Skip to content

access_monitoring_rules: Implement schedules conditions #59044

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 15, 2025
Merged

access_monitoring_rules: Implement schedules conditions #59044

merged 7 commits into from
Oct 15, 2025

Conversation

@bernardjkim
Copy link
Contributor

@bernardjkim bernardjkim commented Sep 11, 2025
edited
Loading

Supports: #51682, #55075
RFD: #57334
Requires: #59007

Changelog: Enabled use of schedules within automatic review and notification access_monitoring_rules

Base automatically changed from bernard/amr-schedules to master September 30, 2025 21:52
@bernardjkim bernardjkim force-pushed the bernard/condition-schedules branch from e7e61ea to 9607e8e Compare September 30, 2025 23:01
@bernardjkim bernardjkim force-pushed the bernard/condition-schedules branch from 9607e8e to ef4e98a Compare September 30, 2025 23:10
@bernardjkim bernardjkim marked this pull request as ready for review October 1, 2025 02:42
@github-actions github-actions bot requested review from atburke and ryanclark October 1, 2025 02:43
r0mant
r0mant reviewed Oct 1, 2025
View reviewed changes
Copy link
Collaborator

@r0mant r0mant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bernardjkim I've a question about the UX. Why is access_request.spec.creation_time.in_schedule(xxx) required at all as a part of the predicate condition? Would there be a downside to simplifying this and always applying the schedules if they're defined on the AMR?

@hugoShaka
Copy link
Contributor

hugoShaka commented Oct 1, 2025

@bernardjkim I've a question about the UX. Why is access_request.spec.creation_time.in_schedule(xxx) required at all as a part of the predicate condition? Would there be a downside to simplifying this and always applying the schedules if they're defined on the AMR?

I think that being explicit is better because you can combine with other rules, do OR, ... This is way more versatile than gluing a generic rule with an AND on top of the expression. This can also be extended if we add more data into the context. The design is inspired by what the OPA does.

@bernardjkim
Copy link
Contributor Author

bernardjkim commented Oct 1, 2025

@r0mant as discussed offline, I've simplified the implementation to remove the need for schedule conditions, and consider all schedules by default.

@hugoShaka we agree that the schedule conditions would provide a lot more versatility when configuring rules. However, we thought it might be best to keep it simple for now, and focus on the initial scope of the feature request. Open to discussing it more if you have strong opinions.

@bernardjkim bernardjkim requested review from r0mant and removed request for atburke and ryanclark October 1, 2025 22:22
@bernardjkim bernardjkim force-pushed the bernard/condition-schedules branch from 3cd53c6 to 46b4f85 Compare October 15, 2025 19:24
r0mant
r0mant approved these changes Oct 15, 2025
View reviewed changes
integrations/access/accessmonitoring/access_monitoring_rules.go
continue
}
if len(rule.GetSpec().GetSchedules()) != 0 && !isInSchedules {
continue
Copy link
Collaborator

@r0mant r0mant Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here and below, should we log that we're skipping the request because the schedule doesn't match?

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from hugoShaka October 15, 2025 22:22
@bernardjkim bernardjkim added this pull request to the merge queue Oct 15, 2025
Merged via the queue into master with commit bb166ff Oct 15, 2025
39 checks passed
@bernardjkim bernardjkim deleted the bernard/condition-schedules branch October 15, 2025 23:55
@backport-bot-workflows
Copy link
Contributor

backport-bot-workflows bot commented Oct 15, 2025

@bernardjkim See the table below for backport results.

Branch Result
branch/v18 Create PR

@bernardjkim bernardjkim mentioned this pull request Oct 16, 2025
Merged
mmcallister pushed a commit that referenced this pull request Nov 6, 2025
@bernardjkim @mmcallister
access_monitoring_rules: Implement schedules conditions (#59044)
9938399 
* Implement schedules conditions

* Fix lint

* Remove schedules predicate expression

Consider all configured schedules by default

* Support schedules within notification rules

* Use timezone during evaluation

* Add debug logs
mmcallister pushed a commit that referenced this pull request Nov 19, 2025
@bernardjkim @mmcallister
access_monitoring_rules: Implement schedules conditions (#59044)
43432e7 
* Implement schedules conditions

* Fix lint

* Remove schedules predicate expression

Consider all configured schedules by default

* Support schedules within notification rules

* Use timezone during evaluation

* Add debug logs
mmcallister pushed a commit that referenced this pull request Nov 20, 2025
@bernardjkim @mmcallister
access_monitoring_rules: Implement schedules conditions (#59044)
414f934 
* Implement schedules conditions

* Fix lint

* Remove schedules predicate expression

Consider all configured schedules by default

* Support schedules within notification rules

* Use timezone during evaluation

* Add debug logs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r0mant r0mant r0mant approved these changes

@marcoandredinis marcoandredinis marcoandredinis approved these changes

Assignees

No one assigned

Labels

backport/branch/v18 size/md

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bernardjkim @hugoShaka @r0mant @marcoandredinis