Add enable-referential-rules flag & disable referential constraints…

… by default. Signed-off-by: David-Jaeyoon-Lee <[email protected]>
open-policy-agent · Nov 14, 2024 · 154af0a · 154af0a
1 parent 4c2ff74
commit 154af0a
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -116,6 +116,7 @@ var (
 	disabledBuiltins                     = util.NewFlagSet()
 	enableK8sCel                         = flag.Bool("enable-k8s-native-validation", true, "enable the validating admission policy driver")
 	externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
+	enableReferential                    = flag.Bool("enable-referential-rules", false, "Enable referential rules. Only use this flag if you know what you're doing; referential rules have edge cases where referential constraints may not be perfectly enforced due to the eventual consistency inherent in Kubernetes controllers")
 )
 
 func init() {
@@ -419,6 +420,12 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle
 		cfArgs = append(cfArgs, constraintclient.Driver(k8sDriver))
 	}
 
+	externs := rego.Externs()
+	if *enableReferential {
+		externs = rego.Externs("inventory")
+	}
+	args = append(args, externs)
+
 	driver, err := rego.New(args...)
 	if err != nil {
 		setupLog.Error(err, "unable to set up Driver")