Enforce policies before updating #366


Open
worawatwi opened this issue Nov 4, 2022 · 3 comments
Labels
kind/enhancement Improvements or new features

Comments

@worawatwi

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Is it possible to have policy validation before updating? Currently we use the Pulumi CLI policy-pack and policy-pack-config options to enforce policies in our CI before preview and update. It would be great if the operator could check for policy violations and raise an error.

Affected area/feature

Pulumi Kubernetes operator

@worawatwi worawatwi added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Nov 4, 2022
@viveklak viveklak removed the needs-triage Needs attention from the triage team label Nov 7, 2022
@viveklak
Contributor

viveklak commented Nov 7, 2022

Thanks for opening the issue. Assigned to @squaremo for consideration/prioritization.

@squaremo
Contributor

squaremo commented Nov 8, 2022

This makes sense as a feature of the operator -- thanks for suggesting it @worawatwi.

@squaremo squaremo removed their assignment Mar 29, 2023
@EronWright
Contributor

EronWright commented May 27, 2025

Thinking about possible designs, a key question would be how to attach policies to stacks, i.e. to form a policy group. Since policies are normally enforced by an administrator, it would make sense here to apply policies at the level of a Kubernetes namespace. Would the system also apply policies that were assigned in Pulumi Cloud via policy groups? That would imply that the stack's choice of backend would affect the applied policies.

Also consider how to support configurable policies (e.g. enforcement level, the allowed instance types, cost allowances, etc.). Perhaps the well-known config format would simply be pasted as a string, as opposed to devising a CRD-friendly variation.

Another aspect is how/where to source the policy packs. Would the system draw from the published policy packs? From volumes or images? Ideally any such image or volume would be automatically attached to the workspace pod without any per-Stack configuration.

One idea would be to introduce a new custom resource type, that an administrator may use to attach policies to the stacks within a given namespace.

apiVersion: pulumi.com/v1alpha1
kind: PolicyGroup
metadata:
  namespace: my-namespace
policyPacks:
- name: <org-name>/<policy-pack-name>
  version: 0.0.1
  config: |
    {
      "all": {
        "enforcementLevel": "disabled"
      },
      "a-policy": {
        "enforcementLevel": "mandatory"
      }
    }

Would it make more sense to provide a "group" object, or should there be an object per policy pack?

Also related, support for Preview: #16
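As an added example, not code from the Pulumi Kubernetes operator and not part of the comments above: the PolicyGroup sketch pastes the well-known policy-pack config in as a JSON string, so whatever consumes it has to parse and validate that string, resolve each policy's enforcement level (the "all" entry is the default, a named entry overrides it, and a policy absent from both keeps the level its pack declares), and refuse the update when a mandatory policy was violated. The script below models exactly that. The PolicyGroup shape is assumed from the comment above, the sample config and the violation records are constructed inline to stand in for what a preview would report, and preview_argv only builds the pulumi preview command line a CI gate runs; nothing here invokes Pulumi.

```python
"""Added example: enforcement-level resolution for a pasted policy-pack config.

Not the operator's code. Assumes the PolicyGroup shape sketched in the issue
(a `config` string per policy pack); violations are constructed sample data.
"""
import json

# Enforcement levels accepted in Pulumi policy config.
LEVELS = {"advisory", "mandatory", "disabled"}


class PolicyConfigError(ValueError):
    """The pasted config string cannot be used to enforce anything."""


def parse_policy_config(text: str) -> dict:
    """Parse the `config` string of one policy pack entry.

    Pulumi allows two forms per key: a bare string naming the enforcement
    level, or an object with `enforcementLevel` plus policy-specific settings.
    Both are normalised to the object form, and unknown levels are rejected so
    a typo cannot silently turn a mandatory policy into a no-op.
    """
    try:
        raw = json.loads(text)
    except json.JSONDecodeError as exc:
        raise PolicyConfigError(f"config is not valid JSON: {exc}") from exc
    if not isinstance(raw, dict):
        raise PolicyConfigError("config must be a JSON object keyed by policy name")
    normalised = {}
    for name, value in raw.items():
        if isinstance(value, str):
            value = {"enforcementLevel": value}
        if not isinstance(value, dict):
            raise PolicyConfigError(f"{name}: expected a string or an object")
        level = value.get("enforcementLevel")
        if level is not None and level not in LEVELS:
            raise PolicyConfigError(f"{name}: unknown enforcementLevel {level!r}")
        normalised[name] = value
    return normalised


def effective_level(config: dict, policy: str, pack_default: str = "advisory") -> str:
    """Resolve one policy's level: its own entry, then "all", then the level
    the pack declares (passed in, since the pack source is not available here)."""
    for key in (policy, "all"):
        entry = config.get(key)
        if entry and entry.get("enforcementLevel"):
            return entry["enforcementLevel"]
    return pack_default


def blocking_violations(config: dict, violations: list) -> list:
    """Keep only violations whose effective level is mandatory; advisory ones
    are reported but do not block, disabled ones are dropped entirely."""
    return [
        v for v in violations
        if effective_level(config, v["policy"], v.get("packDefault", "advisory")) == "mandatory"
    ]


def gate(config_text: str, violations: list) -> bool:
    """True when the update may proceed, False when it must be refused."""
    return not blocking_violations(parse_policy_config(config_text), violations)


def preview_argv(policy_pack: str, config_path: str, stack: str) -> list:
    """The `pulumi preview` invocation a CI gate runs before `pulumi up`; a
    non-zero exit from it is what currently fails the pipeline."""
    return ["pulumi", "preview", "--stack", stack, "--non-interactive",
            "--policy-pack", policy_pack, "--policy-pack-config", config_path]


# Constructed sample: the config from the PolicyGroup sketch, plus one
# shorthand (string-valued) entry to exercise that form.
SAMPLE_CONFIG_TEXT = """
{
  "all": {"enforcementLevel": "disabled"},
  "a-policy": {"enforcementLevel": "mandatory"},
  "cost-limit": "advisory"
}
"""

# Constructed sample violations standing in for preview output. The third
# policy is not in the config, so "all" (disabled) overrides its pack default.
SAMPLE_VIOLATIONS = [
    {"policy": "a-policy", "resource": "aws:ec2:Instance web"},
    {"policy": "cost-limit", "resource": "aws:ec2:Instance web"},
    {"policy": "untagged-resource", "resource": "aws:s3:Bucket logs", "packDefault": "mandatory"},
]

if __name__ == "__main__":
    cfg = parse_policy_config(SAMPLE_CONFIG_TEXT)
    for v in SAMPLE_VIOLATIONS:
        print(v["policy"], "->", effective_level(cfg, v["policy"], v.get("packDefault", "advisory")))
    print("update allowed:", gate(SAMPLE_CONFIG_TEXT, SAMPLE_VIOLATIONS))
```

Note that "all": "disabled" in the sample switches off every policy that is not explicitly re-enabled, including ones the pack itself marks mandatory; a PolicyGroup consumer that fails closed should treat a parse error the same way as a mandatory violation rather than falling back to running with no policy at all.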
