Mutating AdmissionReview objects to add clusterwide labels

[jcmcken]

In our current OPA management software (which is commercial software), you have the option of attaching metadata to each cluster as labels on the AdmissionReview object (in the result.outcome field). This is useful because it means you can have policy that keys off information within the cluster. So rather than passing different parameters (i.e. managing different constraints, which will mostly repeat all the same information) depending on which cluster you're in, the constraint and constraint template are the same across all clusters, and only the metadata is different.

For example, we have different image policies depending on which cluster you're in. So the review object contains an identifier telling you which cluster you're in. In the Rego, you can then key off this information to make different decisions depending on the value.

Is this something AssignMetadata would be used for? Or is there some other way to accomplish this?

[charlieegan3]

Hey @jcmcken, I'm not 100% sure on this one but you might want to try in the #opa-gatekeeper channel on slack. https://communityinviter.com/apps/openpolicyagent/signup