pulumi-kubernetes-operator icon indicating copy to clipboard operation
pulumi-kubernetes-operator copied to clipboard

Published 20 hours ago verified publisher icon pulumi

Enforce policies before updating

Open worawatwi opened this issue 3 years ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Is it possible to have policies validation before updating? Currently we used Pulumi CLI policy-pack and policy-pack-config to enforce policies in our CI before preview and update. It would be great if operator can check for policy violation and raise error.

Affected area/feature

Pulumi Kubernetes operator

worawatwi avatar Nov 04 '22 04:11 worawatwi

Thanks for opening the issue. Assigned to @squaremo for consideration/prioritization.

viveklak avatar Nov 07 '22 17:11 viveklak

This makes sense as a feature of the operator -- thanks for suggesting it @worawatwi.

squaremo avatar Nov 08 '22 09:11 squaremo

Thinking about possible designs, a key question would be how to attach policies to stacks, i.e. to form a policy group. Since policies are normally enforced by an administrator, it would make sense here to apply policies at the level of a Kubernetes namespace.

Would the system also apply policies that were assigned in Pulumi Cloud via policy groups? Probably no, that would imply that the stack's choice of backend would affect the applied policies.

Also consider how to support configurable policies (e.g. enforcement level, the allowed instance types, cost allowances, etc.). Perhaps the well-known config format would simply be pasted as a string, as opposed to devising a CRD-friendly variation.

Another aspect is how/where to source the policy packs. Would the system draw from the published policy packs? From volumes or images? Ideally any such image or volume would be automatically attached to the workspace pod without any per-Stack configuration.

One idea would be to introduce a new custom resource type, that an administrator may use to attach policies to the stacks within a given namespace.

apiVersion: pulumi.com/v1alpha1
kind: PolicyGroup
metadata:
  namespace: my-namespace
policyPacks:
- name: <org-name/<policy-pack-name>
  version: 0.0.1
  config: |
    {
      "all": {
        "enforcementLevel": "disabled"
      },
      "a-policy": {
        "enforcementLevel": "mandatory"
      }
    }

Would it make more sense to provide a "group" object, or should there be an object per policy pack (and let the controller do the aggregation into a group)? i.e.

apiVersion: pulumi.com/v1alpha1
kind: Policy
metadata:
  namespace: my-namespace
policyPack:
  name: <org-name/<policy-pack-name>
  version: 0.0.1
  config: |
    {
      "all": {
        "enforcementLevel": "disabled"
      },
      "a-policy": {
        "enforcementLevel": "mandatory"
      }
    }

Also related, support for Preview: https://github.com/pulumi/pulumi-kubernetes-operator/issues/16

EronWright avatar May 27 '25 19:05 EronWright