Use match to define which operations a constraint should be applied

[apeabody]

Describe the solution you'd like
I'd like to use match to define which operations a constraint should be applied. For example:

operations:
  - CREATE
  - UPDATE

Some common operations are CREATE, UPDATE, and DELETE. Perhaps Audit could be indicated by "" or a dedicated value.

operations:
  - ""
  - CREATE

Cheers!

[maxsmythe]

Similar previous discussion: #769

[apeabody]

Thanks @maxsmythe! Correct, the use case goal is to avoid unnecessary evaluation, so something like you suggest in #769 (comment) would work perfectly.

[apeabody]

Hi @maxsmythe - Circling around, I think we might do something "roughly" equivalent with:

    - excludedNamespaces: ["*"]
      processes: ["audit"] 

    - excludedNamespaces: ["*"]
      processes: ["webhook"] 

[maxsmythe]

Is this in the config resource? spec.match has no notion of process.

[apeabody]

Yes, I was looking at this example: https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces

[maxsmythe]

Gotcha. Yeah, if you want a global exemption, that'd be one way to do it.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.