adding enforceVAP field on template
Signed-off-by: Jaydip Gabani <[email protected]>
JaydipGabani committed Apr 30, 2024
1 parent c2efb00 commit d1a2018
Showing 20 changed files with 205 additions and 223 deletions.
Expand Up @@ -75,6 +75,9 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
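Review bot: the description on the added `enforceVAP` property ("The flag to use VAP for enforcement.") says neither what VAP expands to nor what happens when the field is omitted, and this text is what users see in `kubectl explain`. Suggest spelling out ValidatingAdmissionPolicy and stating the omitted-field behaviour, consistent with the driver comment later in this commit that VAP generation is presumed disabled when no value is provided, e.g. `description: When true, this template is enforced through a generated ValidatingAdmissionPolicy. Omitting the field disables VAP generation.`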
Expand Down Expand Up @@ -205,6 +208,9 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
Expand Down Expand Up @@ -335,6 +341,9 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
54 changes: 39 additions & 15 deletions constraint/deploy/crds.yaml
Expand Up @@ -17,7 +17,8 @@ spec:
- name: v1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
description: ConstraintTemplate is the Schema for the constrainttemplates
API
properties:
apiVersion:
description: |-
Expand Down Expand Up @@ -74,8 +75,12 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
type: string
source:
description: The source code for the template. Required.
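Review bot: besides the `enforceVAP` addition, this hunk rewraps the existing `engine` description from one line to two without changing its text (`'The engine used to evaluate the code. Example: "Rego". Required.'` becomes a two-line scalar), and the neighbouring hunks in this file do the same for `ConstraintTemplate`, `CreateCRDError`, `id`, `deprecationWarning` and `url`. That pattern points to the CRD having been regenerated with a different controller-gen version or line-width setting than the checked-in file; suggest regenerating with the project's pinned generator, or landing the rewrap-only churn in a separate commit so the functional change stays reviewable.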
Expand Down Expand Up @@ -110,7 +115,8 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
properties:
code:
type: string
Expand All @@ -124,7 +130,8 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
description: a unique identifier for the pod that wrote the
status
type: string
observedGeneration:
format: int64
Expand All @@ -143,7 +150,8 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
description: ConstraintTemplate is the Schema for the constrainttemplates
API
properties:
apiVersion:
description: |-
Expand Down Expand Up @@ -200,8 +208,12 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
type: string
source:
description: The source code for the template. Required.
Expand Down Expand Up @@ -236,7 +248,8 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
properties:
code:
type: string
Expand All @@ -250,7 +263,8 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
description: a unique identifier for the pod that wrote the
status
type: string
observedGeneration:
format: int64
Expand All @@ -269,7 +283,8 @@ spec:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
description: ConstraintTemplate is the Schema for the constrainttemplates
API
properties:
apiVersion:
description: |-
Expand Down Expand Up @@ -326,8 +341,12 @@ spec:
be specified in one place (either here or in the "rego" field)
items:
properties:
enforceVAP:
description: The flag to use VAP for enforcement.
type: boolean
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
description: 'The engine used to evaluate the code. Example:
"Rego". Required.'
type: string
source:
description: The source code for the template. Required.
Expand Down Expand Up @@ -362,7 +381,8 @@ spec:
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
description: CreateCRDError represents a single error caught
during parsing, compiling, etc.
properties:
code:
type: string
Expand All @@ -376,7 +396,8 @@ spec:
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
description: a unique identifier for the pod that wrote the
status
type: string
observedGeneration:
format: int64
Expand Down Expand Up @@ -409,7 +430,8 @@ spec:
scope: Cluster
versions:
- deprecated: true
deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead.
deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1
instead.
name: v1alpha1
schema:
openAPIV3Schema:
Expand Down Expand Up @@ -444,7 +466,8 @@ spec:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with https://.
description: URL is the url for the provider. URL is prefixed with
https://.
type: string
type: object
type: object
Expand Down Expand Up @@ -484,7 +507,8 @@ spec:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with https://.
description: URL is the url for the provider. URL is prefixed with
https://.
type: string
type: object
type: object
4 changes: 4 additions & 0 deletions constraint/pkg/apis/templates/v1/constrainttemplate_types.go
Expand Up @@ -72,6 +72,10 @@ type Code struct {
// +kubebuilder:validation:Required
Engine string `json:"engine"`

// +kubebuilder:validation:Required
// The flag to use VAP for enforcement.
EnforceVAP *bool `json:"enforceVAP,omitempty"`

// +kubebuilder:validation:Required
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
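Review bot: `// +kubebuilder:validation:Required` on `EnforceVAP *bool` with `json:"enforceVAP,omitempty"` is contradictory. The marker makes controller-gen list the field under the schema's `required` entries, so every existing ConstraintTemplate that does not set `enforceVAP` would be rejected on the next apply, while the pointer type and `omitempty` say the field is optional. Suggest `// +kubebuilder:validation:Optional` (or no marker, matching the optional semantics) and a doc comment that states what a nil value means.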
2 changes: 2 additions & 0 deletions constraint/pkg/apis/templates/v1/zz_generated.conversion.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -71,6 +71,10 @@ type Code struct {
// +kubebuilder:validation:Required
Engine string `json:"engine"`

// +kubebuilder:validation:Required
// The flag to use VAP for enforcement.
EnforceVAP *bool `json:"enforceVAP,omitempty"`

// +kubebuilder:validation:Required
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
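Review bot: the doc comment `// The flag to use VAP for enforcement.` does not say what a nil pointer means for a `*bool`, and this type is duplicated across the versioned API packages, so the three copies need to agree on whether nil is treated as false or falls back to the driver-wide default. Suggest documenting the nil case here and in the other versioned copies of `Code`.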
Expand Up @@ -71,6 +71,10 @@ type Code struct {
// +kubebuilder:validation:Required
Engine string `json:"engine"`

// +kubebuilder:validation:Required
// The flag to use VAP for enforcement.
EnforceVAP *bool `json:"enforceVAP,omitempty"`

// +kubebuilder:validation:Required
// +kubebuilder:validation:Schemaless
// +kubebuilder:pruning:PreserveUnknownFields
15 changes: 3 additions & 12 deletions constraint/pkg/client/drivers/k8scel/args.go
@@ -1,13 +1,5 @@
package k8scel

type vapDefault string

const (
VAPGenerationLabel = "gatekeeper.sh/use-vap"
VAPDefaultYes = vapDefault("yes")
VAPDefaultNo = vapDefault("no")
)

type Arg func(*Driver) error

// GatherStats starts collecting various stats around the
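Review bot: this hunk deletes the exported identifiers `VAPGenerationLabel`, `VAPDefaultYes` and `VAPDefaultNo` (and the `vapDefault` type) from package `k8scel`, which breaks any importer that still references them, yet the commit message ("adding enforceVAP field on template") describes only an addition. Suggest calling out the API removal in the commit message, or keeping the constants for one release with a deprecation comment pointing at the new `enforceVAP` field.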
Expand All @@ -21,16 +13,15 @@ func GatherStats() Arg {
}

// VAPGenerationDefault sets the expected default
// value of the `gatekeeper.sh/use-vap` label.
// value for generateVAP field.
// If no value is provided, VAP generation
// is presumed to be disabled and the engine will
// validate ALL policies. Otherwise, the engine
// will only validate policies not expected to be
// enforced via VAP.
func VAPGenerationDefault(d vapDefault) Arg {
func VAPGenerationDefault(d bool) Arg {
return func(driver *Driver) error {
driver.generateVAPDefault = &d

driver.generateVAPDefault = d
return nil
}
}
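Review bot: naming is inconsistent between layers: the CRD field introduced in this commit is `enforceVAP`, while the updated doc comment here says "value for generateVAP field" and the driver field is `generateVAPDefault`; pick one term so operators can map the option to the field they set. Changing the parameter from `vapDefault` to `bool` (and `driver.generateVAPDefault = &d` to `= d`) also collapses "not configured" and "no" into the same zero value, which the sentence "If no value is provided, VAP generation is presumed to be disabled" now relies on; a short comment stating that this is intentional would help. Minor: "value for generateVAP field" reads better as "value for the generateVAP field".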
0 comments on commit d1a2018
