Add suffix-based matching for namespaces and excludedNamespaces #1571

Closed
jcstanaway opened this issue Sep 22, 2021 · 2 comments · Fixed by #1796
Labels
enhancement New feature or request


@jcstanaway
Contributor

Describe the solution you'd like

#1404 added prefix-based matching for namespaces & excludedNamespaces, but it would be useful to also enable suffix-based matching.

Our use case is to not enforce certain constraints in "*-dev" namespaces (our naming convention is to append the environment to namespaces). We've currently implemented this behavior within the constraint template rego code, but given the enhancement in #1404, it would seem to make sense to extend that to cover this use case.

```
not endswith(input.review.object.metadata.namespace, "-dev")
```

Anything else you would like to add:

Unclear if/how to handle user specifying wilds at both the beginning and end.
Maybe a more generic solution allowing a regex pattern should be supported?

Environment:
any

Gatekeeper version: future version
Kubernetes version: (use kubectl version): any supported by gatekeeper.

@jcstanaway jcstanaway added the enhancement New feature or request label Sep 22, 2021
@jcstanaway
Contributor Author

Possibly a dupe of #1525.

@maxsmythe
Contributor

Definitely related to #1525

My biggest concern with more complex match criteria is that if we ever implement indexing to support large numbers of mutators or constraints, it may be harder to implement the index. Regex is for sure problematic. I think prefix/suffix may be less so?
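
The indexing concern in the comment above, sketched as an added example (not Gatekeeper's code and not written by anyone in this thread): prefix and suffix patterns can be stored as hash keys, so a lookup probes the prefixes and suffixes of one namespace name instead of testing every pattern. `PatternIndex`, its methods and the sample IDs are hypothetical, and rejecting a wildcard at both ends is an assumption of the sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// PatternIndex (hypothetical) maps namespace patterns to constraint IDs.
type PatternIndex struct{ exact, prefix, suffix map[string][]string }

func NewPatternIndex() *PatternIndex {
	return &PatternIndex{map[string][]string{}, map[string][]string{}, map[string][]string{}}
}

// Add registers a pattern: "kube-*" is a prefix match, "*-dev" a suffix match,
// no "*" is exact. Other placements are rejected (assumption of this sketch).
func (p *PatternIndex) Add(pattern, id string) error {
	switch stars := strings.Count(pattern, "*"); {
	case stars == 0:
		p.exact[pattern] = append(p.exact[pattern], id)
	case stars == 1 && strings.HasSuffix(pattern, "*"):
		k := strings.TrimSuffix(pattern, "*")
		p.prefix[k] = append(p.prefix[k], id)
	case stars == 1 && strings.HasPrefix(pattern, "*"):
		k := strings.TrimPrefix(pattern, "*")
		p.suffix[k] = append(p.suffix[k], id)
	default:
		return fmt.Errorf("unsupported wildcard pattern %q", pattern)
	}
	return nil
}

// Lookup returns the IDs whose pattern matches ns. It probes one map entry per
// prefix and per suffix of ns, so the probe count depends on len(ns) only.
func (p *PatternIndex) Lookup(ns string) []string {
	ids := append([]string{}, p.exact[ns]...)
	for i := 0; i <= len(ns); i++ {
		ids = append(ids, p.prefix[ns[:i]]...)
		ids = append(ids, p.suffix[ns[i:]]...)
	}
	return ids
}

func main() {
	idx := NewPatternIndex()
	_ = idx.Add("*-dev", "skip-dev") // constructed sample patterns and IDs
	_ = idx.Add("kube-*", "skip-system")
	fmt.Println(idx.Lookup("payments-dev"), idx.Lookup("kube-dev"), idx.Lookup("devtools"))
}
```

Arbitrary regex patterns do not decompose into hash keys this way, which is why they are harder to index than prefix or suffix patterns.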

devholic pushed a commit to devholic/gatekeeper that referenced this issue Jan 18, 2022
open-policy-agent#1571

It would be useful to allow suffix-based matching for resource names,
in addition to prefix-based matching.

This commit implements this feature by extending `PrefixWildcard` type
instead of using regex since it might be problematic for large numbers
of resources as @maxsmythe commented on the issue.

Signed-off-by: Sunghoon Kang <[email protected]>
devholic pushed a commit to devholic/gatekeeper that referenced this issue Jan 19, 2022
open-policy-agent#1571

devholic pushed a commit to devholic/gatekeeper that referenced this issue Jan 20, 2022
open-policy-agent#1571
