Add support for metadata.gatekeeper.sh/requires-sync-data #2393
Comments
We have a similar issue for GK version: open-policy-agent/frameworks#240. It would be nice to align checking for these metadata fields.
Are we validating only on constraint creation or is the mere existence of a constraint with this annotation on the cluster enough to require that resource to be synced?
IMO existence... this can be checked by looking at the value of the sync config:
This will probably require adding a watch on the sync config to the constraint reconciler (or vice versa). Because constraints are dynamically typed (e.g. their kinds are not known in advance), this may be difficult to do.
Hi @apeabody, are you by chance working on this? I was thinking of picking it up.
Hi @anlandu - Thanks for reaching out! I'm not currently working on this, but I think it is valuable.
Docs for this should be added as well: open-policy-agent/gatekeeper-library#261
@anlandu @julianKatz @acpana can you please update this issue with what still remains in order to close that issue out? Thank you!
Sure, I can take a stab at answering that: #3030 adds the sync_controller and readiness support for syncsets. There is still a need to design and implement the error reporting/UX being described in the proposal for when a ConstraintTemplate doesn't have a GVK covered by any of the sync sources (syncsets or config).
SyncSet integration with metadata.gatekeeper.sh/requires-sync-data blocker:
Before the integration is in place, this annotation is used for informational and documentation purposes. With Gator sync test support, users can discover the lack of a SyncSet resource as part of the test suite.
Describe the solution you'd like
Write an error in status if the required data specified in metadata.gatekeeper.sh/requiresSyncData is not part of the sync resource.

Background: open-policy-agent/gatekeeper-library#251 (comment)
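
The check this issue asks for, sketched as an added example (not Gatekeeper's code and not part of the original thread): given the annotation value and the set of GVKs currently covered by the sync sources, report which requirements no synced resource satisfies. The annotation format (quote-wrapped JSON, a list of requirements, each a list of alternative clauses with `groups`, `versions` and `kinds`) is assumed here, and `GVK`, `clause`, `UnmetRequirements` and `sample` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// GVK is one synced resource type; clause expands to groups x versions x kinds.
type GVK struct{ Group, Version, Kind string }
type clause struct{ Groups, Versions, Kinds []string }

// Constructed sample: requirement 0 is Ingress (either API group), requirement 1 is Namespace.
const sample = `"[
  [{"groups": ["extensions", "networking.k8s.io"], "versions": ["v1beta1", "v1"], "kinds": ["Ingress"]}],
  [{"groups": [""], "versions": ["v1"], "kinds": ["Namespace"]}]
]"`

// UnmetRequirements returns the indexes of requirements with no synced alternative.
// Assumed format: quote-wrapped JSON list of requirements, each a list of alternative clauses.
func UnmetRequirements(annotation string, synced map[GVK]bool) ([]int, error) {
	var reqs [][]clause
	raw := strings.Trim(strings.TrimSpace(annotation), `"`)
	if err := json.Unmarshal([]byte(raw), &reqs); err != nil {
		return nil, fmt.Errorf("parsing requires-sync-data: %w", err)
	}
	var unmet []int
	for i, alternatives := range reqs {
		met := false
		for _, c := range alternatives {
			for _, g := range c.Groups {
				for _, v := range c.Versions {
					for _, k := range c.Kinds {
						met = met || synced[GVK{g, v, k}]
					}
				}
			}
		}
		if !met {
			unmet = append(unmet, i)
		}
	}
	return unmet, nil
}

func main() {
	unmet, err := UnmetRequirements(sample, map[GVK]bool{{"networking.k8s.io", "v1", "Ingress"}: true})
	fmt.Println(unmet, err) // requirement 1 (Namespace) has no synced resource
}
```

A non-empty result is what would be surfaced as the status error; a parse failure is returned separately so a malformed annotation is not mistaken for missing sync data.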