feat: add audit mode and reporting in mutate and generate rules #63
base: main
Conversation
Signed-off-by: Vishal Choudhary <[email protected]>
Few questions:
- I expect that those reports will be generated as a result of admission requests. Do we need to consider background scanning?
  IMO background scanning for standard mutation and standard generation isn't needed because we do have mutateExisting rules as well as generateExisting rules and we can generate reports for them too. That's why I have in mind:
  - standard mutation rules --> admission reports
  - standard generation --> admission reports
  - mutateExisting rules --> background scan reports
  - generateExisting rules --> background scan reports
  We need to discuss the effect of setting spec.background and spec.admission in each case.
- Does the value of validationFailureAction have any effect on generating the reports specifically for mutation rules? Given that this field under the spec level is deprecated.
The `properties` field in policy report result is used to add information regarding mutation and generation. A `type` property is used to indicate if the report is for mutate, validate or generate.
For mutate rules, the policy report should indicate, minimally:
- jsonpatch of the mutation
- target of the mutation
The target is only applicable for mutate existing rules.
Good point! The standard mutate rules are applied upon admission review, I don't think we need to refresh the reports for that during the background scan. For mutate existing and generate (regardless of generateExisting) rules, they are applied during the background scan so we do need to generate/refresh reports for these types of rules.
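To make the two points above concrete (the proposal's `properties` entry carrying `type` and `jsonpatch`, and the review note that `target` only applies to mutateExisting rules), here is an added example that is not code from this PR or from Kyverno. It assumes the result entry shape of a wgpolicyk8s.io/v1alpha2 PolicyReport `results` item and assumes `target` is serialized as `kind/namespace/name`; the property names are the ones the proposal text mentions, and the sample resources and report are constructed for the example.

```python
import json

# Added example (not code from the Kyverno PR or project). Builds and checks one
# PolicyReport result entry for a mutate rule. The entry shape follows the
# wgpolicyk8s.io/v1alpha2 PolicyReport "results" item as an assumption; the
# property names "type", "jsonpatch" and "target" are those named in the proposal.

VALID_OPS = {"add", "remove", "replace", "move", "copy", "test"}
VALID_RESULTS = {"pass", "fail", "warn", "error", "skip"}


def mutate_result(policy, rule, patch_ops, resource, mutate_existing=False,
                  target=None, result="pass"):
    """Return a PolicyReport result entry describing one mutation.

    A standard mutate rule patches the admitted resource itself, so no separate
    target is recorded; a mutateExisting rule patches a different object, so a
    target is required. Both mismatches are rejected rather than silently stored.
    """
    if mutate_existing and target is None:
        raise ValueError("mutateExisting results must record a target")
    if not mutate_existing and target is not None:
        raise ValueError("target is only applicable for mutateExisting rules")
    if result not in VALID_RESULTS:
        raise ValueError(f"unknown result {result!r}")
    for op in patch_ops:
        # Every RFC 6902 operation needs a known "op" and an absolute "path".
        if op.get("op") not in VALID_OPS or not str(op.get("path", "")).startswith("/"):
            raise ValueError(f"malformed JSON patch operation: {op}")

    # PolicyReport properties are a string->string map, so the patch is stored
    # as serialized JSON rather than as a nested structure.
    properties = {"type": "mutate", "jsonpatch": json.dumps(patch_ops, sort_keys=True)}
    if target is not None:
        # Assumed serialization for the target reference: kind/namespace/name.
        properties["target"] = "{}/{}/{}".format(
            target["kind"], target["namespace"], target["name"])
    return {
        "policy": policy,
        "rule": rule,
        "result": result,
        "source": "kyverno",
        "properties": properties,
        "resources": [resource],
    }


def mutations_in_report(report):
    """Decode every mutate-type result back into (rule, patch ops, target)."""
    found = []
    for entry in report.get("results", []):
        props = entry.get("properties", {})
        if props.get("type") != "mutate":
            continue  # validate/generate results are left to their own handlers
        ops = json.loads(props["jsonpatch"])
        found.append((entry["rule"], ops, props.get("target")))
    return found


# Constructed sample inputs (not taken from a real cluster).
POD = {"apiVersion": "v1", "kind": "Pod", "namespace": "default", "name": "web"}
CONFIGMAP = {"apiVersion": "v1", "kind": "ConfigMap", "namespace": "default",
             "name": "app-config"}

SAMPLE_REPORT = {
    "apiVersion": "wgpolicyk8s.io/v1alpha2",
    "kind": "PolicyReport",
    "metadata": {"name": "polr-ns-default", "namespace": "default"},
    "results": [
        # Standard mutate rule: admission-time patch of the Pod itself, no target.
        mutate_result("add-default-labels", "add-team-label",
                      [{"op": "add", "path": "/metadata/labels/team", "value": "payments"}],
                      POD),
        # mutateExisting rule: the Pod triggers a patch on an existing ConfigMap.
        mutate_result("sync-config", "label-existing-configmap",
                      [{"op": "add", "path": "/metadata/labels/managed", "value": "true"}],
                      POD, mutate_existing=True, target=CONFIGMAP),
    ],
}

if __name__ == "__main__":
    for rule, ops, target in mutations_in_report(SAMPLE_REPORT):
        print(rule, "->", target or "(admitted resource)", json.dumps(ops))
```

Storing the patch as a JSON string keeps the entry within the string-to-string `properties` map, and a consumer such as a report viewer can recover the exact operations with `json.loads`; rejecting a `target` on a standard mutate rule at construction time keeps admission reports and background-scan reports distinguishable by their properties alone.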
Signed-off-by: Vishal Choudhary <[email protected]>
Summary
This proposal discusses ways to capture mutate and generate rule results in existing policy reports.