Feature Request
Resolution: Done
Major
rhacs-4.3.0
Business Problem:
Customer would like to have a policy that can alert when a Deployment has a specific label.
Use Cases:
Desired behavior:
ACS Policy will trigger a violation when
EITHER
(1) Deployment DOES NOT have the label abc.com/product-code
OR
(2) Deployment DOES have the label abc.com/product-code with the value "undefined"
Current behavior:
(1) Can be accomplished with a required label criteria
(2) Can NOT be accomplished with policy criteria, because there is no "Disallowed Deployment Label" criteria
Workaround:
Create TWO policies:
(1) One that uses the required label for abc.com/product-code to identify deployments that are missing the label.
(2) One that creates an automatic violation (for example, by requiring a label that will never exist) and uses the Inclusion Scope with a label of abc.com/product-code : undefined to limit application to deployments that have that "disallowed" label.
The best solution for the desired behavior is to add "Disallowed Label" as a Deployment metadata policy criteria.
Key Functionality:
Add Disallowed label to Deployment metadata policy criteria.
Allow user to specify Key and/or Value for Deployment labels, supporting regular expressions.
ACS will indicate a violation for Deployments that contain a label that meets the criteria.
Benefits:
This gives customers more flexibility in defining ACS policies and identifying Deployments that violate customer policies.
Acceptance criteria:
Customer can create an ACS policy that will trigger a violation when a Deployment has a label that matches the specified criteria, using regular expressions for the key and/or value.
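The desired behavior and the key/value regular-expression matching described above, sketched as an added example (this is not RHACS code and not part of the original request). The function names, the rule format, and whole-string regex matching are assumptions made for illustration.

```python
import re

REQUIRED_KEY = "abc.com/product-code"  # label named in the request
# Hypothetical rule format: (key regex, value regex); None means "any".
DISALLOWED = [(r"abc\.com/product-code", r"undefined")]


def disallowed_hits(labels, rules):
    """Return sorted (key, value) pairs that match any disallowed rule.

    Assumption: a pattern must match the whole key or value (re.fullmatch),
    so "undefined" does not also catch "undefined-temp".
    """
    hits = set()
    for key_re, val_re in rules:
        for key, value in labels.items():
            key_ok = key_re is None or re.fullmatch(key_re, key)
            val_ok = val_re is None or re.fullmatch(val_re, value)
            if key_ok and val_ok:
                hits.add((key, value))
    return sorted(hits)


def evaluate(deployment):
    """Return violation messages for one deployment (empty list = compliant)."""
    labels = deployment.get("labels") or {}  # a deployment may carry no labels
    violations = []
    # Case (1): the required label is absent.
    if REQUIRED_KEY not in labels:
        violations.append(f"missing required label {REQUIRED_KEY}")
    # Case (2): a label is present that matches a disallowed key/value rule.
    for key, value in disallowed_hits(labels, DISALLOWED):
        violations.append(f"disallowed label {key}={value}")
    return violations


# Constructed sample deployments, not taken from any real cluster.
SAMPLE = [
    {"name": "billing", "labels": {"abc.com/product-code": "PC-1042"}},
    {"name": "legacy", "labels": {"app": "legacy"}},
    {"name": "scratch", "labels": {"abc.com/product-code": "undefined"}},
    {"name": "edge", "labels": {"abc.com/product-code": "undefined-temp"}},
    {"name": "bare", "labels": None},
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d["name"], evaluate(d) or "ok")
```

With whole-string matching, the "edge" deployment passes; a value pattern such as `undefined.*` would be needed to flag it as well.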
Implementation Suggestions (optional):
- Mirror the functionality of the Disallowed annotation and Disallowed image label criteria
Timeline:
ASAP