. +A "policy group" is a policy that is composed of other policies. The policies that are part of a group are evaluated using a boolean expression. -The group policy will not support mutations. +The policy group will not support mutations. # Motivation @@ -34,12 +34,12 @@ and enables the creation of custom policies using a DSL-like configuration. This RFC proposes to add two new CRDs to the Kubewarden controller: -- `GroupAdmissionPolicy` -- `GroupClusterAdmissionPolicy` +- `AdmissionPolicyGroup` +- `ClusterAdmissionPolicyGroup` The CRDs will share most of the fields with the `AdmissionPolicy` and `ClusterAdmissionPolicy` CRDs, respectively. -The main difference is that the `GroupAdmissionPolicy` and `GroupClusterAdmissionPolicy` CRDs will have a list of policies. -Also, the `GroupAdmissionPolicy` and `GroupClusterAdmissionPolicy` CRDs will have a field to specify the boolean expression that will be used to evaluate the policies +The main difference is that the `AdmissionPolicyGroup` and `ClusterAdmissionPolicyGroup` CRDs will define a list of policies. +Also, the `AdmissionPolicyGroup` and `ClusterAdmissionPolicyGroup` CRDs will have a field to specify the boolean expression that will be used to evaluate the policies and a `message` field to specify the message that will be returned when the group policy is rejected. ## Example CRD @@ -80,12 +80,12 @@ spec: reject: - latest expression: "sigstore_pgp() || (sigstore_gh_action() && reject_latest_tag())" - message: "The group policy is rejected." + message: "The policy group is rejected." ``` ### Expression language -We will use [CEL](https://github.com/google/cel-go) as the expression language for the group policies. +We will use [CEL](https://github.com/google/cel-go) as the expression language for the policy groups. The main reason for this choice is that CEL is used by the [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) and [matchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) in Kubernetes. Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. @@ -94,10 +94,10 @@ If the expression evaluates to `true`, the group policy will be considered as `a ### Message -The message field will be used to specify the message that will be returned when the group policy is rejected. +The message field will be used to specify the message that will be returned when the policy group is rejected. The specific policy results will be returned in the `warning` field of the response. -This is an example of the response that will be returned when the group policy is rejected: +This is an example of the response that will be returned when the policy group is rejected: ```json { @@ -120,22 +120,22 @@ This is an example of the response that will be returned when the group policy i The new CRDs will be reconciled by the Kubewarden controller. The reconciliation flow is similar to the one used for the `AdmissionPolicy` and `ClusterAdmissionPolicy` resources: -- when a new `GroupAdmissionPolicy` or `GroupClusterAdmissionPolicy` is created or updated the reconciler changes the configuration of the policy server to include the created/updated policy group +- when a new `AdmissionPolicyGroup` or `ClusterAdmissionPolicyGroup` is created or updated the reconciler changes the configuration of the policy server to include the created/updated policy group - the reconciler rolls out the policy server deployment - the reconciler creates or updates the ValidatingWebhookConfiguration pointing to the policy server `validate` endpoint of the policy group ### Match Conditions -An interesting use case is to use the group policies in combination with the [matchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) feature. +An interesting use case is to use the policy groups in combination with the [matchConditions](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions) feature. -By combining the group policies with `matchConditions`, it could be possible to create complex policies that are evaluated only for specific requests. +By combining the policy groups with `matchConditions`, it could be possible to create complex policies that are evaluated only for specific requests. For instance, it could be possible to build a policy that is evaluated only for requests that match a specific label selector. This RFC does not include any modifications to the policy CRDs to accommodate `matchConditions`, as it falls outside the scope of this proposal. ## Policy server -The policy settings will be extended to include group policies alongside single policies. +The `policies.yaml` settings file will be extended to include policy groups alongside ordinary policies. ```yaml psp-apparmor: # single policy @@ -211,14 +211,13 @@ This avoids evaluating all the policies in the group when the result is already ### Settings validation -When the policy server starts, it will validate the settings of the group policies as well as the single policies. -However, the group policies will have an additional validation step to ensure