
Enable Gatekeeper Rego Packages to be Imported From Outside of Template #3558

Open
bravurasteve opened this issue Sep 23, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@bravurasteve

bravurasteve commented Sep 23, 2024

Describe the solution you'd like
Similar to how templates can import a library package defined within the template, allow the template to import a rego package defined outside the template.

e.g. common.rego:

package k8scommonaccess

# true when any of the requesting user's groups appears in the constraint's approved_groups parameter
in_approved_group {
   input.review.userInfo.groups[_] == input.parameters.approved_groups[_]
}

Anything else you would like to add:
As more and more templates are created, having to copy/paste the same common rego functions over and over becomes a maintenance nightmare; when/if the common function needs to be modified, having to make the changes in a single rego package file is highly desired over having to make it in multiple template files.

Environment:

  • Gatekeeper version: v3.17.1
  • Kubernetes version: v1.28
@bravurasteve bravurasteve added the enhancement New feature or request label Sep 23, 2024
@maxsmythe
Contributor

I'd suggest creating a pipeline that bakes the shared code into templates, similar to static linking when building a binary. That way shared code does not become a human maintenance burden. Using the libs keyword you cite should make this a fairly trivial pipeline to build.

See the below comment for why dynamically linking code from outside the template at runtime is operationally fraught:

#1204 (comment)
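As an added illustration of the "bake it in" pipeline suggested above (this is editor-written example code, not the Gatekeeper project's tooling or anything posted by the participants), the script below reads a shared Rego library and a template's main Rego, checks that the library lives under the `lib.` package namespace Gatekeeper requires for `libs` entries and that the main module actually imports it, and emits a ConstraintTemplate with the library statically embedded in `spec.targets[0].libs`. The `K8sRequireApprovedGroup` kind, the `k8srequireapprovedgroup` package, the parameter schema and the sample Rego are constructed for this example; only the `in_approved_group` rule mirrors the issue's common.rego.

```python
import re
import textwrap

# Constructed sample of the shared library file (the issue's common.rego,
# moved under the "lib." namespace that Gatekeeper requires for libs).
COMMON_REGO = """\
package lib.k8scommonaccess

in_approved_group {
    input.review.userInfo.groups[_] == input.parameters.approved_groups[_]
}
"""

# Constructed sample of a template's main Rego that consumes the library.
MAIN_REGO = """\
package k8srequireapprovedgroup

import data.lib.k8scommonaccess

violation[{"msg": msg}] {
    not k8scommonaccess.in_approved_group
    msg := sprintf("user %v is not in an approved group", [input.review.userInfo.username])
}
"""

# Constructed (hypothetical) parameter schema for the constraint.
SCHEMA_YAML = """\
type: object
properties:
  approved_groups:
    type: array
    items:
      type: string
"""

PACKAGE_RE = re.compile(r"^\s*package\s+([A-Za-z0-9_.]+)\s*$", re.MULTILINE)


def package_name(rego: str) -> str:
    """Return the package declared by a Rego module, or raise if none is found."""
    m = PACKAGE_RE.search(rego)
    if m is None:
        raise ValueError("rego module has no package declaration")
    return m.group(1)


def check_lib(rego: str) -> str:
    """Gatekeeper only loads libs whose package is under lib.; fail in the pipeline, not at apply time."""
    name = package_name(rego)
    if not name.startswith("lib."):
        raise ValueError(f"library package {name!r} must start with 'lib.'")
    return name


def _block(text: str, spaces: int) -> str:
    """Indent text so it can be the body of a YAML literal block scalar (|)."""
    return textwrap.indent(text.rstrip("\n"), " " * spaces)


def bake_template(kind: str, rego: str, libs: list, schema: str) -> str:
    """Emit a ConstraintTemplate with every lib statically embedded in spec.targets[0].libs."""
    lib_names = [check_lib(lib) for lib in libs]
    # A lib the main module never imports is dead weight; catch it here.
    unused = [n for n in lib_names if f"import data.{n}" not in rego]
    if unused:
        raise ValueError(f"main rego does not import {unused}")
    lines = [
        "apiVersion: templates.gatekeeper.sh/v1",
        "kind: ConstraintTemplate",
        "metadata:",
        f"  name: {kind.lower()}",  # template name must be the lowercased kind
        "spec:",
        "  crd:",
        "    spec:",
        "      names:",
        f"        kind: {kind}",
        "      validation:",
        "        openAPIV3Schema:",
        _block(schema, 10),
        "  targets:",
        "    - target: admission.k8s.gatekeeper.sh",
        "      rego: |",
        _block(rego, 8),
        "      libs:",
    ]
    for lib in libs:
        lines.append("        - |")
        lines.append(_block(lib, 10))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python bake.py > k8srequireapprovedgroup-template.yaml
    print(bake_template("K8sRequireApprovedGroup", MAIN_REGO, [COMMON_REGO], SCHEMA_YAML), end="")
```

Because the output is an ordinary ConstraintTemplate, it can still be applied and tested from the command line (kubectl, gator) without the pipeline being present; the pipeline only regenerates the file when the shared library changes, and the two checks turn a mismatched package name or a forgotten import into a build failure rather than a template that silently never evaluates the shared rule.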

@bravurasteve
Author

The problem w/ the pipeline approach is the dependency upon a pipeline which means no way to run/test via command line. Also, I wouldn't characterize the concept of reusable libraries as being dynamically linked since many other languages support the concept and statically link; e.g. Golang, Rust, etc.
