From 145681f946574887e0dbeac5b541df183b491f22 Mon Sep 17 00:00:00 2001
From: DorB-P
Date: Wed, 3 Jul 2024 00:27:09 +0300
Subject: [PATCH] feat: add emitAllowAdmissionEvents helm option and align with emitDenyAdmissionEvents
Signed-off-by: DorB-P
---
 Makefile | 15 +-
 a.txt | 1725 +++++++++++++++++
 b.txt | 581 ++++++
 cmd/build/helmify/kustomize-for-helm.yaml | 3 +-
 cmd/build/helmify/static/README.md | 7 +-
 cmd/build/helmify/static/values.yaml | 3 +-
 manifest_staging/charts/gatekeeper/README.md | 7 +-
 ...ekeeper-controller-manager-deployment.yaml | 3 +-
 .../charts/gatekeeper/values.yaml | 3 +-
 pkg/webhook/common.go | 3 +-
 pkg/webhook/policy.go | 39 +-
 test/bats/test.bats | 8 +
 .../all_ns_must_have_gatekeeper_events.yaml | 16 +
 test/bats/tests/good/good_ns.yaml | 2 +
 website/docs/customize-startup.md | 19 +-
 15 files changed, 2404 insertions(+), 30 deletions(-)
 create mode 100644 a.txt
 create mode 100644 b.txt
 create mode 100644 test/bats/tests/constraints/all_ns_must_have_gatekeeper_events.yaml
diff --git a/Makefile b/Makefile
index 7a147dee4fd..bcfd73a450b 100644
--- a/Makefile
+++ b/Makefile
@@ -63,7 +63,8 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n args:\
 \n - --port=8443\
 \n - --logtostderr\
-\n - --emit-admission-events\
+\n - --emit-allow-admission-events\
+\n - --emit-deny-admission-events\
 \n - --admission-events-involved-namespace\
 \n - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
 \n - --operation=webhook\
@@ -205,8 +206,9 @@ ifeq ($(ENABLE_PUBSUB),true)
 --set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
 --set postInstall.labelNamespace.enabled=true \
 --set postInstall.probeWebhook.enabled=true \
- --set emitAdmissionEvents=true \
+ --set emitAllowAdmissionEvents=true \
 --set emitAuditEvents=true \
+ --set emitDenyAdmissionEvents=true \
 --set admissionEventsInvolvedNamespace=true \
 --set auditEventsInvolvedNamespace=true \
 --set disabledBuiltins={http.send} \
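Review bot: In the `@@ -63` hunk, `MANAGER_IMAGE_PATCH` now passes `--emit-allow-admission-events` unconditionally, so every request the webhook admits in the default dev deployment appears to produce an Event write. The a.txt dump added by this same patch shows `AllowedAdmission` events with counts in the thousands for routine Lease renewals, and at that volume the rarer denial events that operators triage on are easy to lose. Consider leaving the allow flag out of the default patch and enabling it only in the test that asserts on it, or documenting the choice above the `MANAGER_IMAGE_PATCH` definition with a comment such as `# allow events are high-volume; enabled here only for e2e coverage`. The definition starts and ends outside the hunk.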
@@ -230,8 +232,9 @@ else
 --set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
 --set postInstall.labelNamespace.enabled=true \
 --set postInstall.probeWebhook.enabled=true \
- --set emitAdmissionEvents=true \
+ --set emitAllowAdmissionEvents=true \
 --set emitAuditEvents=true \
+ --set emitDenyAdmissionEvents=true \
 --set admissionEventsInvolvedNamespace=true \
 --set auditEventsInvolvedNamespace=true \
 --set disabledBuiltins={http.send} \
@@ -247,8 +250,9 @@ e2e-helm-upgrade-init: e2e-helm-install
 ./.staging/helm/linux-amd64/helm install gatekeeper gatekeeper/gatekeeper --version ${BASE_RELEASE} \
 --namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
 --debug --wait \
- --set emitAdmissionEvents=true \
+ --set emitAllowAdmissionEvents=true \
 --set emitAuditEvents=true \
+ --set emitDenyAdmissionEvents=true \
 --set admissionEventsInvolvedNamespace=true \
 --set auditEventsInvolvedNamespace=true \
 --set postInstall.labelNamespace.enabled=true \
@@ -271,8 +275,9 @@ e2e-helm-upgrade:
 --set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
 --set postInstall.labelNamespace.enabled=true \
 --set postInstall.probeWebhook.enabled=true \
- --set emitAdmissionEvents=true \
+ --set emitAllowAdmissionEvents=true \
 --set emitAuditEvents=true \
+ --set emitDenyAdmissionEvents=true \
 --set admissionEventsInvolvedNamespace=true \
 --set auditEventsInvolvedNamespace=true \
 --set disabledBuiltins={http.send} \
diff --git a/a.txt b/a.txt
new file mode 100644
index 00000000000..92a98c3685e
--- /dev/null
+++ b/a.txt
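Review bot: In the `@@ -247` hunk (`e2e-helm-upgrade-init`), the install is pinned to `--version ${BASE_RELEASE}` but now sets only `emitAllowAdmissionEvents` and `emitDenyAdmissionEvents`, which a chart published before this change presumably does not define. Unless that chart ships a values schema, Helm accepts unknown `--set` keys silently, so the base install would run with admission events off and the upgrade test would stop covering the transition from the old setting to the new ones. Keeping `--set emitAdmissionEvents=true \` in this target next to the two new keys would cover both chart versions. The recipe continues outside the hunk.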
@@ -0,0 +1,1725 @@ +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "v1", + "count": 1549, + "eventTime": null, + "firstTimestamp": "2024-07-02T22:06:55Z", + "involvedObject": { + "kind": "Lease", + "name": "apiserver-4jsliixyekvcel2pxji4b4svru", + "namespace": "gatekeeper-system", + "uid": "Lease/kube-system/apiserver-4jsliixyekvcel2pxji4b4svru" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:12:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: kube-system", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:apiserver", + "resource_api_version": "v1", + "resource_group": "coordination.k8s.io", + "resource_kind": "Lease", + "resource_name": "apiserver-4jsliixyekvcel2pxji4b4svru", + "resource_namespace": "kube-system" + }, + "creationTimestamp": "2024-07-02T22:06:55Z", + "name": "apiserver-4jsliixyekvcel2pxji4b4svru.17de84b3df3fa2d6", + "namespace": "gatekeeper-system", + "resourceVersion": "25947", + "uid": "f11203e2-ecf1-47f2-b92e-389fa6a5e89b" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:23:05Z", + "involvedObject": { + "kind": "DenyGatekeeperEvents", + "name": "deny-gatekeeper-webhook-events", + "namespace": "gatekeeper-system", + "uid": "DenyGatekeeperEvents//deny-gatekeeper-webhook-events" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:23:05Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: ", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "kubernetes-admin", + "resource_api_version": "v1beta1", + "resource_group": "constraints.gatekeeper.sh", + "resource_kind": 
"DenyGatekeeperEvents", + "resource_name": "deny-gatekeeper-webhook-events", + "resource_namespace": "" + }, + "creationTimestamp": "2024-07-03T10:23:05Z", + "name": "deny-gatekeeper-webhook-events.17deacdffe9e4fb3", + "namespace": "gatekeeper-system", + "resourceVersion": "21729", + "uid": "0b524df8-4104-4ecd-96fd-4e52dfdb5a37" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 5, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:22:47Z", + "involvedObject": { + "kind": "ConstraintTemplate", + "name": "denygatekeeperevents", + "namespace": "gatekeeper-system", + "uid": "ConstraintTemplate//denygatekeeperevents" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:42:38Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: ", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "kubernetes-admin", + "resource_api_version": "v1", + "resource_group": "templates.gatekeeper.sh", + "resource_kind": "ConstraintTemplate", + "resource_name": "denygatekeeperevents", + "resource_namespace": "" + }, + "creationTimestamp": "2024-07-03T10:22:47Z", + "name": "denygatekeeperevents.17deacdbb188e974", + "namespace": "gatekeeper-system", + "resourceVersion": "23481", + "uid": "5b13613a-3dae-4eeb-9811-e6fe6123c937" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1550, + "eventTime": null, + "firstTimestamp": "2024-07-02T22:06:57Z", + "involvedObject": { + "kind": "Lease", + "name": "dortest-rep-control-plane", + "namespace": "gatekeeper-system", + "uid": "Lease/kube-node-lease/dortest-rep-control-plane" + }, + "kind": 
"Event", + "lastTimestamp": "2024-07-03T11:12:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: kube-node-lease", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "coordination.k8s.io", + "resource_kind": "Lease", + "resource_name": "dortest-rep-control-plane", + "resource_namespace": "kube-node-lease" + }, + "creationTimestamp": "2024-07-02T22:06:57Z", + "name": "dortest-rep-control-plane.17de84b43eba4706", + "namespace": "gatekeeper-system", + "resourceVersion": "25943", + "uid": "8a1f3013-1467-405e-8aa2-a36501eb1f31" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 7870, + "eventTime": null, + "firstTimestamp": "2024-07-02T22:06:56Z", + "involvedObject": { + "kind": "Lease", + "name": "kube-controller-manager", + "namespace": "gatekeeper-system", + "uid": "Lease/kube-system/kube-controller-manager" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:12:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: kube-system", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-controller-manager", + "resource_api_version": "v1", + "resource_group": "coordination.k8s.io", + "resource_kind": "Lease", + "resource_name": "kube-controller-manager", + "resource_namespace": "kube-system" + }, + "creationTimestamp": "2024-07-02T22:06:56Z", + "name": "kube-controller-manager.17de84b420f16a16", + "namespace": "gatekeeper-system", + "resourceVersion": "25945", + "uid": "c12be341-1526-4c18-8cd8-1006e19f65e5" + }, + "reason": "AllowedAdmission", + "reportingComponent": 
"gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 7869, + "eventTime": null, + "firstTimestamp": "2024-07-02T22:06:56Z", + "involvedObject": { + "kind": "Lease", + "name": "kube-scheduler", + "namespace": "gatekeeper-system", + "uid": "Lease/kube-system/kube-scheduler" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:12:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: kube-system", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "coordination.k8s.io", + "resource_kind": "Lease", + "resource_name": "kube-scheduler", + "resource_namespace": "kube-system" + }, + "creationTimestamp": "2024-07-02T22:06:56Z", + "name": "kube-scheduler.17de84b41c4a6249", + "namespace": "gatekeeper-system", + "resourceVersion": "25949", + "uid": "472e1a1b-4e35-4105-be80-40ec6319aafa" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 9, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:15:42Z", + "involvedObject": { + "kind": "Pod", + "name": "not-privileged-pod3", + "namespace": "gatekeeper-system", + "uid": "Pod/default/not-privileged-pod3" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:47Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "kubernetes-admin", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Pod", + "resource_name": "not-privileged-pod3", + "resource_namespace": "default" + }, 
+ "creationTimestamp": "2024-07-03T10:15:42Z", + "name": "not-privileged-pod3.17deac78ad26c18c", + "namespace": "gatekeeper-system", + "resourceVersion": "26218", + "uid": "e13dcbad-37b3-4a42-b7a9-fc4f6fba7d6d" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 9, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:15:42Z", + "involvedObject": { + "kind": "Binding", + "name": "not-privileged-pod3", + "namespace": "gatekeeper-system", + "uid": "Binding/default/not-privileged-pod3" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:47Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Binding", + "resource_name": "not-privileged-pod3", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:15:42Z", + "name": "not-privileged-pod3.17deac78af1eeb03", + "namespace": "gatekeeper-system", + "resourceVersion": "26220", + "uid": "9f7ee789-edbf-42ec-9d6d-5e85d1a69789" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:16:52Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac891525382e", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac891525382e" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:16:52Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: 
default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac891525382e", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:16:52Z", + "name": "not-privileged-pod3.17deac891525382e.17deac89154d9e9e", + "namespace": "gatekeeper-system", + "resourceVersion": "21182", + "uid": "064e48d0-76d5-48a9-96d9-0347c1f14565" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:17:30Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac91fdd6fec5", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac91fdd6fec5" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:17:30Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac91fdd6fec5", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:17:30Z", + "name": "not-privileged-pod3.17deac91fdd6fec5.17deac91fdfbff81", + "namespace": "gatekeeper-system", + "resourceVersion": "21244", + "uid": "b664861c-7bf0-4990-b411-3f5477f96419" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 
1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:17:31Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac92179e24d7", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac92179e24d7" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:17:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac92179e24d7", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:17:31Z", + "name": "not-privileged-pod3.17deac92179e24d7.17deac9217c151fa", + "namespace": "gatekeeper-system", + "resourceVersion": "21249", + "uid": "ebc2fc2b-1889-4a87-bbe9-10b816aac1a9" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:17:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac92638cda66", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac92638cda66" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:17:32Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac92638cda66", + "resource_namespace": "default" + }, + 
"creationTimestamp": "2024-07-03T10:17:32Z", + "name": "not-privileged-pod3.17deac92638cda66.17deac9263b00de3", + "namespace": "gatekeeper-system", + "resourceVersion": "21255", + "uid": "a6a3b96b-c645-4aba-bb93-862bdad74738" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:17:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac926625e472", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac926625e472" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:17:32Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac926625e472", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:17:32Z", + "name": "not-privileged-pod3.17deac926625e472.17deac92664d3030", + "namespace": "gatekeeper-system", + "resourceVersion": "21257", + "uid": "7b548ffb-84e9-4cee-9caa-80e8337ca639" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:17:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deac9269f78bdc", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deac9269f78bdc" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:17:32Z", + 
"message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deac9269f78bdc", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:17:32Z", + "name": "not-privileged-pod3.17deac9269f78bdc.17deac926a1e7ab0", + "namespace": "gatekeeper-system", + "resourceVersion": "21259", + "uid": "b402c753-a490-4d2f-95b7-6b7450d5101f" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:23:22Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deace3ea372616", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deace3ea372616" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:23:22Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deace3ea372616", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:23:22Z", + "name": "not-privileged-pod3.17deace3ea372616.17deace3ea763fdd", + "namespace": "gatekeeper-system", + "resourceVersion": "21767", + "uid": "8b27c584-aca1-4fa1-8149-fae68c41180e" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + 
"source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:28:51Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead308d01813c", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead308d01813c" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:28:51Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead308d01813c", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:28:51Z", + "name": "not-privileged-pod3.17dead308d01813c.17dead308d2c8ad0", + "namespace": "gatekeeper-system", + "resourceVersion": "22226", + "uid": "ceca2ad5-5ef7-420d-8ab3-6bf31c7df145" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:28:52Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead30a7a78fb1", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead30a7a78fb1" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:28:52Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + 
"resource_name": "not-privileged-pod3.17dead30a7a78fb1", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:28:52Z", + "name": "not-privileged-pod3.17dead30a7a78fb1.17dead30a7df45cf", + "namespace": "gatekeeper-system", + "resourceVersion": "22229", + "uid": "f0549c28-555a-4144-921e-32da753a36eb" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:28:53Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead30f4547729", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead30f4547729" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:28:53Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead30f4547729", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:28:53Z", + "name": "not-privileged-pod3.17dead30f4547729.17dead30f4930570", + "namespace": "gatekeeper-system", + "resourceVersion": "22232", + "uid": "979e2c71-265d-45ce-bb6e-6e99e95520d4" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:28:53Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead30f78c25c2", + "namespace": "gatekeeper-system", + "uid": 
"Event/default/not-privileged-pod3.17dead30f78c25c2" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:28:53Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead30f78c25c2", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:28:53Z", + "name": "not-privileged-pod3.17dead30f78c25c2.17dead30f7cd8096", + "namespace": "gatekeeper-system", + "resourceVersion": "22235", + "uid": "f0db24ad-e5e0-4155-a209-c100fef6f08d" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:28:53Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead30fc02b703", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead30fc02b703" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:28:53Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead30fc02b703", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:28:53Z", + "name": "not-privileged-pod3.17dead30fc02b703.17dead30fc2c11b0", + "namespace": "gatekeeper-system", + "resourceVersion": "22237", + "uid": 
"c69739ea-92c3-4394-9715-cf17de8c0f98" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:33:51Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead7644341cee", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead7644341cee" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:33:51Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead7644341cee", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:33:51Z", + "name": "not-privileged-pod3.17dead7644341cee.17dead764464d2f5", + "namespace": "gatekeeper-system", + "resourceVersion": "22646", + "uid": "7cd13db4-d539-4bbd-b654-79c017e030c0" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:34Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead8046a6c0b6", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead8046a6c0b6" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:34Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": 
"admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead8046a6c0b6", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:34Z", + "name": "not-privileged-pod3.17dead8046a6c0b6.17dead8046e56fdb", + "namespace": "gatekeeper-system", + "resourceVersion": "22714", + "uid": "08bf755e-2701-484b-a94f-73d55c14793f" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:34Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead805fae8b2c", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead805fae8b2c" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:34Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead805fae8b2c", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:34Z", + "name": "not-privileged-pod3.17dead805fae8b2c.17dead805fd782c3", + "namespace": "gatekeeper-system", + "resourceVersion": "22718", + "uid": "f22a412f-291a-4559-b7c6-15b26e113fa0" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:35Z", + 
"involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead80a44ea8e3", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead80a44ea8e3" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:35Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead80a44ea8e3", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:35Z", + "name": "not-privileged-pod3.17dead80a44ea8e3.17dead80a479fdae", + "namespace": "gatekeeper-system", + "resourceVersion": "22723", + "uid": "bbf9a036-7b63-4d7e-97f0-a2763d1ab3b6" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:35Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead80a707a509", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead80a707a509" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:35Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead80a707a509", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:35Z", + "name": 
"not-privileged-pod3.17dead80a707a509.17dead80a7331ae1", + "namespace": "gatekeeper-system", + "resourceVersion": "22725", + "uid": "d5fdbb9f-1e2e-4892-8d19-c4c0392d0dde" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:35Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead80ab2469b2", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead80ab2469b2" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:35Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead80ab2469b2", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:35Z", + "name": "not-privileged-pod3.17dead80ab2469b2.17dead80ab4fb794", + "namespace": "gatekeeper-system", + "resourceVersion": "22727", + "uid": "e2e5de28-4dae-436c-9fc7-d5a7acd28589" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:34:36Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead80de1d53fb", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead80de1d53fb" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:34:36Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" 
allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead80de1d53fb", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:34:36Z", + "name": "not-privileged-pod3.17dead80de1d53fb.17dead80de5ed774", + "namespace": "gatekeeper-system", + "resourceVersion": "22731", + "uid": "e5dc93ce-f0e7-4bf2-a426-42d705971ef0" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:36:30Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead9b75a03a8f", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead9b75a03a8f" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:36:30Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead9b75a03a8f", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:36:30Z", + "name": "not-privileged-pod3.17dead9b75a03a8f.17dead9b75e77aa0", + "namespace": "gatekeeper-system", + "resourceVersion": "22897", + "uid": "de09cfde-b26d-47bc-90b3-e6603c29ddb4" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + 
{ + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:36:31Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead9b8fa21871", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead9b8fa21871" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:36:31Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead9b8fa21871", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:36:31Z", + "name": "not-privileged-pod3.17dead9b8fa21871.17dead9b8fcc3358", + "namespace": "gatekeeper-system", + "resourceVersion": "22900", + "uid": "f29a44bf-34b7-407d-8c68-05f5bad2ca46" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:36:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead9bdb09cdc7", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead9bdb09cdc7" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:36:32Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead9bdb09cdc7", + 
"resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:36:32Z", + "name": "not-privileged-pod3.17dead9bdb09cdc7.17dead9bdb33bcab", + "namespace": "gatekeeper-system", + "resourceVersion": "22903", + "uid": "f903f233-6edb-4969-a4d8-d8c631a5ddc8" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:36:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead9bdda7d66f", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead9bdda7d66f" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:36:32Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead9bdda7d66f", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:36:32Z", + "name": "not-privileged-pod3.17dead9bdda7d66f.17dead9bddd07bb2", + "namespace": "gatekeeper-system", + "resourceVersion": "22905", + "uid": "60fd2a21-31b8-4981-a2f3-fff3dcf10e21" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:36:32Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17dead9be1c37e5f", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17dead9be1c37e5f" + }, + "kind": "Event", + 
"lastTimestamp": "2024-07-03T10:36:32Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17dead9be1c37e5f", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:36:32Z", + "name": "not-privileged-pod3.17dead9be1c37e5f.17dead9be1eac039", + "namespace": "gatekeeper-system", + "resourceVersion": "22907", + "uid": "d7206142-f7fe-4480-8d23-3897befdb31b" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:13Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadb36b874e0e", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadb36b874e0e" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:13Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadb36b874e0e", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:13Z", + "name": "not-privileged-pod3.17deadb36b874e0e.17deadb36bbfe482", + "namespace": "gatekeeper-system", + "resourceVersion": "23057", + "uid": "61896b5c-9d65-4793-af22-5f1fb8c5094a" + }, + "reason": "AllowedAdmission", + "reportingComponent": 
"gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:48Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadbb8d990c43", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadbb8d990c43" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:48Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadbb8d990c43", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:48Z", + "name": "not-privileged-pod3.17deadbb8d990c43.17deadbb8dc6548f", + "namespace": "gatekeeper-system", + "resourceVersion": "23114", + "uid": "153a1405-7b10-42c9-ab7d-a1f8cac7d014" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:49Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadbba65e691f", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadbba65e691f" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:49Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + 
"resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadbba65e691f", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:49Z", + "name": "not-privileged-pod3.17deadbba65e691f.17deadbba6893ffc", + "namespace": "gatekeeper-system", + "resourceVersion": "23117", + "uid": "26a6ba74-cc0a-4ff7-8602-9e6ebf0f49f9" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:50Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadbc05714596", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadbc05714596" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:50Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadbc05714596", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:50Z", + "name": "not-privileged-pod3.17deadbc05714596.17deadbc05c6bb2e", + "namespace": "gatekeeper-system", + "resourceVersion": "23124", + "uid": "ef5ca6d7-3ea6-4144-b92a-4ee700df69e3" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:50Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadbc087b40e9", + "namespace": 
"gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadbc087b40e9" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:50Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadbc087b40e9", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:50Z", + "name": "not-privileged-pod3.17deadbc087b40e9.17deadbc08a390e6", + "namespace": "gatekeeper-system", + "resourceVersion": "23126", + "uid": "89130cb9-db5c-464e-adfd-88a92ee09a0c" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:38:50Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadbc0cde932d", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadbc0cde932d" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:38:50Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadbc0cde932d", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:38:50Z", + "name": "not-privileged-pod3.17deadbc0cde932d.17deadbc0d0d242d", + "namespace": "gatekeeper-system", + "resourceVersion": "23128", + "uid": 
"b6b1d333-9a13-46b4-bf2e-5418f72e34e3" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:17Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadde4c1ebb42", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadde4c1ebb42" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:17Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadde4c1ebb42", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:17Z", + "name": "not-privileged-pod3.17deadde4c1ebb42.17deadde4c5198a2", + "namespace": "gatekeeper-system", + "resourceVersion": "23343", + "uid": "1fa0cc88-43b1-40ce-bc7c-2f7ad827382c" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:49Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deade594642169", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deade594642169" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:49Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": 
"admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deade594642169", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:49Z", + "name": "not-privileged-pod3.17deade594642169.17deade5949d1276", + "namespace": "gatekeeper-system", + "resourceVersion": "23399", + "uid": "bab6e7e8-2d9a-47b3-bd4b-467ca7d11cfc" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:49Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deade5ae54fa8a", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deade5ae54fa8a" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:49Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deade5ae54fa8a", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:49Z", + "name": "not-privileged-pod3.17deade5ae54fa8a.17deade5ae7cf73f", + "namespace": "gatekeeper-system", + "resourceVersion": "23402", + "uid": "c9900321-044c-4750-9c40-f127c9996a0e" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:50Z", + 
"involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deade5f9f7c105", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deade5f9f7c105" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:50Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deade5f9f7c105", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:50Z", + "name": "not-privileged-pod3.17deade5f9f7c105.17deade5fa24b7c8", + "namespace": "gatekeeper-system", + "resourceVersion": "23406", + "uid": "77f06b6a-55a8-4cd9-9ecf-17006ed5685b" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:51Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deade5fc9644c4", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deade5fc9644c4" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:51Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deade5fc9644c4", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:51Z", + "name": 
"not-privileged-pod3.17deade5fc9644c4.17deade5fcbdc7df", + "namespace": "gatekeeper-system", + "resourceVersion": "23408", + "uid": "af1e8613-0feb-49c1-ae77-d3e5a109ddeb" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:41:51Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deade601ec0bba", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deade601ec0bba" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:41:51Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" allowed request, Resource Namespace: default", + "metadata": { + "annotations": { + "event_type": "passed", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deade601ec0bba", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:41:51Z", + "name": "not-privileged-pod3.17deade601ec0bba.17deade602173b1e", + "namespace": "gatekeeper-system", + "resourceVersion": "23410", + "uid": "0ff65a06-47fd-452b-b15f-2dba0df2e2da" + }, + "reason": "AllowedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Normal" + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "" + } +} diff --git a/b.txt b/b.txt new file mode 100644 index 00000000000..1d6ff73f321 --- /dev/null +++ b/b.txt 
@@ -0,0 +1,581 @@ +{ + "apiVersion": "v1", + "items": [ + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:42:41Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deadf1d5e8f7ef", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deadf1d5e8f7ef/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:42:41Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deadf1d5e8f7ef\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:42:41Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23395\", \"uid\": \"d774f731-2ed8-498a-ba48-34ebdffaac65\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T10:42:41Z\", \"message\": \"Stopping container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:42:41Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:42:41Z\"}], \"name\": \"not-privileged-pod3.17deadf1d5e8f7ef\", \"namespace\": \"default\", \"uid\": \"2a0cbc2f-56ee-47aa-8d1c-84d7f51375b3\"}, 
\"reason\": \"Killing\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"8fce9ae5-5e0c-4413-a918-100769624c34\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deadf1d5e8f7ef", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:42:41Z", + "name": "not-privileged-pod3.17deadf1d5e8f7ef.17deadf1d61ce17c", + "namespace": "gatekeeper-system", + "resourceVersion": "23494", + "uid": "81e63231-5e04-456c-9308-7efae244ef71" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:44:23Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deae0984465ec6", + "namespace": "gatekeeper-system", + "uid": 
"Event/default/not-privileged-pod3.17deae0984465ec6/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:44:23Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deae0984465ec6\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:44:23Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23633\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T10:44:23Z\", \"message\": \"Successfully assigned default/not-privileged-pod3 to dortest-rep-control-plane\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:44:23Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:source\": {\"f:component\": {}}, \"f:type\": {}}, \"manager\": \"kube-scheduler\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:44:23Z\"}], \"name\": \"not-privileged-pod3.17deae0984465ec6\", \"namespace\": \"default\", \"uid\": \"c2faecc0-559f-411e-aac1-9b40ba0d9ce0\"}, \"reason\": \"Scheduled\", \"reportingComponent\": \"default-scheduler\", \"reportingInstance\": \"\", \"source\": {\"component\": \"default-scheduler\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", 
\"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"21665364-d12b-43da-bee2-64733588a80c\", \"userInfo\": {\"groups\": [\"system:authenticated\"], \"username\": \"system:kube-scheduler\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deae0984465ec6", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:44:23Z", + "name": "not-privileged-pod3.17deae0984465ec6.17deae0984702096", + "namespace": "gatekeeper-system", + "resourceVersion": "23638", + "uid": "a3b05b2e-f1f6-43f0-8c27-b9abc5b45571" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:44:24Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deae099dfa34cf", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deae099dfa34cf/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:44:24Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": 
\"v1\"}, \"name\": \"not-privileged-pod3.17deae099dfa34cf\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:44:24Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23634\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T10:44:24Z\", \"message\": \"Pulling image \\\"busybox\\\"\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:44:24Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:44:24Z\"}], \"name\": \"not-privileged-pod3.17deae099dfa34cf\", \"namespace\": \"default\", \"uid\": \"3f3930a8-0b9f-4ba6-94e7-fb2e55f648c5\"}, \"reason\": \"Pulling\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"591798e4-1148-47ea-8b80-f1d3149696a3\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": 
\"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deae099dfa34cf", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:44:24Z", + "name": "not-privileged-pod3.17deae099dfa34cf.17deae099e264b7b", + "namespace": "gatekeeper-system", + "resourceVersion": "23639", + "uid": "d23b4281-cd4a-42f7-aa79-e1a9d359afd4" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:44:25Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deae09ebc3acf4", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deae09ebc3acf4/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:44:25Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deae09ebc3acf4\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:44:25Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": 
\"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23634\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T10:44:25Z\", \"message\": \"Successfully pulled image \\\"busybox\\\" in 1.305s (1.305s including waiting). Image size: 2160406 bytes.\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:44:25Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:44:25Z\"}], \"name\": \"not-privileged-pod3.17deae09ebc3acf4\", \"namespace\": \"default\", \"uid\": \"1bac2dd5-81d0-42e5-811a-4656bcda309a\"}, \"reason\": \"Pulled\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"d99a377e-56d8-4ecc-87e3-e9abf5fa6de9\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": 
"DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deae09ebc3acf4", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:44:25Z", + "name": "not-privileged-pod3.17deae09ebc3acf4.17deae09ebf0ed9f", + "namespace": "gatekeeper-system", + "resourceVersion": "23641", + "uid": "b61e5f76-2ba2-4b27-b426-84fbab5835c3" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:44:25Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deae09eec250ae", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deae09eec250ae/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:44:25Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deae09eec250ae\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:44:25Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23634\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", 
\"lastTimestamp\": \"2024-07-03T10:44:25Z\", \"message\": \"Created container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:44:25Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:44:25Z\"}], \"name\": \"not-privileged-pod3.17deae09eec250ae\", \"namespace\": \"default\", \"uid\": \"7d70353d-c662-4599-9590-cc1289cb855d\"}, \"reason\": \"Created\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"c4854bac-fe3e-4150-966f-edc5589c5337\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": 
"not-privileged-pod3.17deae09eec250ae", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:44:25Z", + "name": "not-privileged-pod3.17deae09eec250ae.17deae09ef0093ca", + "namespace": "gatekeeper-system", + "resourceVersion": "23643", + "uid": "32e01af8-baa5-47cc-b46b-63c90f803f41" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T10:44:25Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deae09f2d161dd", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deae09f2d161dd/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T10:44:25Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deae09f2d161dd\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T10:44:25Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23634\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T10:44:25Z\", \"message\": \"Started container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T10:44:25Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, 
\"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T10:44:25Z\"}], \"name\": \"not-privileged-pod3.17deae09f2d161dd\", \"namespace\": \"default\", \"uid\": \"e1f116c5-c05d-4b62-b49b-d2e28aef0fe4\"}, \"reason\": \"Started\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"2812366c-d1d3-4cc8-bedb-1be26e31ebd8\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deae09f2d161dd", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T10:44:25Z", + "name": "not-privileged-pod3.17deae09f2d161dd.17deae09f2fbd979", + "namespace": "gatekeeper-system", + "resourceVersion": "23644", + "uid": 
"87459391-edb5-473e-8170-e73183b5b2fd" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:15:16Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafb8db124a8d", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafb8db124a8d/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:16Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafb8db124a8d\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:16Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"23634\", \"uid\": \"4a6ecb3c-d3b6-45f1-99b7-37337c10e294\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:16Z\", \"message\": \"Stopping container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:15:16Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", 
\"time\": \"2024-07-03T11:15:16Z\"}], \"name\": \"not-privileged-pod3.17deafb8db124a8d\", \"namespace\": \"default\", \"uid\": \"6d56db53-2f01-4709-a85b-7c2227d37ebf\"}, \"reason\": \"Killing\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"bbcc6e7b-eae0-4ac6-a1a8-498b16b018ba\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafb8db124a8d", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:16Z", + "name": "not-privileged-pod3.17deafb8db124a8d.17deafb8db7221a0", + "namespace": "gatekeeper-system", + "resourceVersion": "26167", + "uid": "98049040-4fb3-4013-a18e-2ecbecb36946" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + 
"firstTimestamp": "2024-07-03T11:15:47Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc0132bafc2", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc0132bafc2/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:47Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc0132bafc2\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:47Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"26217\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:47Z\", \"message\": \"Successfully assigned default/not-privileged-pod3 to dortest-rep-control-plane\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:15:47Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:source\": {\"f:component\": {}}, \"f:type\": {}}, \"manager\": \"kube-scheduler\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:15:47Z\"}], \"name\": \"not-privileged-pod3.17deafc0132bafc2\", \"namespace\": \"default\", \"uid\": \"a70af4c8-7e3a-400c-9b86-beb4e9e53d1f\"}, \"reason\": \"Scheduled\", \"reportingComponent\": \"default-scheduler\", \"reportingInstance\": \"\", \"source\": {\"component\": \"default-scheduler\"}, \"type\": \"Normal\"}, 
\"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"211a3af5-1474-4cbe-929a-b9ddf88c6a39\", \"userInfo\": {\"groups\": [\"system:authenticated\"], \"username\": \"system:kube-scheduler\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:kube-scheduler", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc0132bafc2", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:47Z", + "name": "not-privileged-pod3.17deafc0132bafc2.17deafc01358084b", + "namespace": "gatekeeper-system", + "resourceVersion": "26221", + "uid": "26f66f63-8608-49cc-a93d-555d0f63cdb3" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:15:47Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc02beb4387", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc02beb4387/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:47Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, 
Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc02beb4387\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:47Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"26219\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:47Z\", \"message\": \"Pulling image \\\"busybox\\\"\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:15:47Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:15:47Z\"}], \"name\": \"not-privileged-pod3.17deafc02beb4387\", \"namespace\": \"default\", \"uid\": \"aefeebbf-ffa0-460e-95fc-84568465bdb9\"}, \"reason\": \"Pulling\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": 
\"v1\"}, \"uid\": \"782b8847-2de0-400b-87ea-3e3c6d175e3e\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc02beb4387", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:47Z", + "name": "not-privileged-pod3.17deafc02beb4387.17deafc02c165663", + "namespace": "gatekeeper-system", + "resourceVersion": "26223", + "uid": "4922e3f2-1bda-4563-8ed5-a24740220f94" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:15:48Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc07742a36b", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc07742a36b/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:48Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc07742a36b\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", 
\"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:48Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"26219\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:48Z\", \"message\": \"Successfully pulled image \\\"busybox\\\" in 1.263s (1.263s including waiting). Image size: 2160406 bytes.\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:15:48Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:15:48Z\"}], \"name\": \"not-privileged-pod3.17deafc07742a36b\", \"namespace\": \"default\", \"uid\": \"c1a89fa9-dc60-43e9-822e-dadea4ea642f\"}, \"reason\": \"Pulled\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"6a6cbbb0-849c-4ffc-9151-92d136c2867c\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + 
"constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc07742a36b", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:48Z", + "name": "not-privileged-pod3.17deafc07742a36b.17deafc0776dda9f", + "namespace": "gatekeeper-system", + "resourceVersion": "26225", + "uid": "7ac79cc6-a441-4a23-8ae1-f114beabb7d7" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:15:48Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc079d8c1c2", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc079d8c1c2/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:48Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc079d8c1c2\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:48Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", 
\"namespace\": \"default\", \"resourceVersion\": \"26219\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:48Z\", \"message\": \"Created container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:15:48Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:15:48Z\"}], \"name\": \"not-privileged-pod3.17deafc079d8c1c2\", \"namespace\": \"default\", \"uid\": \"27557439-4b86-46a1-9f55-7cc2f8d35a8b\"}, \"reason\": \"Created\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"9a4890b0-20c7-49c0-a84f-8aeb799de071\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": 
"system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc079d8c1c2", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:48Z", + "name": "not-privileged-pod3.17deafc079d8c1c2.17deafc07a0df82f", + "namespace": "gatekeeper-system", + "resourceVersion": "26226", + "uid": "bd1cbf9e-cc68-4286-b8fe-2dbe40670582" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:15:48Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc07db81a98", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc07db81a98/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:15:48Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc07db81a98\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:15:48Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"26219\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:15:48Z\", \"message\": \"Started container privileged-container\", \"metadata\": {\"creationTimestamp\": 
\"2024-07-03T11:15:48Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": {}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:15:48Z\"}], \"name\": \"not-privileged-pod3.17deafc07db81a98\", \"namespace\": \"default\", \"uid\": \"1f7d254e-6c6f-41f6-ae29-48daf786a1c8\"}, \"reason\": \"Started\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"114b953b-3128-4328-a443-dab6631e53d7\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc07db81a98", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:15:48Z", + "name": 
"not-privileged-pod3.17deafc07db81a98.17deafc07de20a18", + "namespace": "gatekeeper-system", + "resourceVersion": "26227", + "uid": "1ae96e15-a90e-4a86-9cda-b09e09a50fba" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": "gatekeeper-webhook" + }, + "type": "Warning" + }, + { + "apiVersion": "v1", + "count": 1, + "eventTime": null, + "firstTimestamp": "2024-07-03T11:16:06Z", + "involvedObject": { + "kind": "Event", + "name": "not-privileged-pod3.17deafc4a739471c", + "namespace": "gatekeeper-system", + "uid": "Event/default/not-privileged-pod3.17deafc4a739471c/DenyGatekeeperEvents/deny-gatekeeper-webhook-events/" + }, + "kind": "Event", + "lastTimestamp": "2024-07-03T11:16:06Z", + "message": "Admission webhook \"validation.gatekeeper.sh\" denied request, Resource Namespace: default, Constraint: deny-gatekeeper-webhook-events, Message: Denied event created by gatekeeper-webhook: {\"dryRun\": false, \"kind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"name\": \"not-privileged-pod3.17deafc4a739471c\", \"namespace\": \"default\", \"object\": {\"apiVersion\": \"v1\", \"count\": 1, \"eventTime\": null, \"firstTimestamp\": \"2024-07-03T11:16:06Z\", \"involvedObject\": {\"apiVersion\": \"v1\", \"fieldPath\": \"spec.containers{privileged-container}\", \"kind\": \"Pod\", \"name\": \"not-privileged-pod3\", \"namespace\": \"default\", \"resourceVersion\": \"26219\", \"uid\": \"634b9963-2a4d-48d6-bbee-d9cfecb7f791\"}, \"kind\": \"Event\", \"lastTimestamp\": \"2024-07-03T11:16:06Z\", \"message\": \"Stopping container privileged-container\", \"metadata\": {\"creationTimestamp\": \"2024-07-03T11:16:06Z\", \"managedFields\": [{\"apiVersion\": \"v1\", \"fieldsType\": \"FieldsV1\", \"fieldsV1\": {\"f:count\": {}, \"f:firstTimestamp\": {}, \"f:involvedObject\": {}, \"f:lastTimestamp\": {}, \"f:message\": {}, \"f:reason\": {}, \"f:reportingComponent\": {}, \"f:reportingInstance\": 
{}, \"f:source\": {\"f:component\": {}, \"f:host\": {}}, \"f:type\": {}}, \"manager\": \"kubelet\", \"operation\": \"Update\", \"time\": \"2024-07-03T11:16:06Z\"}], \"name\": \"not-privileged-pod3.17deafc4a739471c\", \"namespace\": \"default\", \"uid\": \"988439e3-ed6f-4872-addb-c1660c389a14\"}, \"reason\": \"Killing\", \"reportingComponent\": \"kubelet\", \"reportingInstance\": \"dortest-rep-control-plane\", \"source\": {\"component\": \"kubelet\", \"host\": \"dortest-rep-control-plane\"}, \"type\": \"Normal\"}, \"oldObject\": null, \"operation\": \"CREATE\", \"options\": {\"apiVersion\": \"meta.k8s.io/v1\", \"kind\": \"CreateOptions\"}, \"requestKind\": {\"group\": \"\", \"kind\": \"Event\", \"version\": \"v1\"}, \"requestResource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"resource\": {\"group\": \"\", \"resource\": \"events\", \"version\": \"v1\"}, \"uid\": \"ae966713-61b2-4b33-82ca-bfacce1b1350\", \"userInfo\": {\"groups\": [\"system:nodes\", \"system:authenticated\"], \"username\": \"system:node:dortest-rep-control-plane\"}}", + "metadata": { + "annotations": { + "constraint_action": "deny", + "constraint_api_version": "v1beta1", + "constraint_group": "constraints.gatekeeper.sh", + "constraint_kind": "DenyGatekeeperEvents", + "constraint_name": "deny-gatekeeper-webhook-events", + "event_type": "violation", + "process": "admission", + "request_username": "system:node:dortest-rep-control-plane", + "resource_api_version": "v1", + "resource_group": "", + "resource_kind": "Event", + "resource_name": "not-privileged-pod3.17deafc4a739471c", + "resource_namespace": "default" + }, + "creationTimestamp": "2024-07-03T11:16:06Z", + "name": "not-privileged-pod3.17deafc4a739471c.17deafc4a76a693b", + "namespace": "gatekeeper-system", + "resourceVersion": "26252", + "uid": "40c1ef03-6e59-4505-b803-2cccd7097254" + }, + "reason": "FailedAdmission", + "reportingComponent": "gatekeeper-webhook", + "reportingInstance": "", + "source": { + "component": 
"gatekeeper-webhook" + }, + "type": "Warning" + } + ], + "kind": "List", + "metadata": { + "resourceVersion": "" + } +} diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index b669f94aabc..3cc6070b9e7 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -78,7 +78,8 @@ spec: - --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_METRICS_PORT - --logtostderr - --log-denies={{ .Values.logDenies }} - - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --emit-allow-admission-events={{ .Values.emitAllowAdmissionEvents }} + - --emit-deny-admission-events={{ .Values.emitDenyAdmissionEvents }} - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} - --exempt-namespace={{ .Release.Namespace }} diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 0a69ba9e758..2e5c6890243 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
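Review bot: Replacing `--emit-admission-events={{ .Values.emitAdmissionEvents }}` outright means a release that already sets `emitAdmissionEvents: true` stops emitting admission-violation events after upgrade with no error, because the old key is simply no longer read. The same rename is repeated in both `values.yaml` files, in the chart's deployment template and in the flag definition in `pkg/webhook/common.go`, where a manifest that still passes `--emit-admission-events` would presumably fail flag parsing at startup. For anyone alerting on `FailedAdmission` events this is a silent detection gap. I would keep the old value as a deprecated fallback, e.g. `- --emit-deny-admission-events={{ or .Values.emitAdmissionEvents .Values.emitDenyAdmissionEvents }}`, keep the old flag registered as a deprecated alias, and call the rename out in the upgrade notes.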
@@ -163,10 +163,11 @@ information._ | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | -| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAllowAdmissionEvents | Emit K8s events in configurable namespace for allowed admission requests (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | -| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | +| emitDenyAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. 
(alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index ac84eabf1b4..168bd57b1b3 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -38,8 +38,9 @@ auditChunkSize: 500 logLevel: INFO logDenies: false logMutations: false -emitAdmissionEvents: false +emitAllowAdmissionEvents: false emitAuditEvents: false +emitDenyAdmissionEvents: false admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 0a69ba9e758..2e5c6890243 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
@@ -163,10 +163,11 @@ information._ | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | -| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAllowAdmissionEvents | Emit K8s events in configurable namespace for allowed admission requests (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | -| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` | +| emitDenyAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` | +| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. 
(alpha feature) | `GATEKEEPER_DEFAULT` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | | logDenies | Log detailed info on each deny | `false` | diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index df9807a6d96..772a693ca10 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -57,7 +57,8 @@ spec: - --prometheus-port={{ .Values.controllerManager.metricsPort }} - --logtostderr - --log-denies={{ .Values.logDenies }} - - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --emit-allow-admission-events={{ .Values.emitAllowAdmissionEvents }} + - --emit-deny-admission-events={{ .Values.emitDenyAdmissionEvents }} - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} - --exempt-namespace={{ .Release.Namespace }} diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index ac84eabf1b4..168bd57b1b3 100644 
--- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -38,8 +38,9 @@ auditChunkSize: 500 logLevel: INFO logDenies: false logMutations: false -emitAdmissionEvents: false +emitAllowAdmissionEvents: false emitAuditEvents: false +emitDenyAdmissionEvents: false admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go index 193c5ccc13d..3d38cc19728 100644 --- a/pkg/webhook/common.go +++ b/pkg/webhook/common.go @@ -50,7 +50,8 @@ var ( deserializer = codecs.UniversalDeserializer() disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint") logDenies = flag.Bool("log-denies", false, "log detailed info on each deny") - emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events for each admission violation") + emitAllowAdmissionEvents = flag.Bool("emit-allow-admission-events", false, "(alpha) emit Kubernetes events for each allowed admission request") + emitDenyAdmissionEvents = flag.Bool("emit-deny-admission-events", false, "(alpha) emit Kubernetes events for each admission violation") admissionEventsInvolvedNamespace = flag.Bool("admission-events-involved-namespace", false, "emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will still follow the default behavior") logStatsAdmission = flag.Bool("log-stats-admission", false, "(alpha) log stats for admission webhook") serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName) diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go index e6c36d46ac1..fd6d6da1a25 100644 --- a/pkg/webhook/policy.go +++ b/pkg/webhook/policy.go 
@@ -242,10 +242,12 @@ func (h *validationHandler) Handle(ctx context.Context, req admission.Request) a func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *admission.Request) ([]string, []string) { var denyMsgs, warnMsgs []string + var eventMsg, reason string var resourceName string obj := &unstructured.Unstructured{} - if len(res) > 0 && (*logDenies || *emitAdmissionEvents) { + if len(res) > 0 && (*logDenies || *emitDenyAdmissionEvents) || + len(res) == 0 && *emitAllowAdmissionEvents { resourceName = req.AdmissionRequest.Name if req.AdmissionRequest.Object.Raw != nil { if _, _, err := deserializer.Decode(req.AdmissionRequest.Object.Raw, nil, obj); err == nil { 
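Review bot: The new guard mixes `&&` and `||` without grouping, which is correct only because `&&` binds tighter than `||` in Go and is easy to misread in a branch that decides whether admission events are produced. I would parenthesise both arms: `if (len(res) > 0 && (*logDenies || *emitDenyAdmissionEvents)) || (len(res) == 0 && *emitAllowAdmissionEvents) {`. Hoisting `var eventMsg, reason string` to function scope also makes the allow path and the per-result loop share the two variables; declaring them inside each block would keep a value set on one path from being visible on the other. `getValidationMessages` continues beyond this hunk.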
@@ -257,6 +259,28 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm } } } + if len(res) == 0 && *emitAllowAdmissionEvents { + annotations := map[string]string{ + logging.Process: "admission", + logging.EventType: "passed", + logging.ResourceGroup: req.AdmissionRequest.Kind.Group, + logging.ResourceAPIVersion: req.AdmissionRequest.Kind.Version, + logging.ResourceKind: req.AdmissionRequest.Kind.Kind, + logging.ResourceNamespace: req.AdmissionRequest.Namespace, + logging.ResourceName: resourceName, + logging.RequestUsername: req.AdmissionRequest.UserInfo.Username, + } + eventMsg = "Admission webhook \"validation.gatekeeper.sh\" allowed request" + reason = "AllowedAdmission" + + ref := getAdmissionRef(nil, h.gkNamespace, req.AdmissionRequest.Kind.Kind, resourceName, obj.GetNamespace(), obj.GetResourceVersion(), obj.GetUID(), *admissionEventsInvolvedNamespace) + + if *admissionEventsInvolvedNamespace { + h.eventRecorder.AnnotatedEventf(ref, annotations, corev1.EventTypeNormal, reason, "%s", eventMsg) + } else { + h.eventRecorder.AnnotatedEventf(ref, annotations, corev1.EventTypeNormal, reason, "%s, Resource Namespace: %s", eventMsg, req.AdmissionRequest.Namespace) + } + } for _, r := range res { if err := util.ValidateEnforcementAction(util.EnforcementAction(r.EnforcementAction)); err != nil { continue @@ -280,7 +304,7 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm ).Info( fmt.Sprintf("denied admission: %s", r.Msg)) } - if *emitAdmissionEvents { + if *emitDenyAdmissionEvents { annotations := map[string]string{ logging.Process: "admission", logging.EventType: "violation", @@ -296,7 +320,6 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm logging.ResourceName: resourceName, logging.RequestUsername: req.AdmissionRequest.UserInfo.Username, } - var eventMsg, reason string switch r.EnforcementAction { case string(util.Dryrun): eventMsg = "Dryrun violation" 
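Review bot: The added `if len(res) == 0 && *emitAllowAdmissionEvents` block records one event for every request that returns no results, with no filter on the requesting identity or the resource kind. If the validating webhook is configured to review `events` (the sample output committed in `a.txt` shows Gatekeeper events whose `involvedObject.kind` is `Event`), each event Gatekeeper writes becomes another admitted request and another event, which can load the API server and etcd and bury the deny events operators alert on. Assuming the recorder writes as the `serviceaccount` identity defined in `common.go`, I would at least skip Gatekeeper's own writes with `if len(res) == 0 && *emitAllowAdmissionEvents && req.AdmissionRequest.UserInfo.Username != serviceaccount {` and document the expected event volume next to the flag. A request with only `warn` or `dryrun` results is admitted but never gets an `AllowedAdmission` event, because the condition tests `len(res) == 0` rather than the final decision. The function continues outside this hunk.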
@@ -309,7 +332,7 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm reason = "FailedAdmission" } - ref := getViolationRef(h.gkNamespace, req.AdmissionRequest.Kind.Kind, resourceName, obj.GetNamespace(), obj.GetResourceVersion(), obj.GetUID(), r.Constraint.GetKind(), r.Constraint.GetName(), r.Constraint.GetNamespace(), *admissionEventsInvolvedNamespace) + ref := getAdmissionRef(r.Constraint, h.gkNamespace, req.AdmissionRequest.Kind.Kind, resourceName, obj.GetNamespace(), obj.GetResourceVersion(), obj.GetUID(), *admissionEventsInvolvedNamespace) if *admissionEventsInvolvedNamespace { h.eventRecorder.AnnotatedEventf(ref, annotations, corev1.EventTypeWarning, reason, "%s, Constraint: %s, Message: %s", eventMsg, r.Constraint.GetName(), r.Msg) @@ -653,7 +676,7 @@ func createReviewForResultant(obj *unstructured.Unstructured, ns *corev1.Namespa } } -func getViolationRef(gkNamespace, rkind, rname, rnamespace, rrv string, ruid types.UID, ckind, cname, cnamespace string, emitInvolvedNamespace bool) *corev1.ObjectReference { +func getAdmissionRef(constraint *unstructured.Unstructured, gkNamespace, rkind, rname, rnamespace, rrv string, ruid types.UID, emitInvolvedNamespace bool) *corev1.ObjectReference { enamespace := gkNamespace if emitInvolvedNamespace && len(rnamespace) > 0 { enamespace = rnamespace @@ -667,7 +690,11 @@ func getViolationRef(gkNamespace, rkind, rname, rnamespace, rrv string, ruid typ ref.UID = ruid ref.ResourceVersion = rrv } else if !emitInvolvedNamespace { - ref.UID = types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + ckind + "/" + cnamespace + "/" + cname) + if constraint != nil { + ref.UID = types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + constraint.GetKind() + "/" + constraint.GetName() + "/" + constraint.GetNamespace()) + } else { + ref.UID = types.UID(rkind + "/" + rnamespace + "/" + rname) + } } return ref } diff --git a/test/bats/test.bats b/test/bats/test.bats index 5e67e773e23..631bfe11698 100644 
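Review bot: The synthetic UID built in `getAdmissionRef` no longer matches what `getViolationRef` produced: the removed line joined `ckind + "/" + cnamespace + "/" + cname`, while the new one joins `constraint.GetKind() + "/" + constraint.GetName() + "/" + constraint.GetNamespace()`, so name and namespace are swapped. Anything that correlates or deduplicates deny events on `involvedObject.uid` will see different values after this change, which looks unintended for a rename. Keeping the old order would be `ref.UID = types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + constraint.GetKind() + "/" + constraint.GetNamespace() + "/" + constraint.GetName())`. The function's signature is in the preceding hunk and part of its body lies outside both.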
--- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -153,6 +153,8 @@ teardown_file() { kubectl apply -f ${BATS_TESTS_DIR}/templates/k8srequiredlabels_template.yaml wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_cm_must_have_gatekeeper_audit.yaml" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/constraints/all_ns_must_have_gatekeeper_events.yaml" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8srequiredlabels ns-must-have-gk-events" } @test "no ignore label unless namespace is exempt test" { @@ -262,6 +264,10 @@ __required_labels_audit_test() { @test "emit events test" { # list events for easy debugging kubectl get events -n gatekeeper-test-playground + + events=$(kubectl get events -n gatekeeper-test-playground --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.process=="admission" )' | jq -s '. | length') + [[ "$events" -ge 1 ]] + events=$(kubectl get events -n gatekeeper-test-playground --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') [[ "$events" -ge 1 ]] @@ -270,6 +276,8 @@ __required_labels_audit_test() { events=$(kubectl get events -n gatekeeper-test-playground --field-selector reason=AuditViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') [[ "$events" -ge 1 ]] + + kubectl delete --ignore-not-found -f ${BATS_TESTS_DIR}/good/good_ns.yaml } __namespace_exclusion_test() { diff --git a/test/bats/tests/constraints/all_ns_must_have_gatekeeper_events.yaml b/test/bats/tests/constraints/all_ns_must_have_gatekeeper_events.yaml new file mode 100644 index 00000000000..439caa1ad3c --- /dev/null +++ b/test/bats/tests/constraints/all_ns_must_have_gatekeeper_events.yaml 
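Review bot: The additions to `emit events test` only count `FailedAdmission` events with `process=="admission"`; nothing asserts that an `AllowedAdmission` event is produced, so the new `--emit-allow-admission-events` path is untested end to end. I would add a matching check once the allowed namespace has been created, e.g. `events=$(kubectl get events -n gatekeeper-test-playground --field-selector reason=AllowedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.event_type=="passed")' | jq -s '. | length')` followed by `[[ "$events" -ge 1 ]]`. The namespace those events land in depends on `admissionEventsInvolvedNamespace` and on the object being cluster-scoped, so the `-n` value should be confirmed against where Namespace events are actually written. The test body continues outside these hunks.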
@@ -0,0 +1,16 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sRequiredLabels +metadata: + name: ns-must-have-gk-events + labels: + gatekeeper.sh/tests: "yes" +spec: + match: + kinds: + - apiGroups: [""] + kinds: ["Namespace"] + labelSelector: + matchLabels: + test.gatekeeper.sh/events: "yes" + parameters: + labels: ["gatekeeper"] diff --git a/test/bats/tests/good/good_ns.yaml b/test/bats/tests/good/good_ns.yaml index a08eb5c5270..b1b157e2209 100644 --- a/test/bats/tests/good/good_ns.yaml +++ b/test/bats/tests/good/good_ns.yaml @@ -4,3 +4,5 @@ metadata: name: gatekeeper-test-ns2 labels: owner: me.agilebank.demo + gatekeeper: "true" + gatekeeper.sh/events: "yes" \ No newline at end of file diff --git a/website/docs/customize-startup.md b/website/docs/customize-startup.md index abf2b93b459..e5f7e979e3e 100644 --- a/website/docs/customize-startup.md +++ b/website/docs/customize-startup.md 
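Review bot: The new constraint selects namespaces labelled `test.gatekeeper.sh/events: "yes"`, but the label added to `good_ns.yaml` in the next hunk is `gatekeeper.sh/events: "yes"`, so as written `ns-must-have-gk-events` does not appear to match `gatekeeper-test-ns2` at all. If the intent is for that namespace to be evaluated by the constraint and admitted, the keys need to agree: either change the selector to `gatekeeper.sh/events: "yes"` or the label to `test.gatekeeper.sh/events: "yes"`. `good_ns.yaml` also now ends without a trailing newline.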
@@ -23,22 +23,25 @@ The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](htt ## [Alpha] Emit admission and audit events -The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events. This flag is in alpha stage and it is set to `false` by default. +The `--emit-allow-admission-events` flag enables the emission of all allowed admission requests as Kubernetes events. This flag is in alpha stage and it is set to `false` by default. The `--emit-audit-events` flag enables the emission of all audit violation as Kubernetes events. This flag is in alpha stage and it is set to `false` by default. +The `--emit-deny-admission-events` flag enables the emission of all admission violations as Kubernetes events. This flag is in alpha stage and it is set to `false` by default. + The `--admission-events-involved-namespace` flag controls which namespace admission events will be created in. When set to `true`, admission events will be created in the namespace of the object violating the constraint. If the object has no namespace (ie. cluster scoped resources), they will be created in the namespace Gatekeeper is installed in. Setting to `false` will cause all admission events to be created in the Gatekeeper namespace. The `--audit-events-involved-namespace` flag controls which namespace audit events will be created in. When set to `true`, audit events will be created in the namespace of the object violating the constraint. If the object has no namespace (ie. cluster scoped resources), they will be created in the namespace Gatekeeper is installed in. Setting to `false` will cause all audit events to be created in the Gatekeeper namespace. 
-There are four types of events that are emitted by Gatekeeper when the emit event flags are enabled: +There are five types of events that are emitted by Gatekeeper when the emit event flags are enabled: -| Event | Description | -| ------------------ | ----------------------------------------------------------------------- | -| `FailedAdmission` | The Gatekeeper webhook denied the admission request (default behavior). | -| `WarningAdmission` | When `enforcementAction: warn` is specified in the constraint. | -| `DryrunViolation` | When `enforcementAction: dryrun` is specified in the constraint. | -| `AuditViolation` | A violation is detected during an audit. | +| Flag | Event | Description | +| ------------------------- | ------------------ | ------------------------------------------------------------------------------- | +| emit-allow-admission-events | `AllowedAdmission` | The Gatekeeper webhook allowed the admission of the request (default behavior). | +| emit-deny-admission-events | `FailedAdmission` | The Gatekeeper webhook denied the admission request (default behavior). | +| emit-deny-admission-events | `WarningAdmission` | When `enforcementAction: warn` is specified in the constraint. | +| emit-deny-admission-events | `DryrunViolation` | When `enforcementAction: dryrun` is specified in the constraint. | +| emit-audit-events | `AuditViolation` | A violation is detected during an audit. | > ❗ Warning: if the same constraint and violating resource tuple was emitted for [more than 10 times in a 10-minute rolling interval](https://github.com/kubernetes/kubernetes/blob/v1.23.3/staging/src/k8s.io/client-go/tools/record/events_cache.go#L429-L438), the Kubernetes event recorder will aggregate the events, e.g. > ```