that the expression is valid and -that evaluates to a boolean value. +When the policy server starts, it will validate the settings of the policy groups as well as the ordinary policies. +However, the policy groups will have an additional validation step to ensure that the expression is valid and evaluates to a boolean value. ### Handler The handler will respond to the `/validate/` endpoint. -There is no need to create a new endpoint for the group policies, and as far as the API is concerned, the group policies will be treated as single policies. +There is no need to create a new endpoint for the group policies, and as far as the API is concerned, the policy groups will be treated as ordinary policies. After the validation step, precompiled policies and group settings will be added to the `EvaluationEnvironment`. When a validation request is received, if the policy is a group policy, the `EvaluationEnvironment` performs the following steps: @@ -249,10 +248,10 @@ Note that no optimizations were made to the Rhai engine in this POC implementati [drawbacks]: #drawbacks -- The implementation of the group policies will add complexity to the Kubewarden controller and the policy server. -- The expression language used to evaluate the group policies may not be familiar to all users. -- In the worst case, the group policy evaluation time could be the sum of the evaluation time of all the policies in the group. - This is even worse if the group policy contains context-aware policies that introduce additional overhead. +- The implementation of the policy groups will add complexity to the Kubewarden controller and the policy server. +- The expression language used to evaluate the policy groups may not be familiar to all users. +- In the worst case, the policy group evaluation time could be the sum of the evaluation time of all the policies in the group. + This is even worse if the policy group contains context-aware policies that introduce additional overhead. # Alternatives From f3f1226d165dcd45d41e6d5456c30a92b1a1e6a7 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:13:28 +0200 Subject: [PATCH 03/14] docs: fix example CRD indentation Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index f3fce7a..13a44be 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -72,7 +72,7 @@ spec: signatures: - image: "*" githubActions: - owner: "kubewarden" + owner: "kubewarden" - name: reject_latest_tag module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12 settings: From 228b76ff655ed576e1f05f56a54c4c79b33ea51c Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:14:07 +0200 Subject: [PATCH 04/14] docs: add RFC pr link Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 13a44be..4d1c454 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -1,10 +1,10 @@ -| | | -| :----------- | :------------------------------ | -| Feature Name | Policy group | -| Start Date | Jun 12 2024 | -| Category | feature | -| RFC PR | [fill this in after opening PR] | -| State | **ACCEPTED** | +| | | +| :----------- | :---------------------------------------- | +| Feature Name | Policy group | +| Start Date | Jun 12 2024 | +| Category | feature | +| RFC PR | https://github.com/kubewarden/rfc/pull/37 | +| State | **ACCEPTED** | # Summary From b14f0a28d9c3a6e8798afb9100c7893416b1b385 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:27:14 +0200 Subject: [PATCH 05/14] docs: add webhook validation step Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 4d1c454..65b7eb0 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -91,6 +91,8 @@ The main reason for this choice is that CEL is used by the [ValidatingAdmissionP Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. The expression field should be a valid CEL expression that evaluates to a boolean value and it will be validated by the Kubewarden controller's webhook. If the expression evaluates to `true`, the group policy will be considered as `accepted`, otherwise, it will be considered as `rejected`. +Also, the webhook will reject expressions where the combined policies are targeting totally different resources. +For example, `policy_that_eval_ingress() && policy_that_eval_pods()` is not allowed. ### Message From 8574345d11060467dbfaee15b809beb5fbcd1c1d Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:31:35 +0200 Subject: [PATCH 06/14] docs: fix policies.yaml example Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 65b7eb0..36a34cc 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -140,17 +140,17 @@ This RFC does not include any modifications to the policy CRDs to accommodate `m The `policies.yaml` settings file will be extended to include policy groups alongside ordinary policies. ```yaml -psp-apparmor: # single policy +psp-apparmor: url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7 -psp-capabilities: # single policy +psp-capabilities: url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7 allowedToMutate: true settings: allowed_capabilities: ["*"] required_drop_capabilities: ["KILL"] -pod-image-singatures: # group policy +pod-image-signatures: # policy group policies: - name: sigstore_pgp module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 From e2872cbf2735531245eda60962d9e0f785cf5278 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:44:50 +0200 Subject: [PATCH 07/14] docs: add rust CEL library to unresolved questions Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 36a34cc..00a1641 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -262,3 +262,7 @@ Note that no optimizations were made to the Rhai engine in this POC implementati # Unresolved questions [unresolved]: #unresolved-questions + +Unfortuantely, no production-ready CEL library is available for Rust. +Some experimentes were made with [cel-rust](https://github.com/clarkmcc/cel-rust) and [rscel](https://github.com/1BADragon/rscel) +but they do not pass the official compliance tests yet and are not actively developed. From 3a7d5f7ce9890102d46441ac736bf795eb0bfb56 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 08:50:16 +0200 Subject: [PATCH 08/14] docs: add wasm bundle alternative Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 00a1641..9e21fa3 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -259,6 +259,16 @@ Note that no optimizations were made to the Rhai engine in this POC implementati [alternatives]: #alternatives +An alternative to the policy groups could be to create a tool that takes several policies and merges them into a new WASN module. +The new WASM module would embed the original ones and would have a `main` function that takes care of evaluating the expression given by the user. + +This approach has the following drawbacks: + +- Complexity to implement this solution +- The user would require an extra compilation step to create the new WASM module +- The size of the new WASM module would be significantly larger if several policies are embedded +- At runtime, the de-duplication optmization of the policies would be lost, increasing the memory footprint + # Unresolved questions [unresolved]: #unresolved-questions From b37eeac247dca198c89618127812cb47ee4be5d4 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 09:40:06 +0200 Subject: [PATCH 09/14] docs: add validation to unresolved questions Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 9e21fa3..114e4b0 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -273,6 +273,16 @@ This approach has the following drawbacks: [unresolved]: #unresolved-questions -Unfortuantely, no production-ready CEL library is available for Rust. -Some experimentes were made with [cel-rust](https://github.com/clarkmcc/cel-rust) and [rscel](https://github.com/1BADragon/rscel) -but they do not pass the official compliance tests yet and are not actively developed. +- Unfortuantely, no production-ready CEL library is available for Rust. + Some experimentes were made with [cel-rust](https://github.com/clarkmcc/cel-rust) and [rscel](https://github.com/1BADragon/rscel) + but they do not pass the official compliance tests yet and are not actively developed. + +- Furthermore, using two different expression languages in the Kubewarden controller and the policy server could lead to inconsistencies in the validation step. + For instance, it is possibilie that an expression that is valid in the Kubewarden controller is not valid in the policy server. + With the current proposal, this expression `"foo".startsWith("f") && policy_1() || policy_2()` would be valid in the Kubewarden controller but not in the policy server, + since Rhai can be customized to strip down types, standard library functions, and operators that are not needed, keeping only the policy functions and the logical operators. + However, [this issue](https://github.com/google/cel-go/issues/899) hints that CEL could be stripped down to a minimal set of functionalities as well. + +- Running a policy group locally for development or testing purposes should be possible with the `kwctl` tool. + However, implementing this feature means that the `kwctl` tool should be able to run a policy group directly from a CRD definition. + As this feature also applies to ordinary policies, it falls outside the scope of this RFC. From 90b3e7ce94a61047ba7c36fb736a28aac8d918c9 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 10:27:48 +0200 Subject: [PATCH 10/14] docs: fix headings Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 114e4b0..ece7bbb 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -42,7 +42,7 @@ The main difference is that the `AdmissionPolicyGroup` and `ClusterAdmissionPoli Also, the `AdmissionPolicyGroup` and `ClusterAdmissionPolicyGroup` CRDs will have a field to specify the boolean expression that will be used to evaluate the policies and a `message` field to specify the message that will be returned when the group policy is rejected. -## Example CRD +### Example CRD ```yaml apiVersion: policies.kubewarden.io/v1 @@ -57,6 +57,7 @@ spec: operations: - CREATE - UPDATE + policies: - name: sigstore_pgp