
feat(workload): native CEL rule validation for rendered GitOps manifests (google/cel-go) #5693

Description

@devantler

🤖 Generated by the Daily AI Assistant

Part of #5344 (validate/scan all GitOps layers in-process). Captures the stay-native decision recorded in #5624 as an actionable slice.

Problem

workload validate covers schema correctness (kubeconform, per-layer attributed) but has no way to enforce semantic/policy rules ("every Deployment sets resources.requests", "images must be pinned by digest", "no :latest tags") over the rendered output. Flux 2.9's flux schema plugin and external tools (kyverno CLI — blocked per #5355; conftest/OPA) all bolt on an external binary, against KSail's in-process/zero-dependency principle.

Proposal

Embed google/cel-go in the validate pipeline as an optional rule layer:

Acceptance criteria

  • workload validate evaluates CEL rules against every rendered doc in-process (no external binary), with pass/fail + attributed violation output.
  • Rules are optional and behaviour without a rules file is unchanged.
  • Unit tests: rule pass, rule fail (attributed), invalid expression (clear compile error naming the rule), severity handling.
  • Docs: reference page + example rules file.

Rough size

M — the render+attribution plumbing exists; the slice is the CEL env, rules-file schema, evaluation loop, and reporting. Decompose further if the flag/config surface grows.
