docs: update vap doc and demo #3502
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
JaydipGabani
approved these changes
Aug 17, 2024
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com> Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Jaydipkumar Arvindbhai Gabani <gabanijaydip@gmail.com> Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
maxsmythe
reviewed
Aug 19, 2024
|
|
||
| For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook. | ||
|
|
||
| Gatekeeper is configured to generate K8s Validating Admission Policy (VAP) resources for all constraint templates globally if `--default-create-vap-for-templates=true` flag is set. This flag defaults to `false` at this time to not generate VAP resources by default. | ||
| The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper | ||
| `--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with cel engine, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. |
There was a problem hiding this comment.
"all Constraint Templates that have VAP CEL code" (or use the actual engine name, IIRC K8sNativeValidation?)
We don't want to conflate CEL with VAP, because that will be a common, and very misleading, mistake. It assumes that VAP code can be accepted anywhere CEL is interpreted, which is very much not true.
There was a problem hiding this comment.
added VAP to CEL engine where applicable
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
JaydipGabani
approved these changes
Aug 19, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when the PR gets merged):Fixes #
Special notes for your reviewer: