Multi-target ConstraintTemplate

Open tpolekhin opened this issue 2 years ago • 3 comments

Hello!

I'm using Gatekeeper to validate KCC resources in a GKE cluster. I have a library of constraints and templates written for KCC object structure.

I would like to extend this validation and check objects with different structure, like GCP API representation of the object.

It would be convenient to keep different Rego scripts designed to check for the same thing in one place, but I've noticed that currently ConstraintTemplates support only one Target, so I can't define multiple checks in the same template.

What's the status on the multi-target templates? Are they on the roadmap? What's the timeline?

Or would you recommend not waiting for this to be implemented and seeking another solution, because it can take a long time?

Thanks

tpolekhin, May 13 '22 13:05

Hi!

Sorry for the slow response, but I was working on a design doc that was relevant to this question. I just put it up on this GitHub discussion: https://github.com/orgs/open-policy-agent/discussions/204

maxsmythe, May 28 '22 02:05

@maxsmythe any updates on this?

tpolekhin, Apr 01 '24 03:04

Some progress.

  • Scoped enforcement actions will allow for different enforcement actions depending on the enforcement point, allowing for more distributed enforcement. Implementation of this is under active development.

  • TargetHandler refresh looks at the ValidatingAdmissionPolicy work and highlights that some of the primitives from the original doc could be useful for solving them. Unfortunately, while there is agreement on the rough approach, the relative priority is uncertain, so any signal you can give for demand/use cases would be appreciated. There was also feedback on defining work to minimize the user impact of the migrations contemplated in the TargetHandler refresh doc.

maxsmythe, Apr 03 '24 03:04