module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 @@ -235,7 +236,7 @@ This pattern is described in the Rhai book, under the [One Engine Instance Per C To improve performance, we could consider precompiling the AST of the expression when building the `EvaluationEnvironment`. Also, we could consider creating a [custom package](https://rhai.rs/book/rust/packages/create.html?highlight=custom%20package#create-a-custom-package) to instantiate the policy function calls only once. -### Preliminary benchmark +## Preliminary benchmark The following results are based on the [Kubewarden k6 load test](https://github.com/kubewarden/load-testing/tree/k6) using the [psp-apparmor policy](https://github.com/kubewarden/apparmor-psp-policy) From 1cb16034df5269bc8c9978cbed8cc9627fdc62c7 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 12:45:24 +0200 Subject: [PATCH 11/14] docs: add context-aware example Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 45 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index ece7bbb..8ed20d6 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -57,7 +57,7 @@ spec: operations: - CREATE - UPDATE - + backgroundAudit: true policies: - name: sigstore_pgp module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8 @@ -84,6 +84,49 @@ spec: message: "The policy group is rejected." ``` +### Audit + +Similar to the `AdmissionPolicy` and `ClusterAdmissionPolicy` CRDs, the `backgroundAudit` field will be used to specify if the policy group should be used or skipped when performing audit checks. + +### Context-aware rules + +The `AdmissionPolicyGroup` and `ClusterAdmissionPolicyGroup` CRDs support [context-aware](https://docs.kubewarden.io/reference/spec/context-aware-policies) capabilities. +Each policy in a group will accept an optional [contextAwareResources](https://docs.kubewarden.io/reference/CRDs#contextawareresource) field to specify the resources that the policy is allowed to access at evaluation time. + +Example: + +```yaml +apiVersion: policies.kubewarden.io/v1 +kind: ClusterAdmissionPolicyGroup # or AdmissionPolicyGroup +metadata: + name: context-aware-group +spec: + rules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: + - CREATE + - UPDATE + policies: + - name: policy_1 + module: ghcr.io/kubewarden/policies/policy_1:v0.1.0 + contextAwareResources: + - apiVersion: "v1" + kind: "Pod" + settings: + foo: "bar" + - name: policy_2 + module: ghcr.io/kubewarden/policies/policy_2:v0.1.0 + contextAwareResources: + - apiVersion: "v1" + kind: "Namespace" + settings: + foo: "bar" + expression: "policy_1() && policy_2()" + message: "The policy group is rejected." +``` + ### Expression language We will use [CEL](https://github.com/google/cel-go) as the expression language for the policy groups. From 519648e0da8d8bd7e705de96d3089a76268b8794 Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 13:06:08 +0200 Subject: [PATCH 12/14] docs: add raw policy groups paragraph Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 8ed20d6..50603b0 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -279,6 +279,11 @@ This pattern is described in the Rhai book, under the [One Engine Instance Per C To improve performance, we could consider precompiling the AST of the expression when building the `EvaluationEnvironment`. Also, we could consider creating a [custom package](https://rhai.rs/book/rust/packages/create.html?highlight=custom%20package#create-a-custom-package) to instantiate the policy function calls only once. +### Raw policy groups + +The policy server will support [raw policy](https://docs.kubewarden.io/tutorials/writing-policies/wasi/raw-policies) groups out of the box, since the group evaluation logic is implemented in the `EvaluationEnvironment`. +It will be possible to define a policy group with raw policies only, and evaluate the expression by calling the `validate_raw/` endpoint. + ## Preliminary benchmark The following results are based on the [Kubewarden k6 load test](https://github.com/kubewarden/load-testing/tree/k6) using the [psp-apparmor policy](https://github.com/kubewarden/apparmor-psp-policy) From 0253ad15a7dafe1067891eaae66c7ddbef25b43a Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Tue, 18 Jun 2024 13:33:26 +0200 Subject: [PATCH 13/14] docs: add dx related story/example Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 50603b0..4ca7918 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -25,6 +25,7 @@ and enables the creation of custom policies using a DSL-like configuration. [examples]: #examples - As a user, I want to create a policy that is composed of other policies and is evaluated using a boolean expression. +- As a user, I want to develop and test a policy group with the help of kwctl. # Detailed design @@ -284,6 +285,12 @@ Also, we could consider creating a [custom package](https://rhai.rs/book/rust/pa The policy server will support [raw policy](https://docs.kubewarden.io/tutorials/writing-policies/wasi/raw-policies) groups out of the box, since the group evaluation logic is