feat: add support for emit k8s events for allowed requests
Signed-off-by: DorB-P <[email protected]>
DorB-P committed Jul 3, 2024
1 parent d730132 commit 719574a
Showing 11 changed files with 80 additions and 31 deletions.
15 changes: 10 additions & 5 deletions Makefile
@@ -63,7 +63,8 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n args:\
\n - --port=8443\
\n - --logtostderr\
\n - --emit-admission-events\
\n - --emit-allow-admission-events\
\n - --emit-deny-admission-events\
\n - --admission-events-involved-namespace\
\n - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
\n - --operation=webhook\
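Review bot: Replacing `--emit-admission-events` with `--emit-deny-admission-events` in the MANAGER_IMAGE_PATCH args, with no alias kept, is a breaking change for anyone who templates their own manager args from this patch; keep the old flag as a deprecated alias that maps to the deny flag for at least one release and call the rename out in the release notes. Separately, enabling `--emit-allow-admission-events` in the e2e deployment produces one Event per admitted request, so the suite will generate many more Event objects in the Gatekeeper namespace; that is fine for exercising the new path, but a short comment here would stop someone copying this patch into a production overlay unchanged.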
@@ -205,8 +206,9 @@ ifeq ($(ENABLE_PUBSUB),true)
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAllowAdmissionEvents=true \
--set emitAuditEvents=true \
--set emitDenyAdmissionEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
@@ -230,8 +232,9 @@ else
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAllowAdmissionEvents=true \
--set emitAuditEvents=true \
--set emitDenyAdmissionEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
@@ -247,8 +250,9 @@ e2e-helm-upgrade-init: e2e-helm-install
./.staging/helm/linux-amd64/helm install gatekeeper gatekeeper/gatekeeper --version ${BASE_RELEASE} \
--namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
--debug --wait \
--set emitAdmissionEvents=true \
--set emitAllowAdmissionEvents=true \
--set emitAuditEvents=true \
--set emitDenyAdmissionEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set postInstall.labelNamespace.enabled=true \
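Review bot: This target installs the chart at `--version ${BASE_RELEASE}`, which predates the rename, so `--set emitAllowAdmissionEvents=true` and `--set emitDenyAdmissionEvents=true` are accepted by Helm (unknown values do not fail a render) but never read by that chart's templates, and dropping `--set emitAdmissionEvents=true` means the pre-upgrade install now runs with admission events off. If the upgrade test is meant to start from a release that has admission events enabled, keep `--set emitAdmissionEvents=true` here (the base chart's key) alongside the new keys, and remove it once BASE_RELEASE moves past the rename.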
@@ -271,8 +275,9 @@ e2e-helm-upgrade:
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAllowAdmissionEvents=true \
--set emitAuditEvents=true \
--set emitDenyAdmissionEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
3 changes: 2 additions & 1 deletion cmd/build/helmify/kustomize-for-helm.yaml
@@ -78,7 +78,8 @@ spec:
- --prometheus-port=HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_METRICS_PORT
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --emit-allow-admission-events={{ .Values.emitAllowAdmissionEvents }}
- --emit-deny-admission-events={{ .Values.emitDenyAdmissionEvents }}
- --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
- --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
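Review bot: Dropping `- --emit-admission-events={{ .Values.emitAdmissionEvents }}` with no fallback means a user who upgrades with `emitAdmissionEvents: true` still in their values file silently loses deny events, because Helm ignores keys the templates no longer reference rather than failing. Either carry the old key forward for a release, e.g. `- --emit-deny-admission-events={{ or .Values.emitDenyAdmissionEvents .Values.emitAdmissionEvents false }}` (the trailing `false` keeps the rendered value a literal boolean when neither key is set), or add a template guard that fails the render when `.Values.emitAdmissionEvents` is present, and document the rename in the chart README and changelog.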
7 changes: 4 additions & 3 deletions cmd/build/helmify/static/README.md
@@ -163,10 +163,11 @@ information._
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAllowAdmissionEvents | Emit K8s events in configurable namespace for allowed admission requests (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| emitDenyAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
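Review bot: The two new rows land in different places in the table (`emitAllowAdmissionEvents` before `emitAuditEvents`, `emitDenyAdmissionEvents` after `vapEnforcement`), which separates a pair of settings that should be read together; move `emitDenyAdmissionEvents` directly under `emitAllowAdmissionEvents`. The `admissionEventsInvolvedNamespace` row still says "Emit admission events for each violation", but with allow events enabled it now also decides where allow events are written; reword it to "for each admission event (allowed or denied)". The allow row should also say that it produces one Event per admitted request, and the table (or a note above it) should record that `emitAdmissionEvents` was renamed to `emitDenyAdmissionEvents`, since the removed row is the only trace of the old key.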
3 changes: 2 additions & 1 deletion cmd/build/helmify/static/values.yaml
@@ -38,8 +38,9 @@ auditChunkSize: 500
logLevel: INFO
logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAllowAdmissionEvents: false
emitAuditEvents: false
emitDenyAdmissionEvents: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
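Review bot: Same ordering point as the README: `emitDenyAdmissionEvents: false` should sit next to `emitAllowAdmissionEvents: false` rather than on the far side of `emitAuditEvents`, and since this is the file most chart users copy from, a commented line noting that `emitAdmissionEvents` was renamed would catch stale overrides earlier than a silent Helm render.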
7 changes: 4 additions & 3 deletions manifest_staging/charts/gatekeeper/README.md
@@ -163,10 +163,11 @@ information._
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAllowAdmissionEvents | Emit K8s events in configurable namespace for allowed admission requests (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| emitDenyAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
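Review bot: This hunk is byte-for-byte the same as the cmd/build/helmify/static/README.md change and inherits the same issues (split rows, stale "for each violation" wording on `admissionEventsInvolvedNamespace`, no mention of the rename); fix them in the helmify source and regenerate manifest_staging rather than editing both, so the two copies do not drift.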
@@ -57,7 +57,8 @@ spec:
- --prometheus-port={{ .Values.controllerManager.metricsPort }}
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --emit-allow-admission-events={{ .Values.emitAllowAdmissionEvents }}
- --emit-deny-admission-events={{ .Values.emitDenyAdmissionEvents }}
- --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
- --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
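Review bot: No fallback from `emitAdmissionEvents` here either, so existing installs that set it lose deny events on upgrade; this is the generated copy of the kustomize-for-helm.yaml change (the file header for this hunk is not rendered on the page), so apply whatever compatibility shim is chosen there and regenerate. The Go-side definitions of `--emit-allow-admission-events` and `--emit-deny-admission-events` are among the 11 changed files but are not shown on this page; confirm that the old `--emit-admission-events` flag is either kept as a deprecated alias or rejected with a clear error, not silently ignored.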
3 changes: 2 additions & 1 deletion manifest_staging/charts/gatekeeper/values.yaml
@@ -38,8 +38,9 @@ auditChunkSize: 500
logLevel: INFO
logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAllowAdmissionEvents: false
emitAuditEvents: false
emitDenyAdmissionEvents: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
0 comments on commit 719574a