CEL expression for ValidatingAdmissionPolicies gets very complex if they are testing for a negative and the documentation might lead people down the wrong path.
#41,393 opened on 2023年5月31日
Repository metrics
- Stars
- (4,127 stars)
- PR merge metrics
- (平均マージ 16d 13h) (30d で 160 merged PRs)
説明
This is a Feature Request
What would you like to be added Some examples for CEL where there are a ton of guards clauses for labels and/or annotations. Because of potential for bug: https://github.com/kubernetes/kubernetes/issues/118230 it would be very useful to include something like:
!has(object.metadata.labels) || (has(object.metadata.labels) && !("helm.sh/chart" in object.metadata.labels)) || (has(object.metadata.labels) && "helm.sh/chart" in object.metadata.labels && !object.metadata.labels["helm.sh/chart"].startsWith('other'))
as an example to bar the other helm chart (or a chart starting with that name. Include the - or switch to a regex for more precise matching. The current docs might also lead people astray in that it might suggest has() is usable in this can with the usage of __dot__ and friends.
Why is this needed
And since one might be tempted to use has() for the labels with the __dot__ and other replacements the example will help a lot I think from people hitting their heads against the wall while there is still very little to find about this alpha feature.
A CEL expression can be very complex when doing any CEL rule to do with labels or annotations. (tons of guard clauses) Maybe some more complex examples would suffice. The sort of tree like nature of nested guard clauses against missing items, might deserve a sentence or two as well. They get very complex and have a ton of
( !has(object.a) ) || ( has(object.a) && !has (object.a.b) ) || ( has(object.a) && has (object.a.b) && !has (object.a.b.c) ) || ( has(object.a) && has (object.a.b) && has (object.a.b.c) && object.a.b.c != "value" )
just to check that object.a.b.c is not some value. This might warrant a bunch of complex examples so people can go look for the templates but also to give people some context as to why this one uses has() and not in and vice versa.
Comments
Split from: https://github.com/kubernetes/website/issues/41391
About page: https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
See https://github.com/kubernetes/website/issues/41393#issuecomment-3131019276