

Merge branch 'master' into dependabot/docker/test/image/golang-45b4337
sozercan authored Sep 13, 2024
2 parents 3507247 + b8025ce commit 35e18f8
Showing 19 changed files with 175 additions and 166 deletions.
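--- /dev/null
+++ b/.github/workflows/helm-lint.yaml
@@ -0,0 +1,33 @@
+name: check-helm-lint
+on:
+push:
+paths:
+- "cmd/build/helmify/static/**"
+- "manifest_staging/**"
+pull_request:
+paths:
+- "cmd/build/helmify/static/**"
+- "manifest_staging/**"
+
+permissions: read-all
+
+jobs:
+helm_lint_test:
+name: "Helm lint"
+runs-on: ubuntu-22.04
+timeout-minutes: 15
+
+steps:
+- name: Check out code into the Go module directory
+uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+- name: Set up Helm
+uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+with:
+version: "3.14.1"
+id: install
+
+- name: Lint Helm charts
+run: |
+helm lint manifest_staging/charts/gatekeeper/
+helm lint cmd/build/helmify/static/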
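Review bot: Both `helm lint` invocations in the last step run without `--strict`, so anything Helm classifies as a warning does not fail the job; if this workflow is meant to gate merges on chart hygiene, `helm lint --strict manifest_staging/charts/gatekeeper/` (and the same for the static chart) turns those warnings into failures. The `id: install` on the setup-helm step is never referenced by a later step and can be dropped. Pinning both actions by commit SHA with a version comment and setting `permissions: read-all` is the right pattern — keep it for any step added later.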
10 changes: 2 additions & 8 deletions Dockerfile
@@ -1,10 +1,4 @@
ARG BUILDPLATFORM="linux/amd64"
ARG BUILDERIMAGE="golang:1.22-bookworm"
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"

FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder
FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder

ARG TARGETPLATFORM
ARG TARGETOS
Expand All @@ -24,7 +18,7 @@ COPY . .

RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager

FROM $BASEIMAGE
FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65

WORKDIR /
COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
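Review bot: The new runtime base line pins `gcr.io/distroless/static-debian12` by digest only and drops the `:nonroot` tag that the removed `BASEIMAGE` default carried, so nothing on this page shows whether the digest is the non-root variant, and the rest of the Dockerfile — where a `USER` directive would live — is cut off below the hunk. Confirm the digest resolves to the `nonroot` tag and add `USER 65532:65532` after `WORKDIR /`, as gator.Dockerfile in this same commit already does, so running as non-root no longer depends on which variant a future digest bump happens to pick (note that the runtime ignores a tag when a digest is present, so `static-debian12:nonroot@sha256:…` is documentation only, not enforcement). Replacing `ARG BUILDERIMAGE` / `ARG BASEIMAGE` with literals also removes the `--build-arg` override points; if anyone builds against an internal registry mirror, that is a behaviour change worth a line in the commit message.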
2 changes: 1 addition & 1 deletion build/tooling/Dockerfile
@@ -1,4 +1,4 @@
FROM golang:1.23-bookworm@sha256:31dc846dd1bcca84d2fa231bcd16c09ff271bcc1a5ae2c48ff10f13b039688f3
FROM golang:1.23-bookworm@sha256:1a5326b07cbab12f4fd7800425f2cf25ff2bd62c404ef41b56cb99669a710a83

RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
RUN GO111MODULE=on go install k8s.io/code-generator/cmd/[email protected]
2 changes: 1 addition & 1 deletion cmd/build/helmify/main.go
Expand Up @@ -157,7 +157,7 @@ func (ks *kindSet) Write() error {
}

if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
obj = strings.Replace(obj, "apiVersion: policy/v1", "{{ $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{ $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1)
}

if name == "gatekeeper-manager-role" && kind == "ClusterRole" {
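Review bot: The replacement template now opens with `{{ $v1 := … -}}` instead of `{{- $v1 := … -}}`, and nothing in the code records why, so the next tidy-up is likely to restore the dash — which trims all preceding whitespace, including the newline after the `---` document separator that the chart template shows on the line before these, gluing `apiVersion:` onto it. A why-comment above the `strings.Replace` would prevent that: `// Leading "{{ " (no dash) is deliberate: "{{-" would trim the newline after the "---" separator and glue "apiVersion:" onto it.` The identical template text is also edited by hand in the manifest_staging PDB template in this commit; if that file is regenerated from this code, say so in the comment, otherwise hoist the snippet into a single constant both places use. `Write` begins before the hunk.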
2 changes: 1 addition & 1 deletion cmd/build/helmify/static/values.yaml
Expand Up @@ -224,7 +224,7 @@ controllerManager:
extraRules: []
networkPolicy:
enabled: false
ingress: { }
ingress: []
# - from:
# - ipBlock:
# cidr: 0.0.0.0/0
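Review bot: The default moves from `ingress: { }` to `ingress: []`, which matches the commented list example beneath it, but if the template copies this value into `spec.ingress` when `networkPolicy.enabled` is true, an empty rule list with `Ingress` in `policyTypes` denies all inbound traffic to the selected pods — including the API server's calls to the webhook. The default deserves a warning comment right here: `# An enabled NetworkPolicy with no ingress rules blocks ALL inbound traffic, including API-server webhook calls; add at least one rule before enabling.` I cannot see the NetworkPolicy template, so confirm how an empty list renders there. The same edit lands in manifest_staging/charts/gatekeeper/values.yaml; if that copy is generated from this file, this is the only place to change.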
2 changes: 1 addition & 1 deletion crd.Dockerfile
@@ -1,4 +1,4 @@
FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.30.3 AS builder
FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.31.1 AS builder

ARG TARGETPLATFORM
ARG TARGETOS
10 changes: 2 additions & 8 deletions gator.Dockerfile
@@ -1,10 +1,4 @@
ARG BUILDPLATFORM="linux/amd64"
ARG BUILDERIMAGE="golang:1.22-bookworm"
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot"

FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder
FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder

ARG TARGETPLATFORM
ARG TARGETOS
Expand All @@ -23,7 +17,7 @@ WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/cmd/gator

RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o /gator

FROM --platform=$BUILDPLATFORM $BASEIMAGE AS build
FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 AS build
USER 65532:65532
COPY --from=builder --chown=65532:65532 /gator /gator
ENTRYPOINT ["/gator"]
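Review bot: The final stage now pins `gcr.io/distroless/static-debian12` by digest and drops the `:nonroot` tag the removed `BASEIMAGE` default carried; the explicit `USER 65532:65532` below keeps gator non-root whichever variant the digest is, so this stage is safe, but for a multi-arch build the digest must be the image-index digest, not a single-platform manifest digest, or the `--platform` selection cannot resolve the other architectures. Worth a comment on the `FROM` line so the next bump preserves both properties: `# image-index digest of static-debian12:nonroot; keep the USER line below regardless of variant`. Dropping `ARG BUILDERIMAGE` / `ARG BASEIMAGE` also removes the `--build-arg` override points, which is a behaviour change for anyone building from a mirror.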
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
{{ $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
{{ $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
kind: PodDisruptionBudget
metadata:
2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/values.yaml
Expand Up @@ -224,7 +224,7 @@ controllerManager:
extraRules: []
networkPolicy:
enabled: false
ingress: { }
ingress: []
# - from:
# - ipBlock:
# cidr: 0.0.0.0/0
3 changes: 0 additions & 3 deletions pkg/gator/verify/runner.go
Expand Up @@ -361,9 +361,6 @@ func (r *Runner) validateAndReviewAdmissionReviewRequest(ctx context.Context, c
}

req := &admission.Request{AdmissionRequest: *ar.Request}
if err := util.SetObjectOnDelete(req); err != nil {
return nil, fmt.Errorf("%w: %w", gator.ErrInvalidK8sAdmissionReview, err)
}

arr := target.AugmentedReview{
AdmissionRequest: &req.AdmissionRequest,
4 changes: 3 additions & 1 deletion pkg/gator/verify/runner_test.go
Expand Up @@ -10,8 +10,10 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
clienterrors "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors"
"github.com/open-policy-agent/gatekeeper/v3/pkg/gator"
"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/fixtures"
"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/utils/ptr"
)
Expand Down Expand Up @@ -1155,7 +1157,7 @@ func TestRunner_Run(t *testing.T) {
{Name: "invalid admission review object", Error: gator.ErrInvalidK8sAdmissionReview},
{Name: "missing admission request object", Error: gator.ErrMissingK8sAdmissionRequest},
{Name: "no objects to review", Error: gator.ErrNoObjectForReview},
{Name: "no oldObject on delete", Error: gator.ErrInvalidK8sAdmissionReview},
{Name: "no oldObject on delete", Error: &clienterrors.ErrorMap{target.Name: constraintclient.ErrReview}},
},
},
{
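Review bot: The expectation for the "no oldObject on delete" fixture is now the generic `&clienterrors.ErrorMap{target.Name: constraintclient.ErrReview}`, so this case can no longer tell the missing-oldObject failure apart from any other review error the target might return for the same input. If the comparison helper (outside the hunk) goes through `errors.Is`, also assert the cause, e.g. `errors.Is(err, target.ErrOldObjectIsNil)`, or put `target.ErrOldObjectIsNil` into the expected map value if `ErrorMap` unwraps to it; otherwise the regression this case was written for could reappear as a different error and still pass. The surrounding table-driven test begins and ends outside the hunk.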
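--- a/pkg/target/target.go
+++ b/pkg/target/target.go
@@ -18,6 +18,9 @@ import (
 "k8s.io/apimachinery/pkg/util/validation/field"
 )
 
+// nolint: revive // Moved error out of pkg/webhook/admission; needs capitalization for backwards compat.
+var ErrOldObjectIsNil = errors.New("oldObject cannot be nil for DELETE operations")
+
 // Name is the name of Gatekeeper's Kubernetes validation target.
 const Name = "admission.k8s.gatekeeper.sh"
 
@@ -127,6 +130,10 @@ func (h *K8sValidationTarget) handleReview(obj interface{}) (bool, *gkReview, er
 return false, nil, nil
 }
 
+if err := setObjectOnDelete(review); err != nil {
+return false, nil, err
+}
+
 return true, review, nil
 }
 
@@ -249,3 +256,24 @@ func (h *K8sValidationTarget) ToMatcher(u *unstructured.Unstructured) (constrain
 func (h *K8sValidationTarget) GetCache() handler.Cache {
 return &h.cache
 }
+
+// setObjectOnDelete enforces that we use at least K8s API v1.15.0+ on DELETE operations
+// and copies over the oldObject into the Object field for the given AdmissionRequest.
+func setObjectOnDelete(review *gkReview) error {
+if review.AdmissionRequest.Operation == admissionv1.Delete {
+// oldObject is the existing object.
+// It is null for DELETE operations in API servers prior to v1.15.0.
+// https://github.com/kubernetes/website/pull/14671
+if review.AdmissionRequest.OldObject.Raw == nil {
+return ErrOldObjectIsNil
+}
+
+// For admission webhooks registered for DELETE operations on k8s built APIs or CRDs,
+// the apiserver now sends the existing object as admissionRequest.Request.OldObject to the webhook
+// object is the new object being admitted.
+// It is null for DELETE operations.
+// https://github.com/kubernetes/kubernetes/pull/76346
+review.AdmissionRequest.Object = review.AdmissionRequest.OldObject
+}
+return nil
+}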
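Review bot: `setObjectOnDelete` rejects a DELETE review solely on `OldObject.Raw == nil`, but `runtime.RawExtension` can also carry the object in its `Object` field, so a review assembled in memory with a decoded `OldObject.Object` and no `Raw` would be turned away with ErrOldObjectIsNil; if that path is reachable for any caller (I cannot see how `gkReview` values are constructed), the guard should be `if review.AdmissionRequest.OldObject.Raw == nil && review.AdmissionRequest.OldObject.Object == nil`. The function also overwrites `Object` on the caller's review rather than on a copy, which is now an implicit side effect of `handleReview` (whose start lies outside the hunk) and deserves a sentence in the doc comment, e.g. `// The review is modified in place: on DELETE, Object is replaced by OldObject so constraints evaluate the object being removed.` Separately, the exported `ErrOldObjectIsNil` in the first hunk carries a `nolint: revive` where a doc comment would satisfy the linter without suppression: `// ErrOldObjectIsNil is returned for DELETE admission requests that carry no oldObject (API servers before v1.15).`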
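--- a/pkg/target/target_test.go
+++ b/pkg/target/target_test.go
@@ -3,6 +3,7 @@ package target
 import (
 "encoding/json"
 "errors"
+"reflect"
 "sync"
 "testing"
 
@@ -1149,3 +1150,69 @@ func newNsCache() *nsCache {
 cache: make(map[string]*corev1.Namespace),
 }
 }
+
+func TestHandleReviewForDelete(t *testing.T) {
+testCases := []struct {
+name string
+req interface{}
+checkEquality bool
+wantErr error
+}{
+{
+name: "request not on delete",
+req: admissionv1.AdmissionRequest{
+Operation: "CREATE",
+Object: runtime.RawExtension{Raw: matchedRawData()},
+},
+checkEquality: false,
+wantErr: nil,
+},
+{
+name: "err on request and nil object",
+req: admissionv1.AdmissionRequest{
+Operation: "DELETE",
+},
+wantErr: ErrOldObjectIsNil,
+},
+{
+name: "handle ok oldObject not nil",
+req: admissionv1.AdmissionRequest{
+Operation: "DELETE",
+OldObject: runtime.RawExtension{
+Raw: []byte{'a', 'b', 'c'},
+},
+},
+checkEquality: true,
+wantErr: nil,
+},
+}
+
+for _, tc := range testCases {
+tc := tc
+
+t.Run(tc.name, func(t *testing.T) {
+t.Parallel()
+target := &K8sValidationTarget{}
+
+_, review, err := target.HandleReview(tc.req)
+
+if tc.wantErr != nil {
+if !errors.Is(tc.wantErr, err) {
+t.Fatalf("error did not match what was expected\n want: %v \n got: %v \n", tc.wantErr, err)
+}
+}
+
+gkr, ok := review.(*gkReview)
+if !ok {
+t.Fatalf("test %v: HandleReview failed to return gkReview object", tc.name)
+}
+
+if tc.checkEquality {
+// open box: make sure that the OldObject field has been copied into the Object field
+if !reflect.DeepEqual(gkr.AdmissionRequest.OldObject, gkr.AdmissionRequest.Object) {
+t.Fatal("oldObject and object need to match")
+}
+}
+})
+}
+}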
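Review bot: The error check in the subtest has its `errors.Is` arguments reversed — `errors.Is(tc.wantErr, err)` asks whether the sentinel's chain contains the returned error, which only holds while `setObjectOnDelete` returns `ErrOldObjectIsNil` unwrapped; the moment anyone wraps it with `%w` this test reports a mismatch for correct code. The error case also does not return after the check, so it falls through to the `review.(*gkReview)` assertion with whatever `HandleReview` (outside the hunk) returns on failure, and the success cases never verify that `err` is nil, so an unexpected error on the CREATE path is silently ignored. The block below fixes all three; the table, `t.Parallel()` setup and the equality check are unchanged.

```go
_, review, err := target.HandleReview(tc.req)
if tc.wantErr != nil {
	if !errors.Is(err, tc.wantErr) {
		t.Fatalf("error did not match what was expected\n want: %v \n got: %v \n", tc.wantErr, err)
	}
	return // error path verified; there is no review to inspect
}
if err != nil {
	t.Fatalf("unexpected error from HandleReview: %v", err)
}
// … unchanged: gkReview type assertion and OldObject/Object equality check …
```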
33 changes: 0 additions & 33 deletions pkg/util/request_validation.go

This file was deleted.

63 changes: 0 additions & 63 deletions pkg/util/request_validation_test.go

This file was deleted.

