docs: update vap doc and demo #3502
Conversation
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
suggested nits. LGTM otherwise.
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com> Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook. | ||
Gatekeeper is configured to generate K8s Validating Admission Policy (VAP) resources for all constraint templates globally if `--default-create-vap-for-templates=true` flag is set. This flag defaults to `false` at this time to not generate VAP resources by default. | ||
The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper | ||
`--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with cel engine, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. |
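Review bot: the `--default-create-vap-for-templates` flag is documented twice in this hunk with different wording, once at the top ("for all constraint templates globally if `--default-create-vap-for-templates=true` flag is set") and again in the last sentence ("as part of all Constraint Templates with cel engine"); keep a single sentence so the two descriptions cannot drift apart. In that last sentence, "with cel engine" should name the Gatekeeper engine that actually emits VAP resources (the reviewer cites K8sNativeValidation) rather than CEL in general, since a reader could otherwise assume any template containing CEL yields a VAP. Also, "`--default-create-vap-for-templates=true` flag is set to `true`" states the value twice; write "the `--default-create-vap-for-templates` flag is set to `true`" to match the phrasing used for `--default-create-vap-binding-for-constraint` one sentence earlier.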
"all Constraint Templates that have VAP CEL code" (or use the actual engine name, IIRC K8sNativeValidation?)
We don't want to conflate CEL with VAP, because that will be a common, and very misleading, mistake. It assumes that VAP code can be accepted anywhere CEL is interpreted, which is very much not true.
added VAP to CEL engine
where applicable
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
LGTM
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged): Fixes #
Special notes for your reviewer: