
[Initiative] ValidatingAdmissionPolicy Engine for Catalog Objects #106

@juliuskrah

Description


Summary

Introduce a ValidatingAdmissionPolicy mechanism in gitstore-api to enforce policy rules against catalog objects at admission time, inspired by Kubernetes Admission Control. Policies are evaluated as part of the validation pipeline established by the parent initiative.

Scope

In Scope

  • Define a ValidatingAdmissionPolicy resource type and a policy evaluation engine within gitstore-api.
  • Allow policies to be expressed as declarative rules (CEL expressions or equivalent) applied to catalog objects.
  • Integrate policy evaluation into the validation pipeline introduced by the parent initiative so every admission request passes through both schema validation and active admission policies.
  • Support a default deny-on-error posture: if policy evaluation fails due to an engine error, the admission request is rejected.
  • Provide built-in baseline policies covering the catalog field constraints currently encoded as hard-coded validation rules.
  • Integration tests for policy evaluation covering ACCEPT, REJECT, and ABSTAIN scenarios.

Out of Scope

  • Mutating admission policies (object transformation on write).
  • Policy storage in an external policy engine (e.g., OPA, Kyverno) — policies are loaded from the compiled binary in this iteration.
  • GUI for authoring or managing policies.
  • Dynamic ordering of policies: policies are evaluated in lexicographic order.

Acceptance Criteria

  • A ValidatingAdmissionPolicy can be defined and loaded by gitstore-api.
  • Policy rules are evaluated against incoming catalog objects during the admission validation flow.
  • A failing policy denies the admission request with a structured error message identifying the policy and rule that failed.
  • An engine error during policy evaluation results in denial (fail-closed).
  • Built-in baseline policies replicate the hard-coded field constraints from schema validation.
  • Integration tests cover: policy allow, policy deny, engine error (deny), and abstain passthrough.
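The engine behaviour the In Scope items and Acceptance Criteria describe (lexicographic policy order, ACCEPT/REJECT/ABSTAIN outcomes, structured denial naming policy and rule, fail-closed on engine error) is sketched below as an added example; it is not gitstore-api's code and makes several assumptions: Go as the language, a flat map standing in for the catalog object schema, Go closures standing in for compiled CEL programs (the CEL text is kept only for the error message), a `MatchKind` field to scope a policy to one object kind, and made-up policy names (`00-baseline-fields`, `10-version`) and constraints in place of the real baseline rules.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Decision is the outcome of evaluating one rule against one object.
type Decision int

const (
	Abstain Decision = iota // rule does not apply; evaluation continues
	Accept                  // rule satisfied; evaluation continues
	Reject                  // rule violated; admission is denied
)

// Object is a catalog object under admission. A flat map stands in for the
// real catalog schema (assumption for this example).
type Object map[string]any

// Rule is one rule of a policy. Expr keeps the CEL-style text for the error
// message; Eval is a Go closure standing in for a compiled CEL program.
type Rule struct {
	Name, Expr, Message string
	Eval                func(Object) (Decision, error)
}

// Policy groups rules and is scoped to one object kind (assumed field);
// objects of another kind make the whole policy abstain.
type Policy struct {
	Name, MatchKind string
	Rules           []Rule
}

// AdmissionError is the structured denial: it names the policy and rule that
// failed and records whether the denial came from an engine error (fail-closed).
type AdmissionError struct {
	Policy, Rule, Reason string
	EngineError          bool
}

func (e *AdmissionError) Error() string {
	return fmt.Sprintf("admission denied by policy %q rule %q: %s", e.Policy, e.Rule, e.Reason)
}

// Engine holds loaded policies sorted by name, so evaluation order is lexicographic.
type Engine struct{ policies []Policy }

func NewEngine(ps ...Policy) *Engine {
	sorted := append([]Policy(nil), ps...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	return &Engine{policies: sorted}
}

// safeEval converts a panicking rule into an engine error instead of crashing the API.
func safeEval(r Rule, obj Object) (d Decision, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			d, err = Reject, fmt.Errorf("rule panicked: %v", rec)
		}
	}()
	return r.Eval(obj)
}

// Admit returns nil when every applicable rule accepts or abstains, and an
// *AdmissionError for the first rule that rejects or fails with an engine error.
func (e *Engine) Admit(obj Object) error {
	kind, _ := obj["kind"].(string)
	for _, p := range e.policies {
		if p.MatchKind != "" && p.MatchKind != kind {
			continue // policy abstains for this object kind
		}
		for _, r := range p.Rules {
			d, err := safeEval(r, obj)
			if err != nil { // deny-on-error posture
				return &AdmissionError{Policy: p.Name, Rule: r.Name, Reason: "engine error: " + err.Error(), EngineError: true}
			}
			if d == Reject {
				return &AdmissionError{Policy: p.Name, Rule: r.Name, Reason: r.Message + " (" + r.Expr + ")"}
			}
		}
	}
	return nil
}

// stringField yields "" for a missing field and an engine error for a wrongly typed one.
func stringField(obj Object, key string) (string, error) {
	v, ok := obj[key]
	if !ok {
		return "", nil
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("field %q: expected string, got %T", key, v)
	}
	return s, nil
}

var semver = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// BaselinePolicies is a constructed stand-in for the built-in baseline policies;
// names and constraints are assumptions, not gitstore-api's real rules. They are
// returned out of order on purpose so NewEngine's sorting is visible.
func BaselinePolicies() []Policy {
	return []Policy{
		{Name: "10-version", MatchKind: "Catalog", Rules: []Rule{{
			Name: "version-semver", Expr: `object.version.matches('^\d+\.\d+\.\d+$')`,
			Message: "version must be MAJOR.MINOR.PATCH",
			Eval: func(o Object) (Decision, error) {
				v, err := stringField(o, "version")
				if err != nil || v == "" {
					return Abstain, err // absent version: rule does not apply
				}
				if !semver.MatchString(v) {
					return Reject, nil
				}
				return Accept, nil
			}}}},
		{Name: "00-baseline-fields", MatchKind: "Catalog", Rules: []Rule{{
			Name: "name-required", Expr: `size(object.name) > 0`,
			Message: "name must not be empty",
			Eval: func(o Object) (Decision, error) {
				v, err := stringField(o, "name")
				if err != nil || v == "" {
					return Reject, err
				}
				return Accept, nil
			}}}},
	}
}

func main() {
	eng := NewEngine(BaselinePolicies()...)
	// Constructed sample objects: allow, deny, engine error, abstain passthrough.
	for _, o := range []Object{
		{"kind": "Catalog", "name": "payments", "version": "1.2.3"},
		{"kind": "Catalog", "name": "", "version": "latest"},
		{"kind": "Catalog", "name": 42, "version": "1.0.0"},
		{"kind": "Widget", "name": ""},
	} {
		fmt.Println(o, "->", eng.Admit(o))
	}
}
```

Two design points worth noting: an object with both an empty name and a bad version is reported against `00-baseline-fields`/`name-required` regardless of the order policies were loaded, which is what lexicographic ordering buys in terms of reproducible error messages; and a wrongly typed field is surfaced as an `EngineError` denial rather than a rule rejection, so callers can distinguish a policy violation from an engine fault while the request is still refused.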

Dependencies

Tracking

  • Milestone: TBD
