Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5794

RHACS: Add Disallowed Label to Policy Criteria

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Major Major
    • None
    • rhacs-4.3.0
    • Policy Management , RHACS
    • False
    • None
    • False
    • Not Selected

      Business Problem:

      Customer would like to have a policy that can alert when a Deployment has a specific label.

      Use Cases:

      Desired behavior:
      ACS Policy will trigger a violation when
      EITHER
      (1) Deployment DOES NOT have the label abc.com/product-code
      OR
      (2) Deployment DOES have the label abc.com/product-code with the value "undefined"

      Current behavior:
      (1) Can be accomplished with a required label criteria
      (2) Can NOT be accomplished with policy criteria, because there is no "Disallowed Deployment Label" criteria

      Workaround:
      Create TWO policies:
      (1) One that uses the required label for abc.com/product-code to identify deployments that are missing the label.
      (2) One that creates an automatic violation (require a label that will never exist, for example), and use the Inclusion Scope with a label of abc.com/product-code : undefined to limit application to deployments that have that "disallowed" label.

      The best solution for the desired behavior is to add "Disallowed Label" as a Deployment metadata policy criteria.

      Key Functionality:

      Add Disallowed label to Deployment metadata policy criteria.

      Allow user to specify Key and/or Value for Deployment labels, supporting regular expressions.

      ACS will indicate a violation for Deployments that contain a label that meets the criteria.

      Benefits:

      This __ gives customers more flexibility with defining ACS policies and identifying Deployments that violate customer policies

      Acceptance criteria:

      Customer can create an ACS policy that will trigger a violation when a Deployment has a label that matches the specified criteria, using regular expressions for the key and/or value.

      Implementation Suggestions (optional):

      • Mirror the functionality of the Disallowed annotation and Diasallow image label criteria

       

      Timeline:

      ASAP

       

       

              bmichael@redhat.com Boaz Michaely
              sscaling1@redhat.com Skylar Scaling
              Anjali Telang, Boaz Michaely, Doron Caspin, JP Jung, Maria Simon Marcos, Shubha Badve
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: