Support regex patterns in permission rules (settings.local.json)
Feature Request
Problem
The current permission system in settings.local.json only supports glob patterns with *. This makes it impossible to express patterns where a variable segment appears in the middle of a command, followed by a fixed suffix.
Example Use Case
I want to allow kubectl exec into pods matching a name prefix, but only for specific subcommands:
{
"permissions": {
"allow": [
"Bash(kubectl exec tfapplymanual-* -- kubectl get *)",
"Bash(kubectl exec tfapplymanual-* -- kubectl describe *)",
"Bash(kubectl exec tfapplymanual-* -- kubectl logs *)"
]
}
}
This does not work reliably because the * in the middle (for the pod name suffix) does not match as expected. The only workaround is Bash(kubectl exec tfapplymanual-:*), which is too broad — it allows any command inside the pod, not just kubectl get/describe/logs.
Proposed Solution
Support regex patterns in permission rules. For example:
{
"permissions": {
"allow": [
"Bash(regex:kubectl exec tfapplymanual-[a-z0-9-]+ -- kubectl (get|describe|logs) .*)"
]
}
}
This would allow precise control over which commands are auto-approved while handling variable segments like pod names, container IDs, namespaces, etc.
Alternatives Considered
- Glob patterns: Cannot express "variable middle, fixed suffix" patterns reliably
- PreToolUse hooks: Work but require external scripts and are more complex to set up and maintain for what should be a simple permission rule
- Broad prefix match (
Bash(kubectl exec tfapplymanual-:*)): Too permissive — cannot restrict to specific subcommands
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