Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: adding FAQs for multi-engine #3761

Merged
merged 5 commits into from
Jan 8, 2025
Merged

chore: adding FAQs for multi-engine #3761

merged 5 commits into from
Jan 8, 2025

Conversation

JaydipGabani
Copy link
Contributor

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:

@JaydipGabani
adding FAQs for multi-engine
5943ebc 
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
@JaydipGabani JaydipGabani requested a review from a team as a code owner January 6, 2025 21:58
ritazh
ritazh reviewed Jan 7, 2025
View reviewed changes
website/docs/validating-admission-policy.md Outdated

<details>

<summary>Do all engines in a ConstraintTemplate are evaluated? Is there a fallback among engines?</summary>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<summary>Do all engines in a ConstraintTemplate are evaluated? Is there a fallback among engines?</summary>
<summary>Do all engines in a ConstraintTemplate get evaluated? Is there a fallback among engines?</summary>

ritazh
ritazh reviewed Jan 7, 2025
View reviewed changes
website/docs/validating-admission-policy.md Outdated
<details>

<summary>Do all engines in a ConstraintTemplate are evaluated? Is there a fallback among engines?</summary>
Only one engine is evaluated for each ConstraintTemplate. K8sNativeValidation engine hold higher priority than Rego engine. There is no fallback mechanism between engines, hence a logical/syntactical error in policy logic is treated as violation depending on the enforcement action set of the Constraints created for ConstraintTemplate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Only one engine is evaluated for each ConstraintTemplate. K8sNativeValidation engine hold higher priority than Rego engine. There is no fallback mechanism between engines, hence a logical/syntactical error in policy logic is treated as violation depending on the enforcement action set of the Constraints created for ConstraintTemplate.
Only one engine is evaluated for each ConstraintTemplate. `K8sNativeValidation` engine holds a higher priority than the `Rego` engine. There is no fallback mechanism between engines, hence a logical/syntactical error in the policy logic is treated as violation depending on the enforcement action specified in the Constraint.

ritazh
ritazh reviewed Jan 7, 2025
View reviewed changes
website/docs/validating-admission-policy.md Outdated

<details>

<summary>If I have a template with Rego and CEL, which policy logic will be used in evaluating resources?</summary>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<summary>If I have a template with Rego and CEL, which policy logic will be used in evaluating resources?</summary>
<summary>If I have a template with Rego and CEL, which policy engine will be used when evaluating resources?</summary>

ritazh
ritazh reviewed Jan 7, 2025
View reviewed changes
website/docs/validating-admission-policy.md Outdated

<summary>If I have a template with Rego and CEL, which policy logic will be used in evaluating resources?</summary>

K8sNativeValidation engine hold higher priority than Rego engine, so with a ConstraintTemplate that has both Rego and CEL. Policy logic written in CEL will get evaluated.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
K8sNativeValidation engine hold higher priority than Rego engine, so with a ConstraintTemplate that has both Rego and CEL. Policy logic written in CEL will get evaluated.
K8sNativeValidation engine holds a higher priority than the Rego engine, so with a ConstraintTemplate that has both Rego and CEL. Policy logic written in CEL will get evaluated by the K8sNativeValidation engine.

ritazh
ritazh reviewed Jan 7, 2025
View reviewed changes
website/docs/validating-admission-policy.md Outdated
<details>
<summary>Can I change the priority of engines per ConstraintTemplate?
</summary>
Engine priority cannot be set per ConstraintTemplate.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Engine priority cannot be set per ConstraintTemplate.
No, engine priority cannot be modified.

Removing "per ConstraintTemplate" since it makes it look like it can be done but just not per CT.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

@JaydipGabani JaydipGabani requested a review from ritazh January 8, 2025 18:31
@JaydipGabani JaydipGabani requested a review from maxsmythe January 8, 2025 20:00
ritazh
ritazh reviewed Jan 8, 2025
View reviewed changes
website/docs/validating-admission-policy.md
<details>

<summary>Do all engines in a ConstraintTemplate get evaluated? Is there a fallback among engines?</summary>
Only one engine is evaluated for each ConstraintTemplate. `K8sNativeValidation` engine holds a higher priority than the `Rego` engine. There is no fallback mechanism between engines, hence a logical/syntactical error in the policy logic is treated as violation depending on the enforcement action specified in the Constraint.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Only one engine is evaluated for each ConstraintTemplate. `K8sNativeValidation` engine holds a higher priority than the `Rego` engine. There is no fallback mechanism between engines, hence a logical/syntactical error in the policy logic is treated as violation depending on the enforcement action specified in the Constraint.
Only one engine is evaluated for each ConstraintTemplate. The `K8sNativeValidation` engine holds a higher priority than the `Rego` engine. There is no fallback mechanism between engines, hence a logical/syntactical error in the policy logic is treated as a violation depending on the enforcement action specified in the Constraint.

ritazh
ritazh reviewed Jan 8, 2025
View reviewed changes
website/docs/validating-admission-policy.md

<summary>If I have a template with Rego and CEL, which policy engine will be used when evaluating resources?</summary>

K8sNativeValidation engine holds a higher priority than the Rego engine, so with a ConstraintTemplate that has both Rego and CEL. Policy logic written in CEL will get evaluated by the K8sNativeValidation engine.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
K8sNativeValidation engine holds a higher priority than the Rego engine, so with a ConstraintTemplate that has both Rego and CEL. Policy logic written in CEL will get evaluated by the K8sNativeValidation engine.
The K8sNativeValidation engine holds a higher priority than the Rego engine. If a ConstraintTemplate has both Rego and CEL, then the policy logic written in CEL will get evaluated by the K8sNativeValidation engine.

ritazh
ritazh approved these changes Jan 8, 2025
View reviewed changes
Copy link
Member

@ritazh ritazh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just few nits. otherwise LGTM

maxsmythe
maxsmythe approved these changes Jan 8, 2025
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ritazh ritazh merged commit e0f0b81 into open-policy-agent:master Jan 8, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

@ritazh ritazh ritazh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JaydipGabani @ritazh @maxsmythe