ci: testing with cel policies (#519)

* testing with cel policies

Signed-off-by: Jaydip Gabani <[email protected]>

* --set enableK8sNativeValidation=false for rego engine

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing uploading artifacts in ci

Signed-off-by: Jaydip Gabani <[email protected]>

* removing blank line

Signed-off-by: Jaydip Gabani <[email protected]>

* adding engine rego

Signed-off-by: Jaydip Gabani <[email protected]>

* adding engine rego

Signed-off-by: Jaydip Gabani <[email protected]>

* correcting required label cel policy

Signed-off-by: Jaydip Gabani <[email protected]>

* removing CEL from policies

Signed-off-by: Jaydip Gabani <[email protected]>

* Using sed to modify gk.yml

Signed-off-by: Jaydip Gabani <[email protected]>

* adding required label policy and fixing deployment for gk

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing ci

Signed-off-by: Jaydip Gabani <[email protected]>

* adding not allowed label value example for required label policy

Signed-off-by: Jaydip Gabani <[email protected]>

* testing cel with 3.16+

Signed-off-by: Jaydip Gabani <[email protected]>

* changing required label cel

Signed-off-by: Jaydip Gabani <[email protected]>

* only testing rego for 3.15

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing ci

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing ci

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing examples

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing CEL code

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing ci

Signed-off-by: Jaydip Gabani <[email protected]>

* fixing ci

Signed-off-by: Jaydip Gabani <[email protected]>

* testing with gk 3.16.1

Signed-off-by: Jaydip Gabani <[email protected]>

* testing with gk 3.16.2

Signed-off-by: Jaydip Gabani <[email protected]>

---------

Signed-off-by: Jaydip Gabani <[email protected]>

Author: JaydipGabani

.github/workflows/workflow.yaml

@@ -65,29 +65,35 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        gatekeeper: [ "release-3.13", "release-3.14" ]
-    name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }}"
+        gatekeeper: [ "3.15.1", "3.16.2" ]
+        engine: [ "cel", "rego" ]
+    name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }} for ${{ matrix.engine }} policies"
     steps:
       - name: Harden Runner
+        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }} # remove this condition once 3.17 is out
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
+        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
         uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Bootstrap integration test
+        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
         run: |
           mkdir -p $GITHUB_WORKSPACE/bin
           echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
           make integration-bootstrap
-          make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }}
+          make deploy GATEKEEPER_VERSION=${{ matrix.gatekeeper }} POLICY_ENGINE=${{ matrix.engine }}
 
       - name: Run integration test
+        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
         run: |
           make test-integration
 
       - name: Save logs
+        if: ${{ !(matrix.gatekeeper == '3.15.1' && matrix.engine == 'cel') }}
         run: |
           kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
           kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json
@@ -96,7 +102,7 @@ jobs:
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: ${{ always() }}
         with:
-          name: logs-int-test-${{ matrix.gatekeeper }}
+          name: logs-int-test-${{ matrix.gatekeeper }}-${{ matrix.engine }}
           path: |
             logs-*.json
   require_suites:
@@ -127,7 +133,10 @@ jobs:
           make require-sync
   gator-verify:
     runs-on: ubuntu-latest
-    name: "Verify assertions in suite.yaml files"
+    strategy:
+      matrix:
+        engine: [ "cel", "rego" ]
+    name: "Verify assertions in suite.yaml files for ${{ matrix.engine }} policies"
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
@@ -136,4 +145,4 @@ jobs:
 
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - run: |
-          make verify-gator-dockerized
+          make verify-gator-dockerized POLICY_ENGINE=${{ matrix.engine }}

Makefile

@@ -3,10 +3,11 @@ KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases
 KUBERNETES_VERSION ?= 1.26.0
 KUSTOMIZE_VERSION ?= 4.5.5
-GATEKEEPER_VERSION ?= release-3.11
+GATEKEEPER_VERSION ?= 3.16.0
 BATS_VERSION ?= 1.8.2
-GATOR_VERSION ?= 3.11.0
+GATOR_VERSION ?= 3.16.0
 GOMPLATE_VERSION ?= 3.11.6
+POLICY_ENGINE ?= rego
 
