Feature Request: strict policies.yml parsing, disallow unknown keys
Is your feature request related to a problem?
The parsing of policies.yml is not strict enough.
This can be prone to errors.
For instance, at the time of writing, this configuration is valid:
psp-capabilities:
  url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
  allowedToMutate: true
  policyModel: monitor # note: "policyModel" should be "policyMode"
  settings:
    ...
However, as the policyMode key is not found, the policy will be configured in Protect mode.
Also, we could clean up the tests by using fixtures and/or merging tests together in one test with multiple cases of reading configurations.
Keep in mind there's currently a serde bug that prevents that from being done. See https://github.com/kubewarden/policy-server/pull/827/commits/7316fc93bc5d53dc0a3277b63f937bfe2973dc6a
looking into it 👀
We could validate it in post-deserialization, since the issue persists
I think the fix should be done inside of serde, see this issue.
I would wait for upstream to address that, or help them with it.
Given the configuration of policy-server is always generated by us (through the controller), the chances of running into this issue are slim.
This is more of an issue for users running Policy Server outside of Kubernetes, as a custom JSON validator. However, we don't know how many people are actually interested in this enhancement.
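The post-deserialization check suggested in the thread could look like the sketch below. It is an added example, not code from policy-server or from any commenter. The names `KNOWN_KEYS`, `unknown_keys` and `edit_distance` are hypothetical, the key list contains only the keys shown in the issue, and a simple line scanner stands in for walking the deserialized map.

```rust
// Keys accepted under each policy entry. Assumption: only the keys visible
// in the issue are listed here; the real schema may define more.
const KNOWN_KEYS: [&str; 4] = ["url", "allowedToMutate", "policyMode", "settings"];

// The configuration quoted in the issue, with the `settings` body left empty.
const SAMPLE: &str = "psp-capabilities:
  url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
  allowedToMutate: true
  policyModel: monitor # note: \"policyModel\" should be \"policyMode\"
  settings: {}
";

/// Levenshtein distance, used to suggest the key the user probably meant.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i];
        for j in 1..=b.len() {
            let subst = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur.push(subst.min(prev[j] + 1).min(cur[j - 1] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

/// Returns one error per unknown key found two spaces under a policy name.
/// Simplified line scanner for this file shape, not a YAML parser.
fn unknown_keys(doc: &str) -> Vec<String> {
    let (mut errors, mut policy) = (Vec::new(), "");
    for line in doc.lines().filter(|l| !l.trim_start().starts_with('#')) {
        let key = match line.split_once(':') { Some((k, _)) => k, None => continue };
        let indent = key.len() - key.trim_start().len();
        let key = key.trim();
        if indent == 0 {
            policy = key;
        } else if indent == 2 && !KNOWN_KEYS.contains(&key) {
            let hint = KNOWN_KEYS.iter().min_by_key(|k| edit_distance(key, k)).unwrap();
            errors.push(format!("{}: unknown key `{}`, did you mean `{}`?", policy, key, hint));
        }
    }
    errors
}

fn main() {
    for e in unknown_keys(SAMPLE) { eprintln!("{}", e); }
}
```

Keys nested under `settings` are deliberately not checked, since they are specific to each policy.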