I'm in the process of transitioning my Kyverno cluster policies to the new ValidatingPolicy and MutatingPolicy formats, and I'm really finding CEL quite frustrating. The documentation doesn't seem to present the CEL syntax in a straightforward way, and I'm starting to doubt my ability to grasp it.
Is there something I'm missing here? Shouldn't the syntax be more intuitive? Some of the examples I've seen, even the simple ones from Kyverno, feel really convoluted to me. Here's one of the snippets I'm working with:
```yaml
apiVersion: policies.kyverno.io/v1
kind: ValidatingPolicy
metadata:
name: check-labels
spec:
validationActions:
- Deny
matchConstraints:
resourceRules:
- apiGroups: ['']
apiVersions: [v1]
operations: [CREATE, UPDATE]
resources: [pods]
validations:
- message: label 'environment' is required
expression: "'environment' in object.metadata.?labels.orValue([])"
```
2 Answers
Have you checked out the official documentation on CEL? It’s really comprehensive. You'll find it a lot easier if you dig into it. But I get that sometimes it feels like too much for what you're trying to do. Don’t feel bad; it takes time to get used to a new syntax like this!
Testing these new policies can be tricky without cluster access. But yes, the Kyverno CLI allows you to run tests as long as you have the binary set up in your CI pipeline. It’s definitely worth having that configured!
I totally agree! I tried looking at the official docs too but they can drown you in details. It’s tough when you transition from something simpler like JSON.