From ca9a2326f17ed63e834d9c9c0db0ad13d07e31d8 Mon Sep 17 00:00:00 2001 From: Rita Zhang Date: Fri, 22 Mar 2024 16:06:27 -0700 Subject: [PATCH] feat: enable vap in helm Signed-off-by: Rita Zhang --- .github/workflows/workflow.yaml | 5 +++-- Makefile | 6 +++++- cmd/build/helmify/kustomize-for-helm.yaml | 2 ++ cmd/build/helmify/static/README.md | 2 ++ cmd/build/helmify/static/values.yaml | 2 ++ main.go | 2 +- manifest_staging/charts/gatekeeper/README.md | 2 ++ .../templates/gatekeeper-controller-manager-deployment.yaml | 2 ++ manifest_staging/charts/gatekeeper/values.yaml | 2 ++ 9 files changed, 21 insertions(+), 4 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 1bfd0904039..9ea80aadec0 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -245,7 +245,8 @@ jobs: LOG_LEVEL=DEBUG make test-e2e \ - GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} \ + ENABLE_VAP_TESTS=1 - name: Save logs if: ${{ always() }} @@ -289,7 +290,7 @@ jobs: make e2e-bootstrap - name: Run e2e - run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release + run: | make docker-buildx \ IMG=gatekeeper-e2e:latest diff --git a/Makefile b/Makefile index a62729ef39d..faccede490f 100644 --- a/Makefile +++ b/Makefile @@ -249,6 +249,8 @@ else --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ + --set enableK8sNativeValidation=true \ + --set vapEnforcement=GATEKEEPER_DEFAULT \ --set mutationAnnotations=true endif @@ -288,6 +290,8 @@ e2e-helm-upgrade: --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ + --set enableK8sNativeValidation=true \ + --set vapEnforcement=GATEKEEPER_DEFAULT \ --set mutationAnnotations=true;\ e2e-subscriber-build-load-image: 
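Review bot: The two new `--set` lines hard-code `enableK8sNativeValidation=true` and `vapEnforcement=GATEKEEPER_DEFAULT` in this helm deploy target and again in `e2e-helm-upgrade` (the next hunk), while the workflow gates the VAP tests on `ENABLE_VAP_TESTS=1`, so the two switches can drift apart. Consider deriving the chart value from the same variable, e.g. `--set enableK8sNativeValidation=$(if $(ENABLE_VAP_TESTS),true,false) \`, so the alpha driver is only deployed when the tests that exercise it are on. `vapEnforcement=GATEKEEPER_DEFAULT` equals the chart default added in values.yaml in this commit, so it can either be dropped or kept with a short comment that the explicit setting is deliberate. Both recipes start above their hunks.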
@@ -344,7 +348,7 @@ manifests: __controller-gen output:crd:artifacts:config=config/crd/bases ./build/update-match-schema.sh rm -rf manifest_staging - mkdir -p manifest_staging/deploy/experimental + mkdir -p manifest_staging/deploy mkdir -p manifest_staging/charts/gatekeeper docker run --rm -v $(shell pwd):/gatekeeper \ registry.k8s.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \ diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index bd8847ac979..6a336e57b37 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -93,6 +93,8 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --vap-enforcement={{ .Values.vapEnforcement }} - HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION - HELMSUBST_METRICS_BACKEND_ARG - HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 7d77041443b..dacd51240ba 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
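Review bot: `mkdir -p manifest_staging/deploy/experimental` becomes `mkdir -p manifest_staging/deploy`, so the `experimental` directory is no longer created; if a later step of the `manifests` target (outside this hunk) or a kustomize output path still writes under `manifest_staging/deploy/experimental`, generation will now fail rather than silently create it. If the experimental VAP manifests were folded into the chart by this commit, a one-line comment next to the mkdir saying so would keep the next reader from restoring the directory. The recipe continues past the hunk.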
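Review bot: `{{ .Values.vapEnforcement }}` is interpolated into the controller args with no check that it is one of the three values the README in this commit lists (NONE, GATEKEEPER_DEFAULT, VAP_DEFAULT), so a typo in values.yaml is caught — if at all — only by the binary at start-up, and the generated template under manifest_staging inherits the same shape. A render-time guard such as `{{- if not (has .Values.vapEnforcement (list "NONE" "GATEKEEPER_DEFAULT" "VAP_DEFAULT")) }}{{ fail "vapEnforcement must be NONE, GATEKEEPER_DEFAULT or VAP_DEFAULT" }}{{- end }}` ahead of the args would surface the mistake at `helm install` instead of as a crash-looping pod; whether helmify passes that through unchanged needs checking. Both flags are also emitted when `enableK8sNativeValidation` is false, which is harmless only if the binary accepts `--vap-enforcement` with the driver disabled, which is not visible here. The container spec continues outside the hunk.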
@@ -163,6 +163,8 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index b3f9b1fa9a9..b5c09987127 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml 
@@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +enableK8sNativeValidation: false +vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds diff --git a/main.go b/main.go index e609948bad7..81e47317475 100644 --- a/main.go +++ b/main.go @@ -115,7 +115,7 @@ var ( certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service") enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir") disabledBuiltins = util.NewFlagSet() - enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "PROTOTYPE (not stable): enable the validating admission policy driver") + enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver") externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.") ) diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 7d77041443b..dacd51240ba 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
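Review bot: The two new keys carry no inline comment, so a user editing values.yaml cannot see that `vapEnforcement` takes a closed set of values or that both settings are alpha; that information currently lives only in the README table. If the file carries comments elsewhere, a line such as `# Alpha: enableK8sNativeValidation turns on the K8s Validating Admission Policy driver; vapEnforcement is one of NONE, GATEKEEPER_DEFAULT or VAP_DEFAULT.` above the pair would make the contract visible where it is edited.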
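Review bot: The help text now says `Alpha` but the flag keeps the `experimental-` prefix, and the Helm chart in this same commit hard-codes `--experimental-enable-k8s-native-validation` in the deployment args, so renaming the flag when it graduates will break chart/binary version skew unless the old spelling is kept as an alias. A comment at the declaration would record that coupling, e.g. `// Referenced by name from the Helm chart; keep this spelling (or register an alias) if the flag is promoted out of experimental.` The enclosing `var (` block starts above the hunk.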
@@ -163,6 +163,8 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 2455339d122..df9807a6d96 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -72,6 +72,8 @@ spec: - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} + - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --vap-enforcement={{ .Values.vapEnforcement }} {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} {{- range .Values.metricsBackends}} diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index b3f9b1fa9a9..b5c09987127 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m +enableK8sNativeValidation: false +vapEnforcement: GATEKEEPER_DEFAULT image: repository: openpolicyagent/gatekeeper crdRepository: openpolicyagent/gatekeeper-crds