Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement] Documentation should specify where variables are not allowed #1462

Open
abohne opened this issue Jan 24, 2025 · 4 comments
Open

[Enhancement] Documentation should specify where variables are not allowed #1462

abohne opened this issue Jan 24, 2025 · 4 comments
Assignees
@kushal9897
Labels
enhancement New feature or request

Comments

@abohne
Copy link

abohne commented Jan 24, 2025

Description

I've been working on writing a ClusterPolicy that includes a rule with a verifyImages section. I've been trying to source the imageReferences from a context value that contains an array of strings. My policy has failed to validate (without indication why) until I explicitly tried making the value of imageReferences into an array.

At that point, I finally was able to generate the following error

"policy contains invalid variables: rule \"verify-image-signature\" should not have variables in image reference section"

Example rule:

  rules:
    - name: verify-image-signature
      match:
        any:
        - resources:
            kinds:
              - Pod
      context:
        - name: allowedregistryprefixes
          configMap:
            name: allowedregistryprefixes
            namespace: kyverno
      verifyImages:
      - imageReferences: ["{{ parse_yaml(allowedregistryprefixes.data.allowedregistryprefixes) }}"]

This was extremely frustrating to diagnose, only to run into that error. If variables are not allowed in certain portions of a policy, the documentation (both on the main site and the API documentation for ClusterPolicy and Policy) should indicate that.

Slack discussion

No response
@abohne abohne added the enhancement New feature or request label Jan 24, 2025
@welcome Welcome
Copy link

welcome bot commented Jan 24, 2025

Thanks for opening your first issue here! Be sure to follow the issue template!

@kushal9897
Copy link

I'd like to take this on! I'll update the documentation to clarify where variables are not allowed and provide examples. Assigning this to myself.

@kushal9897 kushal9897 mentioned this issue Feb 8, 2025
Open
@abohne
Copy link
Author

abohne commented Feb 10, 2025

#1472 addresses the specific use case that I encountered, but it seems like there are other places that variables are not allowed as well.

E.g. https://github.com/kyverno/kyverno/blob/de0d8e04f840f8027cc4a653262edf04df3b601d/pkg/validation/policy/validate.go#L629

Imo, it would also be nice to document why variables are not allowed in these areas, but at least documenting that they are not allowed would be a welcome first step.

@kushal9897
Copy link

kushal9897 commented Feb 11, 2025
edited
Loading

Thanks for the feedback!

I appreciate the insights! While my current PR (#1472) addresses the imageReferences field, I see that there are other areas where variable interpolation is not allowed. I updated my PR to include documentation for those sections and also provide a brief explanation of why variables are restricted in these areas. I'll review the validation logic in validate.go and make the necessary changes. Let me know if there are any other sections you'd like to highlight!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kushal9897 kushal9897

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@abohne @kushal9897