 REPO_ROOT := $(shell git rev-parse --show-toplevel)
 WEBSITE_SCRIPT_DIR := $(REPO_ROOT)/scripts/website
@@ -31,21 +32,36 @@ integration-bootstrap:
 	TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --image kindest/node:v${KUBERNETES_VERSION} --wait 5m --config=test/kind_config.yaml
 
 deploy:
-	kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/${GATEKEEPER_VERSION}/deploy/gatekeeper.yaml
+	helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
+ifeq ($(POLICY_ENGINE), rego)
+	helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=false
+else ifeq ($(POLICY_ENGINE), cel)
+ifneq ($(GATEKEEPER_VERSION), 3.15.1)
+	helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true
+endif
+endif
 
 uninstall:
-	kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/${GATEKEEPER_VERSION}/deploy/gatekeeper.yaml
+	helm uninstall -n gatekeeper-system gatekeeper
 
 test-integration:
 	bats -t test/bats/test.bats
 
 .PHONY: verify-gator
 verify-gator:
-	gator verify ./...
+ifeq ($(POLICY_ENGINE), rego)
+	gator verify ./... --experimental-enable-k8s-native-validation=false
+else ifeq ($(POLICY_ENGINE), cel)
+	gator verify ./... --experimental-enable-k8s-native-validation=true
+endif
 
 .PHONY: verify-gator-dockerized
 verify-gator-dockerized: __build-gator
-	$(docker) run -i -v $(shell pwd):/gatekeeper-library gator-container verify ./...
+ifeq ($(POLICY_ENGINE), rego)
+	$(docker) run -i -v $(shell pwd):/gatekeeper-library gator-container verify ./... --experimental-enable-k8s-native-validation=false
+else ifeq ($(POLICY_ENGINE), cel)
+	$(docker) run -i -v $(shell pwd):/gatekeeper-library gator-container verify ./... --experimental-enable-k8s-native-validation=true
+endif
 
 .PHONY: build-gator
 __build-gator:

artifacthub/library/general/requiredlabels/1.1.0/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.0
+name: k8srequiredlabels
+displayName: Required Labels
+createdAt: "2024-05-10T23:29:29Z"
+description: Requires resources to contain specified labels, with values matching provided regular expressions.
+digest: 84897cdfe60dbe9c1726581fe0626d254477a176b143a2cff36b5cf24465e8b8
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/requiredlabels
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Required Labels
+    Requires resources to contain specified labels, with values matching provided regular expressions.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/requiredlabels/1.1.0/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/requiredlabels/1.1.0/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/requiredlabels/1.1.0/samples/all-must-have-owner/constraint.yaml

@@ -0,0 +1,14 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: all-must-have-owner
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"

artifacthub/library/general/requiredlabels/1.1.0/samples/all-must-have-owner/example_allowed.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: allowed-namespace
+  labels:
+    owner: user.agilebank.demo

artifacthub/library/general/requiredlabels/1.1.0/samples/all-must-have-owner/example_disallowed.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: disallowed-namespace

artifacthub/library/general/requiredlabels/1.1.0/samples/all-must-have-owner/example_disallowed_label_value.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: disallowed-namespace
+  labels:
+    owner: user

artifacthub/library/general/requiredlabels/1.1.0/suite.yaml

@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: requiredlabels
+tests:
+- name: must-have-owner
+  template: template.yaml
+  constraint: samples/all-must-have-owner/constraint.yaml
+  cases:
+  - name: example-allowed
+    object: samples/all-must-have-owner/example_allowed.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed
+    object: samples/all-must-have-owner/example_disallowed.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-label-value
+    object: samples/all-must-have-owner/example_disallowed_label_value.yaml
+    assertions:
+    - violations: yes

artifacthub/library/general/requiredlabels/1.1.0/template.yaml

@@ -0,0 +1,79 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+  annotations:
+    metadata.gatekeeper.sh/title: "Required Labels"
+    metadata.gatekeeper.sh/version: 1.1.0
+    description: >-
+      Requires resources to contain specified labels, with values matching
+      provided regular expressions.
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              description: >-
+                A list of labels and values the object must specify.
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                    description: >-
+                      The required label.
+                  allowedRegex:
+                    type: string
+                    description: >-
+                      If specified, a regular expression the annotation's value
+                      must match. The value must contain at least one match for
+                      the regular expression.
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+      - engine: K8sNativeValidation
+        source:
+          validations:
+          - expression: '(has(object.metadata) && variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels))'
+            messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
+          - expression: '(has(object.metadata) && variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
+            message: "regex mismatch"
+      - engine: Rego
+        source:
+          rego: |
+            package k8srequiredlabels
+
+            get_message(parameters, _default) := _default {
+              not parameters.message
+            }
+
+            get_message(parameters, _) := parameters.message
+
+            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+              provided := {label | input.review.object.metadata.labels[label]}
+              required := {label | label := input.parameters.labels[_].key}
+              missing := required - provided
+              count(missing) > 0
+              def_msg := sprintf("you must provide labels: %v", [missing])
+              msg := get_message(input.parameters, def_msg)
+            }
+
+            violation[{"msg": msg}] {
+              value := input.review.object.metadata.labels[key]
+              expected := input.parameters.labels[_]
+              expected.key == key
+              # do not match if allowedRegex is not defined, or is an empty string
+              expected.allowedRegex != ""
+              not regex.match(expected.allowedRegex, value)
+              def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+              msg := get_message(input.parameters, def_msg)
+            }
+

