kyverno / kyverno-json

Kyverno for any JSON!

Home Page: https://kyverno.github.io/kyverno-json/


Move pre-processors to policy or rule declaration

JimBugwadia opened this issue · comments

Problem Statement

The pre-processors do not add much value and can lead to confusing results if the same policy is applied without the --pre-processor flag.

It seems best to require that policy rule declarations are complete in how they reference data in the JSON payload and not spread processing logic across the rule declaration and pre-processing declarations.

Also, for the web application form factor pre-processors require creating an outer request type with the fields payload and pre-processors. It would be simpler to simply add the JSON payload to the POST body.

Solution Description

Remove pre-processors.

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

  • I have searched other issues in this repository and mine is not recorded.

This doesn't sound doable to me.

Updated based on recent discussions... it makes sense to keep a pre-processing option, but it may be best to declare and manage it as part of the policy:

Something like this:

apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: fs-read-only
spec:
  select: 
  - "planned_values.root_module.resources[]"
  identifier: "address"
  rules:
    - name: require-fs-read-only
      match:
        any:
        - type: aws_ecs_task_definition
      assert:
        any:
        - message: ECS containers only have read-only access to root filesystems
          check:
            values:
              ~.(json_parse(container_definitions)):
                  readonlyRootFilesystem: true
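To make the proposal concrete, here is an added illustrative evaluator (not kyverno-json's own code) that applies the `select`, `identifier`, `match` and `assert` steps of the policy above to a constructed Terraform plan JSON payload; the `select` path is resolved by hand rather than with a JMESPath library, and the resource addresses and container names are made up.

```python
import json

# Constructed sample of a Terraform plan JSON payload (not a real plan).
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_ecs_task_definition.web", "type": "aws_ecs_task_definition",
     "values": {"container_definitions": json.dumps([
         {"name": "web", "readonlyRootFilesystem": True},
         {"name": "sidecar", "readonlyRootFilesystem": False},
     ])}},
    {"address": "aws_ecs_task_definition.api", "type": "aws_ecs_task_definition",
     "values": {"container_definitions": json.dumps([
         {"name": "api", "readonlyRootFilesystem": True},
     ])}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {}},
]}}}


def select_resources(payload, path="planned_values.root_module.resources[]"):
    """Resolve the policy's `select` expression by hand: dotted keys descend
    into mappings, and a trailing [] yields the elements of the final list."""
    node = payload
    keys = path[:-2] if path.endswith("[]") else path
    for key in keys.split("."):
        node = node[key]
    return list(node)


def evaluate(payload):
    """Apply the require-fs-read-only rule from the proposed policy.

    Returns {identifier: [names of containers that fail the check]}, keyed by
    the policy's `identifier` field ("address"). Only resources whose `type`
    satisfies `match.any` are evaluated; everything else is skipped.
    """
    results = {}
    for res in select_resources(payload):
        if res.get("type") != "aws_ecs_task_definition":
            continue
        # The ~.(json_parse(container_definitions)) step: the field is a JSON
        # string inside the plan, so parse it and check every element.
        containers = json.loads(res["values"]["container_definitions"])
        failing = [c.get("name") for c in containers
                   if c.get("readonlyRootFilesystem") is not True]
        results[res["address"]] = failing
    return results


if __name__ == "__main__":
    for address, failing in evaluate(PLAN).items():
        status = "PASS" if not failing else f"FAIL (containers: {', '.join(failing)})"
        print(f"{address}: {status}")
```

Running it reports the `sidecar` container of `aws_ecs_task_definition.web` as failing and `aws_ecs_task_definition.api` as passing, while the S3 bucket is never evaluated because it does not match the rule's `type`.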