mirror of
https://github.com/kubevela/kubevela.git
synced 2026-05-18 07:17:05 +00:00
f3b67e79ed
This commit implements Part 1 of the policy refactor plan, establishing
a clean and secure context structure for Application-scoped policies.
Key Changes:
1. Security: Metadata Filtering
- Added filterUserMetadata() to filter internal annotations/labels
- Prevents policies from accessing system annotations (app.oam.dev/*,
kubernetes.io/*, kubectl.kubernetes.io/*, etc.)
- O(1) map-based filtering for performance
2. Explicit Context Fields
- Added context.appName (instead of context.application.metadata.name)
- Added context.namespace, context.appRevision, context.appRevisionNum
- Added filtered context.appLabels and context.appAnnotations
- All exposed via process.Context infrastructure
3. Controlled Application Spec Access
- Added context.appComponents (components array only)
- Added context.appWorkflow (workflow object only)
- Added context.appPolicies (policies array only)
- Prevents unintended access to full Application CR
4. Removed context.application
- Completely removed to enforce explicit field access
- Deleted cleanApplicationForPolicyContext() helper function
- Forces security best practices
5. Removed context.prior
- Simplified incremental policy feature (can be added back later)
- Deleted associated test coverage
Test Changes:
- Deleted 3 test blocks relying on removed features
- Fixed TTL test expectation (CRD default is -1, not 0)
- Fixed WorkflowStep struct initialization
- All tests passing
Benefits:
- ✅ Clean API with explicit fields
- ✅ Security: No bypass to unfiltered metadata
- ✅ Forces best practices
- ✅ Simpler for policy authors
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>