I'm currently in the process of updating my Kyverno cluster policies to comply with the new ValidatingPolicy and MutatingPolicy standards, and I'm really struggling with CEL. It feels incredibly complicated, and I can't find any straightforward documentation that explains the CEL syntax in an easy-to-understand way. Am I missing something? Is this language supposed to be user-friendly? Even the basic examples from Kyverno seem quite confusing to me—it's like a whole different world! For instance, here's a simple ValidatingPolicy I've come across:
```yaml
apiVersion: policies.kyverno.io/v1
kind: ValidatingPolicy
metadata:
  name: check-labels
spec:
  validationActions:
    - Deny
  matchConstraints:
    resourceRules:
      - apiGroups: ['']
        apiVersions: [v1]
        operations: [CREATE, UPDATE]
        resources: [pods]
  validations:
    - message: label 'environment' is required
      expression: "'environment' in object.metadata.?labels.orValue([])"
```
Can anyone help me wrap my head around this?
3 Answers
If you're looking to test these policies in CI, it's definitely possible! You can run tests with the Kyverno CLI tool as long as you have it installed in your CI setup. And yes, you can run those tests without needing full cluster access. It's a great way to check that everything works as expected.
Have you checked out the detailed documentation on CEL? It might seem overwhelming, but it provides a pretty solid foundation. I know it can feel dense, but it helps to break down the specifics instead of trying to get it all at once. You might find it beneficial to start with the basics before diving into policies. Hang in there!
Honestly, I recommend just using regex for your rules instead. CEL can be hard to read, and the regex approach is sometimes much clearer! You can find some good practices about label requirements on the Kyverno website too. It's worth checking out!

Thanks for the tip! I actually hadn't looked at the general CEL docs, just the official ones regarding Kyverno. I’ll definitely give it a shot, even if it looks a bit heavy.
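
Added example, not part of the original question or answers: a small Python model of how the expression `'environment' in object.metadata.?labels.orValue([])` from the question evaluates, piece by piece, against Pods with and without labels. The `Optional` class, the helper names and the sample Pods are constructed for illustration; this is not a CEL implementation.

```python
# Minimal model of the CEL optional-type pieces used by the policy expression.

class Optional:
    """Models a CEL optional value: either holds a value or is empty."""
    _NONE = object()

    def __init__(self, value=_NONE):
        self._value = value

    def has_value(self):
        return self._value is not Optional._NONE

    def or_value(self, default):
        # CEL: <optional>.orValue(default) unwraps, or falls back to default.
        return self._value if self.has_value() else default


def opt_select(obj, field):
    """CEL `obj.?field`: an empty optional if the field is absent, not an error."""
    if isinstance(obj, dict) and field in obj:
        return Optional(obj[field])
    return Optional()


def has_environment_label(pod):
    """'environment' in object.metadata.?labels.orValue([])"""
    # `object.metadata` is a plain selection; only `labels` is optional.
    labels = opt_select(pod["metadata"], "labels").or_value([])
    # `in` tests keys when labels is a map, elements when it is the [] default.
    return "environment" in labels


def admit(pod):
    """Return (allowed, message) the way a Deny validation reports it."""
    if has_environment_label(pod):
        return True, ""
    return False, "label 'environment' is required"


# Constructed sample Pods (hypothetical, not from the original post).
PODS = {
    "no-labels": {"metadata": {"name": "a"}},
    "other-label": {"metadata": {"name": "b", "labels": {"app": "web"}}},
    "has-env": {"metadata": {"name": "c", "labels": {"environment": "prod"}}},
    "empty-env": {"metadata": {"name": "d", "labels": {"environment": ""}}},
}

if __name__ == "__main__":
    for name, pod in PODS.items():
        print(name, admit(pod))
```

The `empty-env` case is admitted: the expression checks only that the label key exists, so a policy that needs a meaningful value has to test the value as well.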