library/general/requiredlabels/samples/all-must-have-owner/example_disallowed_label_value.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: disallowed-namespace
+  labels:
+    owner: user

library/general/requiredlabels/suite.yaml

@@ -15,3 +15,7 @@ tests:
     object: samples/all-must-have-owner/example_disallowed.yaml
     assertions:
     - violations: yes
+  - name: example-disallowed-label-value
+    object: samples/all-must-have-owner/example_disallowed_label_value.yaml
+    assertions:
+    - violations: yes

library/general/requiredlabels/template.yaml

@@ -4,7 +4,7 @@ metadata:
   name: k8srequiredlabels
   annotations:
     metadata.gatekeeper.sh/title: "Required Labels"
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.1.0
     description: >-
       Requires resources to contain specified labels, with values matching
       provided regular expressions.
@@ -38,31 +38,42 @@ spec:
                       the regular expression.
   targets:
     - target: admission.k8s.gatekeeper.sh
-      rego: |
-        package k8srequiredlabels
+      code:
+      - engine: K8sNativeValidation
+        source:
+          validations:
+          - expression: '(has(object.metadata) && variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels))'
+            messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
+          - expression: '(has(object.metadata) && variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
+            message: "regex mismatch"
+      - engine: Rego
+        source:
+          rego: |
+            package k8srequiredlabels
 
-        get_message(parameters, _default) := _default {
-          not parameters.message
-        }
+            get_message(parameters, _default) := _default {
+              not parameters.message
+            }
 
-        get_message(parameters, _) := parameters.message
+            get_message(parameters, _) := parameters.message
 
-        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
-          provided := {label | input.review.object.metadata.labels[label]}
-          required := {label | label := input.parameters.labels[_].key}
-          missing := required - provided
-          count(missing) > 0
-          def_msg := sprintf("you must provide labels: %v", [missing])
-          msg := get_message(input.parameters, def_msg)
-        }
+            violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+              provided := {label | input.review.object.metadata.labels[label]}
+              required := {label | label := input.parameters.labels[_].key}
+              missing := required - provided
+              count(missing) > 0
+              def_msg := sprintf("you must provide labels: %v", [missing])
+              msg := get_message(input.parameters, def_msg)
+            }
+
+            violation[{"msg": msg}] {
+              value := input.review.object.metadata.labels[key]
+              expected := input.parameters.labels[_]
+              expected.key == key
+              # do not match if allowedRegex is not defined, or is an empty string
+              expected.allowedRegex != ""
+              not regex.match(expected.allowedRegex, value)
+              def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
+              msg := get_message(input.parameters, def_msg)
+            }
 
-        violation[{"msg": msg}] {
-          value := input.review.object.metadata.labels[key]
-          expected := input.parameters.labels[_]
-          expected.key == key
-          # do not match if allowedRegex is not defined, or is an empty string
-          expected.allowedRegex != ""
-          not regex.match(expected.allowedRegex, value)
-          def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
-          msg := get_message(input.parameters, def_msg)
-        }

src/general/requiredlabels/constraint.tmpl

@@ -4,7 +4,7 @@ metadata:
   name: k8srequiredlabels
   annotations:
     metadata.gatekeeper.sh/title: "Required Labels"
-    metadata.gatekeeper.sh/version: 1.0.1
+    metadata.gatekeeper.sh/version: 1.1.0
     description: >-
       Requires resources to contain specified labels, with values matching
       provided regular expressions.
@@ -38,5 +38,12 @@ spec:
                       the regular expression.
   targets:
     - target: admission.k8s.gatekeeper.sh
-      rego: |
-{{ file.Read "src/general/requiredlabels/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+      code:
+      - engine: K8sNativeValidation
+        source:
+{{ file.Read "src/general/requiredlabels/src.cel" | strings.Indent 10 | strings.TrimSuffix "\n" }}
+      - engine: Rego
+        source:
+          rego: |
+{{ file.Read "src/general/requiredlabels/src.rego" | strings.Indent 12 | strings.TrimSuffix "\n" }}
+