constraint: Update OPA to v1 #517
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #517 +/- ##
==========================================
- Coverage 54.68% 53.80% -0.89%
==========================================
Files 71 97 +26
Lines 5241 6141 +900
==========================================
+ Hits 2866 3304 +438
- Misses 2073 2502 +429
- Partials 302 335 +33
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
This is an initial PoC to show what rego.v1 support might look.
The main thing I am unsure of is the regorewriter. This could have some issues even with v0 as I understand it. For example, `some x in data.lib` will not be rewritten correctly. Anyone with more knowledge on this component, it'd be interesting to better know how this is used and how it should work when supporting both v0 and v1.
The next obvious thing to consider here is that attempting parsing in more than one rego version is not ideal. This is done here since we will not know the source version of the rego until we try to parse it. We might consider something like this to allow users to force GK to use a given version.
```
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
labels:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
version: v1
rego: |
package k8srequiredlabels
violation contains {"msg": msg, "details": {"foo": "bar"}} if {
...
}
```
Signed-off-by: Charlie Egan <[email protected]>
charlieegan3
force-pushed
the
rego-v1
branch
2 times, most recently
from
166e9c1 to
84962bb
Compare
Warned as insecure in https://github.com/open-policy-agent/frameworks/actions/runs/13029032097/job/36343997926?pr=517 Signed-off-by: Charlie Egan <[email protected]>
|
Thanks for the PR! To answer your question about regorewriter: First some background: regorewriter was written when all constraint templates were compiled into the same OPA environment. It was intended to provide hermeticity. Basically, we wanted to be sure that no constraint template could modify the behavior of any other constraint template, so we rewrote the module paths to ensure non-overlap. We also limited the sub-fields of Since that time, we have moved on to compiling each constraint template into a separate Rego environment (though the data cache is shared). This was mainly to reduce the O(n^2) complexity growth of compiling templates, but had the effect of strengthening sandboxing as well. As such, regorewriter is less load bearing than it used to be, but still useful. Key features of regorewriter (I may be missing some, did a brief survey of the code):
It does look like some portions of regorewriter may be redundant -- if we require library packages to start with WRT adding the version string... I like it! Though we should probably nudge people to using the newer format, which lives under I'd make it a sibling of the frameworks/constraint/pkg/client/drivers/rego/schema/schema.go Lines 19 to 24 in df59516 for backwards compatibility, undefined -> v0, and using |
This is an initial PoC to show what rego.v1 support might look.
The main thing I am unsure of is the regorewriter. This could have some issues even with v0 as I understand it. For example,
some x in data.libwill not be rewritten correctly. Anyone with more knowledge on this component, it'd be interesting to better know how this is used and how it should work when supporting both v0 and v1.Next steps, after this PR
The next obvious thing to consider here is that attempting parsing in more than one rego version is not ideal. This is done here since we will not know the source version of the rego until we try to parse it. We might consider something like this to allow users to force GK to use a given version.