gatekeeper
User Scoped Mutations
Is it currently possible to scope mutations by username?
Example: A mutation that adds a certain label to a pod if it was created by a certain user or list of users.
This kind of scoping is easily done in constraints with rego but it does not seem possible with mutations.
If it is not possible, are there any plans to include this feature?
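For reference, this is what the "easy in constraints with Rego" part looks like. It is an added example, not code from the issue or from the Gatekeeper project: a ConstraintTemplate that reads the requesting user from `input.review.userInfo.username` (the AdmissionReview `userInfo` Gatekeeper exposes to Rego) and requires a label on pods created by users listed in the constraint's parameters. The template name, the `users` and `label` parameters, and the user names are assumptions chosen for the example.

```yaml
# Added example: scope a validation constraint to a list of usernames.
# Template/constraint names and parameters are hypothetical.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirelabelforusers
spec:
  crd:
    spec:
      names:
        kind: K8sRequireLabelForUsers
      validation:
        openAPIV3Schema:
          type: object
          properties:
            users:
              type: array
              items:
                type: string
            label:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirelabelforusers

        # Authenticated identity of the request, as sent in AdmissionReview.userInfo.
        # For objects created by controllers this is the controller's service
        # account (system:serviceaccount:<ns>:<name>), not the human operator.
        requester := input.review.userInfo.username

        # True only when the requester is one of the users named in the constraint.
        scoped_user {
          input.parameters.users[_] == requester
        }

        violation[{"msg": msg}] {
          scoped_user
          not input.review.object.metadata.labels[input.parameters.label]
          msg := sprintf("pods created by %v must carry the %q label",
                         [requester, input.parameters.label])
        }
---
# Constraint instance: only alice and bob are in scope (assumed names).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireLabelForUsers
metadata:
  name: team-a-pods-need-owner-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    users: ["alice", "bob"]
    label: "owner"
```

Because the whole decision happens inside the Rego body, per-user scoping is just another condition on `input.review`; mutators have no equivalent hook into the request, which is what the question is asking about.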
It's not currently possible.
Also I'm not sure scoping by username would be the best approach for the above example, as that context may not always be available. For instance, if a deployment controller creates the pod, the user would be the deployment controller's service account (not the original creator of the deployment). There may be a nuance I'm missing.
That being said, the ability to access request metadata to assign values to a resource is something I think we've seen interest in. That would make something like this possible:
- Create an `AssignMetadata` mutator that sets a `creator` label to the name of the user when the pod is created
- Create an `Assign` mutator that injects a sidecar using the created label as its `match` criteria.
The above flow would require that request metadata feature, which currently does not exist.
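The two-mutator chain sketched in that reply, written out as an added example (not code from the issue or from the Gatekeeper project). Both CRDs, the `metadata.labels.creator` location, the `labelSelector` match and the `spec.containers[name:...]` list-item location are real Gatekeeper mutation syntax; what is assumed is the label value, since nothing in the mutation API can read the request's `userInfo`, so the first mutator has to be given a literal value here. The mutator names, the sidecar name and the image are also assumptions.

```yaml
# Step 1: stamp a creator label on every new Pod.
# In current Gatekeeper the value must be a literal; there is no way to
# reference AdmissionReview.userInfo here, which is the missing feature.
apiVersion: mutations.gatekeeper.sh/v1
kind: AssignMetadata
metadata:
  name: stamp-creator-label
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  location: "metadata.labels.creator"
  parameters:
    assign:
      value: "alice"   # hypothetical: would need to come from the request user
---
# Step 2: inject a sidecar only into Pods that carry that label.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: inject-audit-sidecar
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    labelSelector:
      matchLabels:
        creator: "alice"
  # List-item location: creates or replaces the container named audit-sidecar.
  location: "spec.containers[name:audit-sidecar]"
  parameters:
    assign:
      value:
        name: audit-sidecar
        image: registry.example.com/audit-sidecar:1.0   # assumed image
```

Before relying on a chain like this, create a Pod and inspect it with `kubectl get pod <name> -o yaml` to confirm both the label and the sidecar landed; the second mutator only matches if the first has already applied when its `labelSelector` is evaluated. The caveat from the reply also applies: even with a request-metadata feature, a Pod created by a Deployment would be stamped with the controller's service account, not the person who created the Deployment.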
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.