implemented in the `EvaluationEnvironment`. It will be possible to define a policy group with raw policies only, and evaluate the expression by calling the `validate_raw/` endpoint. +## Scaffolding + +The `kwctl` tool will be extended to support the scaffolding of policy groups. +Running a policy or a policy group directly from a CRD definition through `kwctl` is a common use case, +but the implementation of this feature falls outside the scope of this RFC. + ## Preliminary benchmark The following results are based on the [Kubewarden k6 load test](https://github.com/kubewarden/load-testing/tree/k6) using the [psp-apparmor policy](https://github.com/kubewarden/apparmor-psp-policy) From 3febb08a2a451c70a6573b8ebc7858490a71a2bf Mon Sep 17 00:00:00 2001 From: Fabrizio Sestito Date: Thu, 20 Jun 2024 13:52:21 +0200 Subject: [PATCH 14/14] docs: fix spelling Signed-off-by: Fabrizio Sestito --- rfc/0020-policy-group.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/rfc/0020-policy-group.md b/rfc/0020-policy-group.md index 4ca7918..afa2dae 100644 --- a/rfc/0020-policy-group.md +++ b/rfc/0020-policy-group.md @@ -136,7 +136,7 @@ The main reason for this choice is that CEL is used by the [ValidatingAdmissionP Each policy in the group will be represented as a function call in the expression with the same name as the policy defined in the group. The expression field should be a valid CEL expression that evaluates to a boolean value and it will be validated by the Kubewarden controller's webhook. If the expression evaluates to `true`, the group policy will be considered as `accepted`, otherwise, it will be considered as `rejected`. -Also, the webhook will reject expressions where the combined policies are targeting totally different resources. +Also, the webhook will reject expressions where the combined policies are targeting different resources. For example, `policy_that_eval_ingress() && policy_that_eval_pods()` is not allowed. ### Message @@ -282,8 +282,8 @@ Also, we could consider creating a [custom package](https://rhai.rs/book/rust/pa ### Raw policy groups -The policy server will support [raw policy](https://docs.kubewarden.io/tutorials/writing-policies/wasi/raw-policies) groups out of the box, since the group evaluation logic is implemented in the `EvaluationEnvironment`. -It will be possible to define a policy group with raw policies only, and evaluate the expression by calling the `validate_raw/` endpoint. +The policy server will support [raw policy](https://docs.kubewarden.io/tutorials/writing-policies/wasi/raw-policies) groups out of the box since the group evaluation logic is implemented in the `EvaluationEnvironment`. +It will be possible to define a policy group with raw policies only and evaluate the expression by calling the `validate_raw/` endpoint. ## Scaffolding @@ -320,21 +320,21 @@ The new WASM module would embed the original ones and would have a `main` functi This approach has the following drawbacks: -- Complexity to implement this solution +- The complexity of implementing this solution - The user would require an extra compilation step to create the new WASM module -- The size of the new WASM module would be significantly larger if several policies are embedded -- At runtime, the de-duplication optmization of the policies would be lost, increasing the memory footprint +- The size of the new WASM module would be significantly larger if several policies were embedded +- At runtime, the de-duplication optimization of the policies would be lost, increasing the memory footprint # Unresolved questions [unresolved]: #unresolved-questions -- Unfortuantely, no production-ready CEL library is available for Rust. - Some experimentes were made with [cel-rust](https://github.com/clarkmcc/cel-rust) and [rscel](https://github.com/1BADragon/rscel) +- Unfortunately, no production-ready CEL library is available for Rust. + Some experiments were made with [cel-rust](https://github.com/clarkmcc/cel-rust) and [rscel](https://github.com/1BADragon/rscel) but they do not pass the official compliance tests yet and are not actively developed. - Furthermore, using two different expression languages in the Kubewarden controller and the policy server could lead to inconsistencies in the validation step. - For instance, it is possibilie that an expression that is valid in the Kubewarden controller is not valid in the policy server. + For instance, it is possible that an expression that is valid in the Kubewarden controller is not valid in the policy server. With the current proposal, this expression `"foo".startsWith("f") && policy_1() || policy_2()` would be valid in the Kubewarden controller but not in the policy server, since Rhai can be customized to strip down types, standard library functions, and operators that are not needed, keeping only the policy functions and the logical operators. However, [this issue](https://github.com/google/cel-go/issues/899) hints that CEL could be stripped down to a minimal set of functionalities as well.