🤖 Generated by the Daily AI Assistant
Part of #5344 (validate/scan all GitOps layers in-process). Captures the stay-native decision recorded in #5624 as an actionable slice.
Problem
workload validate covers schema correctness (kubeconform, per-layer attributed) but has no way to enforce semantic/policy rules ("every Deployment sets resources.requests", "images must be pinned by digest", "no :latest tags") over the rendered output. Flux 2.9's flux schema plugin and external tools (kyverno CLI — blocked per #5355; conftest/OPA) all bolt on an external binary, against KSail's in-process/zero-dependency principle.
Proposal
Embed google/cel-go in the validate pipeline as an optional rule layer:
- Rules file (validation-rules.yaml: name, expression, message, severity) loaded from the project; each rendered document (post pkg/svc/gitops/render, so Helm/Kustomize output is covered) is bound as object into the CEL env.
- --rules flag / config field to point at the rules file; absent file = feature off (no behaviour change).
- CEL extension libraries (k8s.io/apiserver CEL library or cel-go's strings/encoders exts) so expressions match what users know from ValidatingAdmissionPolicy.
Acceptance criteria
- workload validate evaluates CEL rules against every rendered doc in-process (no external binary), with pass/fail + attributed violation output.
- Rules are optional and behaviour without a rules file is unchanged.
- Unit tests: rule pass, rule fail (attributed), invalid expression (clear compile error naming the rule), severity handling.
- Docs: reference page + example rules file.
Rough size
M — the render+attribution plumbing exists; the slice is the CEL env, rules-file schema, evaluation loop, and reporting. Decompose further if the flag/config surface grows.