🐊 Gatekeeper - Policy Controller for Kubernetes

Results 271 gatekeeper issues

**Describe the solution you'd like** We should add a notation to log lines that are semantic (i.e. have machine-readable meaning and are subject to backwards-compatibility requirements, as designed by https://docs.google.com/document/d/1ap7AKOupNcR_42s8mkSh5FV9eteXTd4VCqelKst73VY/edit#heading=h.ufjdqaszum9t...

enhancement
help wanted
triaged

I want to enforce a policy that if nodeSelector is not present, the pod should not be created. I used the below template and constraint file, but am not getting the expected results. Any...

We aren't able to delete Namespaces in our tests which launch the dummy API Server. This creates cross-talk between tests which use the same Namespaces, and prevents running tests multiple...

bug

**Describe the solution you'd like** Support more sophisticated condition checking on mutation other than the implemented pathTest. Maybe we can use the existing rego engine to do such checking. **Anything...

enhancement

Mutations appear to be developing semantic logging, much like other parts of Gatekeeper. We should figure out which log entries are meant to be machine-readable and formalize their format and...

enhancement
mutation

We want to redirect audit logs to a file, but all the args that we found are not working. **Environment:** DEV - Gatekeeper version: 3.5.2 - Kubernetes version: (use `kubectl version`): 1.20.0 args:...

enhancement

**Describe the solution you'd like** Gatekeeper Config only allows Namespace exclusions on prefix matching: https://github.com/open-policy-agent/gatekeeper/blob/19ee221352a4d34ea659512e5ab376bae5fc17b8/pkg/util/prefix_wildcard.go#L7-L10 It'd be useful to support regex matches too (or at least suffix matching). It would...

enhancement
triaged

**What steps did you take and what happened:** Resources that are in violation of a constraint can't be deleted from ArgoCD with "foreground" delete (default for ArgoCD). ArgoCD stays in...

bug

**Describe the solution you'd like** As a simple example, if we want to run `kubectl run nginx --image quay.io/base-image/nginx:latest ` At present, we can define a constraint template/constraint to allow...

enhancement

**Describe the solution you'd like** In current helmchart, I see validating webhook only has a negative namespace label matcher for `admission.gatekeeper.sh/ignore`. In our current use case we would like to...

enhancement