Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OPA examples on pathType restrictions #9992

Merged
merged 1 commit into from
May 25, 2023
Merged

Add OPA examples on pathType restrictions #9992

merged 1 commit into from
May 25, 2023

Conversation

rikatz
Copy link
Contributor

@rikatz rikatz commented May 24, 2023

What this PR does / why we need it:

With the upcoming restriction on pathType and usages, it is good to have an example on restrictions using OPA

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 24, 2023
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot requested a review from puerco May 24, 2023 13:49
@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-priority size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 24, 2023
@longwuyuan
Copy link
Contributor

Do you need to add a example for "should allow" for pathType "Prefix". Or one example for "should allow" is enough. I don't know so asking.

@rikatz
Copy link
Contributor Author

rikatz commented May 24, 2023

I don't think so, the idea here is just to teach people how they can use OPA to block a specific pathType. We have a lot of cases, like blocking characters, allowing pathType if an annotation exists, etc and I don't want to cover all of them, just let them know they can use OPA to protect the requests

@longwuyuan
Copy link
Contributor

Now I need to check if Kyverno use OPA at all. Someone may ask.

@rikatz
Copy link
Contributor Author

rikatz commented May 24, 2023

We dont need to cover all cases, this is an example. We need people to be aware they need to apply policies :)

@longwuyuan
Copy link
Contributor

We dont need to cover all cases, this is an example. We need people to be aware they need to apply policies :)

ok :-)

tao12345666333
tao12345666333 approved these changes May 24, 2023
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

But I think we should add some text description, like the description in this PR.

Users can have a clearer understanding of the applicable scenarios of this example

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 24, 2023
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 24, 2023
@rikatz rikatz force-pushed the add-admission-examples branch from 1035322 to 865b793 Compare May 25, 2023 12:40
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 25, 2023
tao12345666333
tao12345666333 approved these changes May 25, 2023
View reviewed changes
Copy link
Member

@tao12345666333 tao12345666333 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold cancel

docs/examples/openpolicyagent/README.md
allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress
Controller being used.

This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users
This means that the Ingress Admins (the person who deployed the Ingress Controller) should trust the users

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels May 25, 2023
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rikatz, tao12345666333

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [rikatz,tao12345666333]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 8977835 into kubernetes:main May 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tao12345666333 tao12345666333 tao12345666333 approved these changes

@puerco puerco Awaiting requested review from puerco

Assignees

@tao12345666333 tao12345666333

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/docs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rikatz @k8s-ci-robot @longwuyuan @tao12345666333