Change Kustomize so that policies can be enforced as groups #141
Conversation
Looks good
@galshi I like the changes -

- It's more native to have a kustomization file per directory, instead of having a large one.
- The way you can control the `enforcementAction` from the kustomization file.

Some points to think about -

- I would tweak the docu a bit, it's not very clear atm. Maybe add another section for `Applying all policies` as well.
- Note that the current state of the kustomization is not too native. If you apply the resources, all constraints will fail unless your GitOps tool is consistently syncing. The `constraints.yaml` depends on the `template.yaml`. If the ConstraintTemplate is not created, the resource at the `constraints.yaml` fails to create.

```
$ kustomize build ./ | oc apply -f -
constrainttemplate.templates.gatekeeper.sh/k8sdisallowemptydir created
error: unable to recognize "STDIN": no matches for kind "K8sDisallowEmptyDir" in version "constraints.gatekeeper.sh/v1beta1"
```
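The failure above comes from applying a `ConstraintTemplate` and the constraint that depends on it in one stream, before the template's CRD exists. As an added illustration (not code from this repository or its author), the hypothetical `preflight.py` below reads `kustomize build` output, reports constraints whose template is absent from the stream, and lets you apply templates and constraints as two separate steps; it assumes standard `kustomize build` output with top-level `kind:`/`apiVersion:` keys at column 0 and uses a lightweight line-based lookup instead of a YAML library.

```python
"""Pre-flight check for `kustomize build` output that mixes Gatekeeper
ConstraintTemplates with the Constraints depending on them (hypothetical)."""
import re
import sys

# Constructed stand-in for `kustomize build ./` output (metadata omitted):
# one template, the constraint it provides, one constraint lacking a template.
SAMPLE_STREAM = """\
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowEmptyDir
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowEmptyDir
spec:
  enforcementAction: deny
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
"""

def _field(doc, key, indented=False):
    """Line-based lookup of a scalar `key:`, top-level unless indented."""
    pat = (r"^[ \t]+" if indented else r"^") + key + r":[ \t]*(\S+)"
    m = re.search(pat, doc, re.M)
    return m.group(1) if m else None

def check_stream(stream):
    """Return (templates, constraints, missing): docs of each kind, plus
    constraint kinds for which the stream carries no ConstraintTemplate."""
    templates, constraints, provided = [], [], set()
    for doc in re.split(r"^---[ \t]*$", stream, flags=re.M):
        kind, api = _field(doc, "kind"), _field(doc, "apiVersion")
        if kind == "ConstraintTemplate":
            templates.append(doc.strip())
            # the CRD kind a template creates sits at spec.crd.spec.names.kind
            provided.add(_field(doc, "kind", indented=True))
        elif api and api.startswith("constraints.gatekeeper.sh/"):
            constraints.append(doc.strip())
    missing = sorted({_field(d, "kind") for d in constraints} - provided)
    return templates, constraints, missing

if __name__ == "__main__":  # kustomize build ./ | python3 preflight.py templates
    templates, constraints, missing = check_stream(sys.stdin.read())
    if missing:
        sys.exit("no ConstraintTemplate in stream for: " + ", ".join(missing))
    print("\n---\n".join(templates if "templates" in sys.argv[1:] else constraints))
```

Run it once with `templates` piped into `oc apply -f -`, wait for the generated CRD to be established, then run it again with `constraints`; on the constructed sample it exits non-zero because `K8sRequiredLabels` has no template in the stream.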
@michaelkotelnikov I don't think there's anything better which can be done with native kustomize.
…fied the supported ways of using this repo in a gitops scenario
```yaml
- op: replace
  path: "/spec/enforcementAction"
  value: deny
```
@galshi I'd add an example of implementation using ArgoCD at the end - which configurations should be applied in the Application for both `template` and `constraint` resources to be created and not result in `constraint` creation failure due to kustomization issues.

I know it might be overkill, but as for now, if a simple user tries to use the examples we provide, it'll fail. The issue should be covered, and a solution needs to be provided for a complete GitOps solution.

Need to evaluate implementing this with Kustomize components.
@michaelkotelnikov I'm still not sure about the design, I would like your input.
I haven't checked that everything works properly, I'll proceed once you approve.