Summary
gator policy generate-catalog and gator policy install --bundle currently appear to support at most one default constraint manifest per ConstraintTemplate per bundle.
This makes it difficult for a catalog bundle to install multiple preconfigured Constraint instances that share the same ConstraintTemplate but use different names/parameters.
Current behavior
The generated catalog shape uses a single string path for each policy/bundle pair, for example:
policies:
- name: exampletemplate
templatePath: library/example/example-template/template.yaml
bundles:
- example-default
bundleConstraints:
example-default: library/example/example-template/samples/default/constraint.yaml
Because bundleConstraints maps each bundle name to one path, a bundle cannot naturally express:
bundleConstraints:
example-default:
- samples/default-a/constraint.yaml
- samples/default-b/constraint.yaml
The generator also discovers constraints from sample directories and picks a single matching/fallback constraint file per bundle, so multiple sample constraints for the same template and bundle cannot all be represented.
Separately, using a single multi-document YAML file does not seem to work with the current installer path, because the installer unmarshals the fetched constraint YAML into one unstructured.Unstructured and installs one object. A Kubernetes List object would also not behave as a set of constraints because the installer expects the object itself to be a constraint.
Desired behavior
It would be useful for Gator catalogs/bundles to support multiple default constraint manifests for the same ConstraintTemplate in the same bundle.
Possible approaches could include one or more of:
- Allow
bundleConstraints values to be a list of paths while preserving compatibility with the existing string form.
- Allow the bundles file passed to
generate-catalog --bundles to specify explicit constraint paths per policy/bundle.
- Teach
policy install to decode and install multiple constraint objects from a single multi-document manifest path.
- Add another catalog field for bundle constraint manifests that can contain multiple objects.
Example use case
A policy catalog may want a single bundle to install:
- one
ConstraintTemplate; and
- multiple default
Constraint instances for that template, each with different parameters, names, match criteria, or enforcement settings.
Today this requires workarounds such as creating catalog-only alias policies, generating the catalog and post-processing it, or splitting a logically single template into multiple templates only to satisfy catalog/install limitations.
Why this matters
Supporting multiple default constraints per template would make Gator-generated catalogs more flexible and would better match how Gatekeeper itself can use one ConstraintTemplate with many Constraint instances.
Summary
gator policy generate-catalogandgator policy install --bundlecurrently appear to support at most one default constraint manifest perConstraintTemplateper bundle.This makes it difficult for a catalog bundle to install multiple preconfigured
Constraintinstances that share the sameConstraintTemplatebut use different names/parameters.Current behavior
The generated catalog shape uses a single string path for each policy/bundle pair, for example:
Because
bundleConstraintsmaps each bundle name to one path, a bundle cannot naturally express:The generator also discovers constraints from sample directories and picks a single matching/fallback constraint file per bundle, so multiple sample constraints for the same template and bundle cannot all be represented.
Separately, using a single multi-document YAML file does not seem to work with the current installer path, because the installer unmarshals the fetched constraint YAML into one
unstructured.Unstructuredand installs one object. A KubernetesListobject would also not behave as a set of constraints because the installer expects the object itself to be a constraint.Desired behavior
It would be useful for Gator catalogs/bundles to support multiple default constraint manifests for the same
ConstraintTemplatein the same bundle.Possible approaches could include one or more of:
bundleConstraintsvalues to be a list of paths while preserving compatibility with the existing string form.generate-catalog --bundlesto specify explicit constraint paths per policy/bundle.policy installto decode and install multiple constraint objects from a single multi-document manifest path.Example use case
A policy catalog may want a single bundle to install:
ConstraintTemplate; andConstraintinstances for that template, each with different parameters, names, match criteria, or enforcement settings.Today this requires workarounds such as creating catalog-only alias policies, generating the catalog and post-processing it, or splitting a logically single template into multiple templates only to satisfy catalog/install limitations.
Why this matters
Supporting multiple default constraints per template would make Gator-generated catalogs more flexible and would better match how Gatekeeper itself can use one
ConstraintTemplatewith manyConstraintinstances.