Exclude UPDATE operations in constraints for immutable fields #348

Conversation
Signed-off-by: Hidehito Yabuuchi <[email protected]>
Hi @apeabody @maxsmythe, could you take a look? Thank you!
Thanks for the contribution @ordovicia!

A few thoughts/questions:

- Just confirming we want/need to exclude `PATCH`? The default validating webhook verbs are `CREATE` and `UPDATE`: https://github.com/open-policy-agent/gatekeeper/blob/v3.12.0/deploy/gatekeeper.yaml#L3747

  @maxsmythe, any caveats to `PATCH`?

- Thanks for the rego/opa test for `lib.exclude_update_patch`! We should probably also include some tests for the templates (and maybe even constraints):
  - For the templates you can add `"operation": "UPDATE"` to the `"review": {}`, for example: https://github.com/open-policy-agent/gatekeeper-library/blob/master/src/general/automount-serviceaccount-token/src_test.rego#L10
  - For the constraints you could use an `AdmissionReview` object to include `request.operation: UPDATE` for the test suite.
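To make the review suggestion concrete, here is an added example (not code from the gatekeeper-library repository or from this PR) of a minimal template body that skips `UPDATE` admission reviews, together with the kind of rego test the comment above asks for. The helper `is_update`, the package name, the constructed `spec.immutableField` name and the review fixtures are all assumptions made for this illustration; they are modelled on the thread's `lib.exclude_update_patch` idea, not copied from it.

```rego
# Added example: a constraint template body that ignores UPDATE operations.
# Nothing here is the library's own code; names are constructed for illustration.
package immutablefieldexample

# Hypothetical helper, inspired by the lib.exclude_update_patch helper the thread
# discusses: true when the admission review describes an UPDATE of an existing object.
is_update(review) {
    review.operation == "UPDATE"
}

# Deny objects that do not set the (constructed) immutable field spec.immutableField.
# The check only makes sense at creation time: once the object exists the field cannot
# be changed, so an UPDATE review must not be blocked by it.
violation[{"msg": msg}] {
    not is_update(input.review)
    not input.review.object.spec.immutableField
    msg := sprintf("%v/%v must set spec.immutableField when it is created",
        [input.review.object.kind, input.review.object.metadata.name])
}

# --- tests (run with: opa test <this file>) ---------------------------------

# Constructed admission review fixtures; the object is missing the immutable field.
create_review := {
    "operation": "CREATE",
    "object": {"kind": "Pod", "metadata": {"name": "web"}, "spec": {}},
}

update_review := {
    "operation": "UPDATE",
    "object": {"kind": "Pod", "metadata": {"name": "web"}, "spec": {}},
}

# A CREATE without the field is rejected.
test_create_missing_field_is_denied {
    count(violation) == 1 with input as {"review": create_review}
}

# The same object arriving as an UPDATE passes, because the field is immutable anyway.
test_update_missing_field_is_allowed {
    count(violation) == 0 with input as {"review": update_review}
}
```

Two practical points follow from this shape. First, a Kubernetes PATCH request is presented to admission webhooks as an `UPDATE` on the patched object, so excluding `UPDATE` is what matters for the webhook path. Second, Gatekeeper's audit runs the same template against existing objects without an `operation` in the review, so `is_update` is false there and objects that lack the field are still reported by audit; the exclusion only stops the webhook from blocking updates, which is the behaviour this PR is after.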
PATCH is probably irrelevant. From the K8s docs:
Thank you for the comments! Fixed to exclude
Thanks @ordovicia! You should be able to use a

The idea being this

Title changed from "Exclude UPDATE and PATCH operations in constraints for immutable fields" to "Exclude UPDATE operations in constraints for immutable fields".
Thank you @apeabody!

Hi @apeabody @maxsmythe, could you take a look again?
Hi @apeabody, please merge this if it's OK. Thank you!
Thanks for the contribution @ordovicia!
Another maintainer will need to review as well.
Co-authored-by: Andrew Peabody <[email protected]> Signed-off-by: Hidehito Yabuuchi <[email protected]>
Force-pushed from 690b5f3 to 04106cf
LGTM

Thanks for the fix @ordovicia! 🎉 I updated the PR description to remove patch.
What this PR does / why we need it: This PR will fix a problem described in #346, by excluding `UPDATE` operations in constraint templates for immutable fields.

Which issue(s) does this PR fix (optional, using `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when the PR gets merged): Fixes #346

Special notes for your reviewer: None.