Move pre-processors to policy or rule declaration
JimBugwadia opened this issue · comments
Problem Statement
The pre-processors do not add much value and can lead to confusing results if the same policy is applied without the --pre-processor flag.
It seems best to require that policy rule declarations are complete in how they reference data in the JSON payload and not spread processing logic across the rule declaration and pre-processing declarations.
Also, for the web application form factor, pre-processors require creating an outer request type with the fields payload and pre-processors. It would be simpler to simply add the JSON payload to the POST body.
Solution Description
Remove pre-processors.
Alternatives
No response
Additional Context
No response
Slack discussion
No response
Research
- I have searched other issues in this repository and mine is not recorded.
This doesn't sound doable to me.
Updated based on recent discussions. It makes sense to keep a pre-processing option, but it may be best to declare and manage it as part of the policy:
Something like this:
```yaml
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: fs-read-only
spec:
  select:
    - "planned_values.root_module.resources[]"
  identifier: "address"
  rules:
    - name: require-fs-read-only
      match:
        any:
          - type: aws_ecs_task_definition
      assert:
        any:
          - message: ECS containers only have read-only access to root filesystems
            check:
              values:
                ~.(json_parse(container_definitions)):
                  readonlyRootFilesystem: true
```
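To make the proposed policy-level pre-processing concrete, here is an added example (not code from the issue author or from kyverno-json) that evaluates the semantics of the policy above in plain Python against a constructed Terraform plan. It walks the `select` path, labels each selected resource by the `identifier` field, applies the `type` match, and runs the assertion: `container_definitions` is a JSON-encoded string in the plan, so it is parsed with `json.loads` (standing in for `json_parse`) and every container must set `readonlyRootFilesystem: true`. The kyverno-json assertion-tree syntax (`~.(...)`) is not parsed here; the check is hand-written. The sample plan, the `SAMPLE_PLAN`/`POLICY` names and the path walker are assumptions for this illustration. The example also shows the failure mode the issue describes: if the same rule is evaluated without the selection step, the top-level document has no `type`, nothing matches, and the policy silently passes.

```python
import json

# Constructed sample Terraform plan (not real terraform output), trimmed to the
# fields the policy uses. One task definition has a container that is not read-only.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_ecs_task_definition.api",
                    "type": "aws_ecs_task_definition",
                    "values": {
                        # Terraform stores container_definitions as a JSON string.
                        "container_definitions": json.dumps([
                            {"name": "api", "readonlyRootFilesystem": True},
                            {"name": "sidecar", "readonlyRootFilesystem": False},
                        ])
                    },
                },
                {
                    "address": "aws_ecs_task_definition.worker",
                    "type": "aws_ecs_task_definition",
                    "values": {
                        "container_definitions": json.dumps([
                            {"name": "worker", "readonlyRootFilesystem": True},
                        ])
                    },
                },
                {
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "values": {"bucket": "logs"},
                },
            ]
        }
    }
}


def select(payload, path):
    """Minimal path walker for the proposed `select` field (assumption: dotted
    keys, and a segment ending in '[]' expands the list it names)."""
    current = [payload]
    for segment in path.split("."):
        expand = segment.endswith("[]")
        key = segment[:-2] if expand else segment
        nxt = []
        for node in current:
            value = node.get(key) if isinstance(node, dict) else None
            if value is None:
                continue
            if expand:
                if isinstance(value, list):
                    nxt.extend(value)
            else:
                nxt.append(value)
        current = nxt
    return current


def matches(resource, match):
    """`match.any`: at least one entry has all of its key/value pairs equal."""
    return any(all(resource.get(k) == v for k, v in m.items()) for m in match["any"])


def check_read_only_root_fs(resource):
    """The assertion from the proposed rule: json_parse(container_definitions),
    then every container needs readonlyRootFilesystem: true.
    Returns the names of failing containers; an empty list means the check passed."""
    raw = resource.get("values", {}).get("container_definitions")
    if raw is None:
        return ["<missing container_definitions>"]
    containers = json.loads(raw)
    return [c.get("name", "?") for c in containers
            if c.get("readonlyRootFilesystem") is not True]


# Policy as a Python structure mirroring the YAML above (the `check` callable
# stands in for the assertion tree).
POLICY = {
    "select": ["planned_values.root_module.resources[]"],
    "identifier": "address",
    "rules": [{
        "name": "require-fs-read-only",
        "match": {"any": [{"type": "aws_ecs_task_definition"}]},
        "message": "ECS containers only have read-only access to root filesystems",
        "check": check_read_only_root_fs,
    }],
}


def evaluate(policy, payload):
    """Return one violation per (rule, selected resource) whose check fails.
    With no `select`, the whole payload is the only candidate, which is exactly
    the confusing silent pass the issue warns about."""
    paths = policy.get("select") or []
    roots = [r for p in paths for r in select(payload, p)] if paths else [payload]
    violations = []
    for resource in roots:
        ident = resource.get(policy["identifier"], "<no identifier>")
        for rule in policy["rules"]:
            if not matches(resource, rule["match"]):
                continue
            failed = rule["check"](resource)
            if failed:
                violations.append({"rule": rule["name"], "resource": ident,
                                   "message": rule["message"], "containers": failed})
    return violations


if __name__ == "__main__":
    for v in evaluate(POLICY, SAMPLE_PLAN):
        print(f"{v['resource']}: {v['message']} (containers: {', '.join(v['containers'])})")
```

Running it reports only `aws_ecs_task_definition.api` (for the `sidecar` container); the `worker` task passes and the S3 bucket is never matched. Dropping `select` from the policy yields no violations at all, which is the kind of result that looks like a pass but is really a rule that never ran against the intended objects.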