From 110d80ba23a343afeee81c9957672d21516bfbd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Tue, 16 Apr 2024 11:27:09 -0300 Subject: [PATCH 1/2] fix: questions-ui.yml missing latest configuration. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The questions-ui.yml file is missing the latest configuration added: ignoreValues. This commits adds this new field in the file. As well as, configures the other fields to be hidden when user sets ignoreValue to false. Signed-off-by: José Guilherme Vanz --- artifacthub-pkg.yml | 24 +++++++++++++++++++++++- questions-ui.yml | 22 ++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) diff --git a/artifacthub-pkg.yml b/artifacthub-pkg.yml index 436d86f..5ded5a4 100644 --- a/artifacthub-pkg.yml +++ b/artifacthub-pkg.yml @@ -7,7 +7,7 @@ version: 0.2.2 name: container-resources displayName: Container Resources -createdAt: 2024-03-15T17:07:43.480376548Z +createdAt: 2024-04-12T11:54:02.226315046Z description: Policy is designed to enforce constraints on the resource requirements of Kubernetes containers license: Apache-2.0 homeURL: https://github.com/kubewarden/container-resources-policy @@ -60,6 +60,14 @@ annotations: type: map[ variable: cpu subquestions: + - default: false + group: Settings + label: Ignore values + title: Ignore values + type: boolean + variable: cpu.ignoreValues + tooltip: >- + Skip enforcement of specific values, but ensure that requests and limits are set - default: '' tooltip: >- Defines default minimum CPU requested. @@ -67,6 +75,7 @@ annotations: label: Default CPU requested type: string variable: cpu.defaultRequest + show_if: cpu.ignoreValues=false - default: '' tooltip: >- Defines default CPU limit value. 
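Review bot: The `cpu.ignoreValues` tooltip added in the `@@ -60,6 +60,14 @@` hunk does not say that enabling the switch also stops enforcement of `maxLimit`, the field whose own tooltip describes it as the maximum limit value allowed for the resource. The README context in patch 2/2 states that `defaultRequest`, `defaultLimit` and `maxLimit` are ignored when `ignoreValues` is set. The new `show_if: cpu.ignoreValues=false` lines then hide those fields, so a previously configured ceiling disappears from the form with no hint that it is no longer applied. I would spell this out in the tooltip, e.g. `When enabled, defaultRequest, defaultLimit and maxLimit are ignored; the policy only checks that requests and limits are set.` The same tooltip text is used for `memory.ignoreValues` in the `@@ -89,6 +100,14 @@` hunk and for both entries in questions-ui.yml.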
@@ -74,6 +83,7 @@ annotations: label: Default CPU limit type: string variable: cpu.defaultLimit + show_if: cpu.ignoreValues=false - default: '' tooltip: >- Defines maximum limit value allowed to be set for the CPU resource @@ -81,6 +91,7 @@ annotations: label: Max CPU limit allowed type: string variable: cpu.maxLimit + show_if: cpu.ignoreValues=false - default: {} description: Defines the limit and minimum amount requested for memory resource group: Settings @@ -89,6 +100,14 @@ annotations: type: map[ variable: memory subquestions: + - default: false + group: Settings + label: Ignore values + title: Ignore values + type: boolean + variable: memory.ignoreValues + tooltip: >- + Skip enforcement of specific values, but ensure that requests and limits are set - default: '' tooltip: >- Defines default minimum memory requested. @@ -96,6 +115,7 @@ annotations: label: Default memory requested type: string variable: memory.defaultRequest + show_if: memory.ignoreValues=false - default: '' tooltip: >- Defines default memory limit value. @@ -103,6 +123,7 @@ annotations: label: Default memory limit type: string variable: memory.defaultLimit + show_if: memory.ignoreValues=false - default: '' tooltip: >- Defines maximum limit value allowed to be set for the memory resource @@ -110,6 +131,7 @@ annotations: label: Max memory limit allowed type: string variable: memory.maxLimit + show_if: memory.ignoreValues=false - default: [] description: >- Configuration used to exclude containers from enforcement diff --git a/questions-ui.yml b/questions-ui.yml index 20e4372..518ac6a 100644 --- a/questions-ui.yml +++ b/questions-ui.yml @@ -17,6 +17,14 @@ questions: type: map[ variable: cpu subquestions: + - default: false + group: Settings + label: Ignore values + title: Ignore values + type: boolean + variable: cpu.ignoreValues + tooltip: >- + Skip enforcement of specific values, but ensure that requests and limits are set - default: '' tooltip: >- Defines default minimum CPU requested. 
@@ -24,6 +32,7 @@ questions: label: Default CPU requested type: string variable: cpu.defaultRequest + show_if: cpu.ignoreValues=false - default: '' tooltip: >- Defines default CPU limit value. @@ -31,6 +40,7 @@ questions: label: Default CPU limit type: string variable: cpu.defaultLimit + show_if: cpu.ignoreValues=false - default: '' tooltip: >- Defines maximum limit value allowed to be set for the CPU resource @@ -38,6 +48,7 @@ questions: label: Max CPU limit allowed type: string variable: cpu.maxLimit + show_if: cpu.ignoreValues=false - default: {} description: Defines the limit and minimum amount requested for memory resource group: Settings @@ -46,6 +57,14 @@ questions: type: map[ variable: memory subquestions: + - default: false + group: Settings + label: Ignore values + title: Ignore values + type: boolean + variable: memory.ignoreValues + tooltip: >- + Skip enforcement of specific values, but ensure that requests and limits are set - default: '' tooltip: >- Defines default minimum memory requested. @@ -53,6 +72,7 @@ questions: label: Default memory requested type: string variable: memory.defaultRequest + show_if: memory.ignoreValues=false - default: '' tooltip: >- Defines default memory limit value. @@ -60,6 +80,7 @@ questions: label: Default memory limit type: string variable: memory.defaultLimit + show_if: memory.ignoreValues=false - default: '' tooltip: >- Defines maximum limit value allowed to be set for the memory resource @@ -67,6 +88,7 @@ questions: label: Max memory limit allowed type: string variable: memory.maxLimit + show_if: memory.ignoreValues=false - default: [] description: >- Configuration used to exclude containers from enforcement From 84a923c6a71965b98c954e6678e0c8f246336955 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Tue, 16 Apr 2024 11:27:30 -0300 Subject: [PATCH 2/2] fix(docs): add note about other admission controllers. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Updates the README.md file mentioning that other admission controller could mutate the request before the policy. Which can leads to confusing result like a resource that looks first invalid get being accepted by the policy due a previous mutation fixing the resource. Signed-off-by: José Guilherme Vanz --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 92b6261..4cd170f 100644 --- a/README.md +++ b/README.md @@ -55,6 +55,13 @@ the `defaultRequest`, `defaultLimit`, and `maxLimit` fields, if set, will be ignored. Additionally, `ignoreValues` default value is `false`, so it's recommended to only provide it when you want to set it to `true`. +> [!NOTE] +> The admission request review evaluated by the policy could be mutated by +> another admission controller, like the LimitRange admission controller. This +> means that the policy could accept a resource that at first looks invalid, but +> that is later mutated by another admission controller to be valid. For example, +> LimitRange will set the default request values if they are not set. + Any container that uses an image that matches an entry in this list will be excluded from enforcement.