From 47b8f44e18f87d5b58a2c342cbca0e928c5730ee Mon Sep 17 00:00:00 2001
From: Craig Trought
Date: Tue, 25 Oct 2022 20:30:55 -0400
Subject: [PATCH] fix: emit events in involved object namespace
Signed-off-by: Craig Trought
---
 cmd/build/helmify/static/README.md | 4 ++--
 pkg/audit/manager.go | 8 ++++----
 pkg/controller/config/config_controller.go | 1 +
 pkg/webhook/common.go | 2 +-
 pkg/webhook/policy.go | 5 ++---
 website/docs/customize-startup.md | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 26b03b12a5c..30172d0957f 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -141,8 +141,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
 | mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
 | mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
-| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
-| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
+| emitAdmissionEvents | Emit K8s events in the involved namespace for admission violations (alpha feature) | `false` |
+| emitAuditEvents | Emit K8s events in the involved namespace for audit violations (alpha feature) | `false` |
 | logDenies | Log detailed info on each deny | `false` |
 | logLevel | Minimum log level | `INFO` |
 | image.pullPolicy | The image pull policy | `IfNotPresent` |
diff --git a/pkg/audit/manager.go b/pkg/audit/manager.go
index 3062c067870..f3bd7cea8d0 100644
--- a/pkg/audit/manager.go
+++ b/pkg/audit/manager.go
@@ -57,7 +57,7 @@ var (
 constraintViolationsLimit = flag.Uint("constraint-violations-limit", defaultConstraintViolationsLimit, "limit of number of violations per constraint. defaulted to 20 violations if unspecified")
 auditChunkSize = flag.Uint64("audit-chunk-size", defaultListLimit, "(alpha) Kubernetes API chunking List results when retrieving cluster resources using discovery client. defaulted to 500 if unspecified")
 auditFromCache = flag.Bool("audit-from-cache", false, "pull resources from OPA cache when auditing")
- emitAuditEvents = flag.Bool("emit-audit-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace with detailed info for each violation from an audit")
+ emitAuditEvents = flag.Bool("emit-audit-events", false, "(alpha) emit Kubernetes events in the involved namespace with detailed info for each violation from an audit")
 auditMatchKindOnly = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
 apiCacheDir = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
 emptyAuditResults []updateListEntry
@@ -1053,17 +1053,17 @@ func emitEvent(constraint *unstructured.Unstructured,
 logging.ResourceName: rname,
 }
 reason := "AuditViolation"
- ref := getViolationRef(gkNamespace, resourceGroupVersionKind.Kind, rname, rnamespace, constraint.GetKind(), constraint.GetName(), constraint.GetNamespace())
+ ref := getViolationRef(resourceGroupVersionKind.Kind, rname, rnamespace, constraint.GetKind(), constraint.GetName(), constraint.GetNamespace())
 eventRecorder.AnnotatedEventf(ref, annotations, corev1.EventTypeWarning, reason, "Timestamp: %s, Resource Namespace: %s, Constraint: %s, Message: %s", timestamp, rnamespace, constraint.GetName(), message)
 }
-func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
+func getViolationRef(rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
 return &corev1.ObjectReference{
 Kind: rkind,
 Name: rname,
 UID: types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + ckind + "/" + cnamespace + "/" + cname),
- Namespace: gkNamespace,
+ Namespace: rnamespace,
 }
 }
diff --git a/pkg/controller/config/config_controller.go b/pkg/controller/config/config_controller.go
index 81baf0c6876..b896a93dcb0 100644
--- a/pkg/controller/config/config_controller.go
+++ b/pkg/controller/config/config_controller.go
@@ -193,6 +193,7 @@ type ReconcileConfig struct {
 // +kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,resourceNames=gatekeeper-admin,verbs=use
 // +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=config.gatekeeper.sh,resources=configs/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;
 // Reconcile reads that state of the cluster for a Config object and makes changes based on the state read
 // and what is in the Config.Spec
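Review bot: `Namespace: rnamespace` in the rewritten getViolationRef is empty for cluster-scoped resources (Namespace, ClusterRole, CRDs and the like), and client-go's event recorder appears to substitute the `default` namespace for an empty involvedObject namespace, so those audit events silently move from the Gatekeeper namespace to `default`. If that is the intended behaviour, say so on the field, e.g. `// Empty for cluster-scoped resources; the recorder then files the event in the default namespace.`; if not, fall back to the Gatekeeper namespace when rnamespace is empty. Because the event body carries the constraint name and the violation message, namespace users with read access to events now see audit findings for their own objects, which is worth a sentence in the flag help text. The same applies to the identical getViolationRef in pkg/webhook/policy.go (hunk @@ -613). emitEvent's signature starts outside this hunk; if gkNamespace is no longer read there after this change it is now a dead parameter.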
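Review bot: The added marker `// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch;` carries a trailing semicolon that none of the neighbouring markers have; confirm controller-gen does not emit an empty verb from it, and drop it for consistency: `// +kubebuilder:rbac:groups="",resources=events,verbs=create;patch`. Because events are now written into whichever namespace the involved object lives in, this rule presumably has to land in a cluster-wide role rather than one bound only to the Gatekeeper namespace, which is worth stating next to the marker. A one-line comment naming the audit manager and the admission webhook as the writers would also explain why an events grant sits in the config controller file.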
diff --git a/pkg/webhook/common.go b/pkg/webhook/common.go
index dc4d88c3652..2a3a4d6bae9 100644
--- a/pkg/webhook/common.go
+++ b/pkg/webhook/common.go
@@ -56,7 +56,7 @@ var (
 deserializer = codecs.UniversalDeserializer()
 disableEnforcementActionValidation = flag.Bool("disable-enforcementaction-validation", false, "disable validation of the enforcementAction field of a constraint")
 logDenies = flag.Bool("log-denies", false, "log detailed info on each deny")
- emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in gatekeeper namespace for each admission violation")
+ emitAdmissionEvents = flag.Bool("emit-admission-events", false, "(alpha) emit Kubernetes events in the involved namespace for each admission violation")
 tlsMinVersion = flag.String("tls-min-version", "1.3", "minimum version of TLS supported")
 serviceaccount = fmt.Sprintf("system:serviceaccount:%s:%s", util.GetNamespace(), serviceAccountName)
 // webhookName is deprecated, set this on the manifest YAML if needed".
diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go
index 898c7e94061..43de822dae8 100644
--- a/pkg/webhook/policy.go
+++ b/pkg/webhook/policy.go
@@ -299,7 +299,6 @@ func (h *validationHandler) getValidationMessages(res []*rtypes.Result, req *adm
 reason = "FailedAdmission"
 }
 ref := getViolationRef(
- h.gkNamespace,
 req.AdmissionRequest.Kind.Kind,
 resourceName,
 req.AdmissionRequest.Namespace,
@@ -613,12 +612,12 @@ func createReviewForResultant(obj *unstructured.Unstructured, ns *corev1.Namespa
 }
 }
-func getViolationRef(gkNamespace, rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
+func getViolationRef(rkind, rname, rnamespace, ckind, cname, cnamespace string) *corev1.ObjectReference {
 return &corev1.ObjectReference{
 Kind: rkind,
 Name: rname,
 UID: types.UID(rkind + "/" + rnamespace + "/" + rname + "/" + ckind + "/" + cnamespace + "/" + cname),
- Namespace: gkNamespace,
+ Namespace: rnamespace,
 }
 }
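Review bot: getViolationRef here is byte-for-byte the same as the one rewritten in pkg/audit/manager.go, and this commit had to patch both copies in step; moving it into a shared package would keep the two from drifting the next time the reference format changes. With `h.gkNamespace,` dropped from the call in getValidationMessages (hunk @@ -299), check whether the gkNamespace field on validationHandler still has any reader; if not, the field and the code that populates it are dead and should go in the same change. The enclosing type and getValidationMessages both start outside these hunks.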
diff --git a/website/docs/customize-startup.md b/website/docs/customize-startup.md
index 9fe4fad10b9..67c84d9d532 100644
--- a/website/docs/customize-startup.md
+++ b/website/docs/customize-startup.md
@@ -23,9 +23,9 @@ The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](htt
 ## [Alpha] Emit admission and audit events
-The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.
+The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the involved objects namespace. This flag is in alpha stage and it is set to `false` by default.
-The `--emit-audit-events` flag enables the emission of all audit violation as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.
+The `--emit-audit-events` flag enables the emission of all audit violation as Kubernetes events in the involved objects namespace. This flag is in alpha stage and it is set to `false` by default.
 There are three types of events that are emitted by Gatekeeper when the above flags are enabled: