Comments (8)
May need a diffing ability to support policy YAML removals. Rendering is one way currently (YAML source => MD files), and when an MD is rendered, the source policy file is removed, the resulting MD has to be manually deleted. May be best to implement this as a flag like `--clear` which, when pointed at a dir with any files present, requires setting said flag in order to run. The target dir would then get cleared before any files are rendered, ensuring the policies and the MD are in sync after each run. If pointed to a dir with any files and `--clear` is not set, render exits printing a message to this effect.
from website.
@chipzoller - do we need anything at this point, or should we close this?
from website.
We could really use some fixes here including solving of the double slash and ability to render into a relative directory with ability to overwrite existing files. Currently the render program is a multi-step process when trying to refresh all the rendered policies.
from website.
Chip, can you please provide more details on each requirement? These do not seem difficult to do, but want to make sure I understand the asks correctly.
from website.
Yes, certainly.
- When calling `render`, somewhere in the Go it produces double slashes within the Markdown files. This is also documented here. While this does not cause any noticeable problems, it isn't correct. For example, this is what is rendered under the Policy Definition header which provides the link back to the corresponding policy YAML file in kyverno/policies: `<a href="https://github.com/kyverno/policies/raw/main//best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml" target="-blank">/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml</a>`. You can observe the double slash between `main` and `best-practices` in the `a href` tag.
- When cloning kyverno/website locally, which means it will be cloned with the Markdown files for all the policies, and then running `render`, all the policies will be rendered to the working directory for `render` which is the `/render` directory. The `render` binary does not accept a location for these files in relation to the working directory, for example `../content/en/policies` (which is where they all end up).
- Further to number two above, the `render` program should be able to, if an optional flag is passed, overwrite files in the destination directory if present. The result of numbers two and three would be only a single-step process to render new policies whereas, presently, it's more than that as they need to be rendered, the destination directory cleared (optional), then moved, then committed.
- When there's a failure encountered by `render` in the output, it can be tricky to spot because you have to scroll back through all the output (which gets lengthier the more policies we add) and ensure there were no errors thrown. Sometimes this has resulted in Markdown files being absent when such an error is encountered. It'd be very nice if `render` could collect any errors encountered and show them as the final output on a run (and exiting with a `1` for automation purposes) so it's clear what steps need to be taken.
- YAML files appear to be parsed regardless of their names and if their `spec` is an array then `render` will print an error like `failed to decode file \openshift\disallow-deprecated-apis\resources.yaml: json: cannot unmarshal array into Go struct field ClusterPolicy.spec of type v1.Spec`
- The rendering needs to be more selective on which YAML files it considers. We are now seeing issues with it rendering a YAML file of a Kasten K10 `Policy` resource which is not the same as a Kyverno Policy. Example here. For now, these require manual removal after the rendering process which is not ideal.
Hopefully this all makes sense.
from website.
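An added sketch, not code from the `render` tool or from anyone in this thread, of two of the requests in the comment above: building the policy link with exactly one slash, and rendering a file only when both its API group and its kind identify a Kyverno policy. The helper names (`policyURL`, `topLevel`, `isKyvernoPolicy`), the sample documents and the standard-library line scan used in place of a real YAML decoder are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Link prefix as quoted in the issue (it already ends in a slash).
const rawBase = "https://github.com/kyverno/policies/raw/main/"

type file struct{ path, doc string }

// Constructed sample inputs, not files from the real repositories.
var samples = []file{
	{"/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml",
		"apiVersion: kyverno.io/v1\nkind: ClusterPolicy\nspec:\n  rules: []\n"},
	{"/constructed/k10-backup.yaml",
		"apiVersion: config.kio.kasten.io/v1alpha1\nkind: Policy\nspec: {}\n"},
}

// policyURL joins base and a repo-relative path with exactly one slash.
func policyURL(base, rel string) string {
	rel = strings.ReplaceAll(rel, `\`, "/")
	return strings.TrimRight(base, "/") + "/" + strings.TrimLeft(rel, "/")
}

// topLevel returns the value of the first unindented "key:" line, or "".
func topLevel(doc, key string) string {
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, key+":") {
			return strings.Trim(strings.TrimSpace(line[len(key)+1:]), `"'`)
		}
	}
	return ""
}

// isKyvernoPolicy matches API group and kind, so a foreign "Policy" kind is skipped.
func isKyvernoPolicy(doc string) bool {
	kind := topLevel(doc, "kind")
	return strings.HasPrefix(topLevel(doc, "apiVersion"), "kyverno.io/") &&
		(kind == "ClusterPolicy" || kind == "Policy")
}

func main() {
	for _, f := range samples {
		if isKyvernoPolicy(f.doc) {
			fmt.Println(policyURL(rawBase, f.path))
		}
	}
}
```

The line scan only reads the first document in a file; a multi-document YAML file would need each document checked separately.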
Include #547
from website.
Double slashes still appear in output.
from website.
Please create an issue with the full command details.
from website.