Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: raw policy validation #357

Merged
merged 6 commits into from
Oct 24, 2023
Merged

feat: raw policy validation #357

merged 6 commits into from
Oct 24, 2023

Conversation

fabriziosestito
Copy link
Contributor

@fabriziosestito fabriziosestito commented Oct 20, 2023
edited by viccuad
Loading

Description

Change the policy evaluator and the existing runtimes to support "raw" policy requests.
Raw requests are generic requests that are not in the form of Kubernetes AdmissionRequests.
The AdmissionRequest type has been moved from the policy-server to this repo, which already contains the AdmissionResponse type.

The ValidatieRequest type has been refactored into an Enum type to support the new variant and runtimes have been changed accordingly.
The only exception is the Gatekeeper execution mode, being Gatekeeper k8s only by nature.

Note that we are still using the AdmissionResponse type as the return type of an evaluation since it is generic enough. The only difference is that we will not wrap it inside an AdmissionReview in the policy server if the user has requested a raw policy validation.

Related to: kubewarden/kubewarden-controller#527

Test

Since the current testing is structured this way, most of the tests are done in the policy-server e2e tests.
We could improve this by adding runtime-related integration tests inside this crate.

See: #358

Additional Information

Tradeoff

@fabriziosestito fabriziosestito marked this pull request as ready for review October 20, 2023 09:49
@fabriziosestito fabriziosestito requested a review from a team as a code owner October 20, 2023 09:49
@fabriziosestito fabriziosestito self-assigned this Oct 20, 2023
@fabriziosestito fabriziosestito added kind/enhancement New feature or request kind/feature and removed kind/enhancement New feature or request labels Oct 20, 2023
viccuad
viccuad approved these changes Oct 23, 2023
View reviewed changes
Copy link
Member

@viccuad viccuad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Looking forward to the RFC and the possibility of different endpoints in policy-server!

Given that this is a POC, is it ok with merging against main? (or at least, should we wait for the test infra work?)

flavio
flavio requested changes Oct 24, 2023
View reviewed changes
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Everything looks good to me, I left some minor suggestions.

I think it's fine to merge this code into the main branch once the review is green. I don't consider this a POC anymore, the code is actually working and delivering the whole feature

src/policy_evaluator.rs Outdated Show resolved Hide resolved
src/runtimes/burrego.rs Outdated Show resolved Hide resolved
src/runtimes/wapc.rs Outdated Show resolved Hide resolved
src/runtimes/wasi_cli/runtime.rs Outdated Show resolved Hide resolved
@fabriziosestito
feat: add AdmissionRequest type
23059ad 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito
feat: refactor ValidateRequest to an Enum and add Raw request variant
8b8f0be 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito
feat: support raw requests in runtimes
9a94e36 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito
chore: apply cargo clippy suggestions to tests
0ec6a82 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito
docs: add docstring to ValidateRequest
3350f97 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
@fabriziosestito
docs: add docstring to AdmissionRequest
4850533 
Signed-off-by: Fabrizio Sestito <fabrizio.sestito@suse.com>
flavio
flavio approved these changes Oct 24, 2023
View reviewed changes
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for having applied the requested changes

@fabriziosestito fabriziosestito merged commit 06e158e into kubewarden:main Oct 24, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@viccuad viccuad viccuad approved these changes

@flavio flavio flavio approved these changes

Assignees

@fabriziosestito fabriziosestito

Labels
kind/feature
Projects
Kubewarden
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fabriziosestito @flavio @viccuad