
Enforce a label policy on pods

Open alpe opened this issue 5 years ago • 2 comments

Organisations usually come up with some best practices for monitoring and managing pods. A new policy could enforce a configurable list of labels to be mandatory to run a pod in the environment. For example, all pods should have an app label.

The policies.Config would need to be extended with a new field.

type Config struct {
    // ... existing fields
    // Label keys that every pod must carry.
    PolicyMandatoryPodLabels []string
}

🤔 Extensions

  • While this issue is for pods only, it makes sense to think about enforcing labels for other components as well.
  • Another extension could be enforcing annotations on a type. For example kubernetes.io/ingress.class must not be empty for an ingress on a multi ingress-controller environment.

Jan 09 '20 09:01 alpe

Good idea.

To facilitate checking labels or annotations for other kinds of resources, we could accept that in the configuration for a more generic policy:

type LabelConfig struct{
    Kinds []string
    Labels []string
    Annotations []string
}

type Config struct {
    // ... existing fields
    // One entry per group of kinds with its mandatory labels and annotations.
    PolicyMandatoryLabelsOrAnnotations []LabelConfig
}

To do this, we'd need to add another resource extractor that pulls out v1.TypeMeta and v1.ObjectMeta.

Jan 09 '20 20:01 dustin-decker
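A sketch of the check that the generic configuration above implies, added here as an illustration and not taken from k-rail's code base. `Meta`, `check` and `Violations` are hypothetical names; `Meta` stands in for the `v1.TypeMeta` and `v1.ObjectMeta` fields an extractor would supply, so the example builds without Kubernetes dependencies.

```go
package main

import (
	"fmt"
	"strings"
)

// LabelConfig follows the shape proposed above; listed keys must be non-empty.
type LabelConfig struct {
	Kinds, Labels, Annotations []string
}

// Meta is a hypothetical stand-in for the v1.TypeMeta and v1.ObjectMeta
// fields a resource extractor would return (keeps the example dependency-free).
type Meta struct {
	Kind, Name          string
	Labels, Annotations map[string]string
}

// check appends one message per required key that is absent or blank (nil maps are fine).
func check(out []string, m Meta, what string, required []string, have map[string]string) []string {
	for _, k := range required {
		if strings.TrimSpace(have[k]) == "" {
			out = append(out, fmt.Sprintf("%s/%s: missing %s %q", m.Kind, m.Name, what, k))
		}
	}
	return out
}

// Violations evaluates every rule whose Kinds matches m.Kind; empty means admit.
func Violations(rules []LabelConfig, m Meta) []string {
	var out []string
	for _, r := range rules {
		for _, kind := range r.Kinds {
			if kind == m.Kind {
				out = check(out, m, "label", r.Labels, m.Labels)
				out = check(out, m, "annotation", r.Annotations, m.Annotations)
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: the pod rule from the issue, and a pod without "app".
	rules := []LabelConfig{{Kinds: []string{"Pod"}, Labels: []string{"app"}}}
	fmt.Println(Violations(rules, Meta{Kind: "Pod", Name: "web", Labels: map[string]string{"team": "a"}}))
}
```

A key that is present with an empty value is reported the same as a missing key, which matches the "must not be empty" wording used for the ingress class annotation in the issue.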

👋 The k-rail project has been deprecated and is no longer under active development. We recommend taking a look at OPA Gatekeeper to see if it might meet your needs going forward.

Thanks for your contribution(s) to the project!

Jan 12 '23 16:01 mark-adams