Skip to content

Commit

Permalink
feat: optional flags to emit events in involved object namespace
Browse files Browse the repository at this point in the history
Signed-off-by: Craig Trought <[email protected]>
  • Loading branch information
ctrought committed Jan 22, 2023
1 parent ac8612d commit 92d70a0
Show file tree
Hide file tree
Showing 17 changed files with 138 additions and 75 deletions.
8 changes: 8 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --port=8443\
\n - --logtostderr\
\n - --emit-admission-events\
\n - --admission-events-involved-namespace\
\n - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
\n - --operation=webhook\
\n - --operation=mutation-webhook\
Expand All @@ -87,6 +88,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n name: manager\
\n args:\
\n - --emit-audit-events\
\n - --audit-events-involved-namespace\
\n - --operation=audit\
\n - --operation=status\
\n - --operation=mutation-status\
Expand Down Expand Up @@ -190,6 +192,8 @@ e2e-helm-deploy: e2e-helm-install
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set mutationAnnotations=true;\
Expand All @@ -201,6 +205,8 @@ e2e-helm-upgrade-init: e2e-helm-install
--debug --wait \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set disabledBuiltins={http.send} \
Expand All @@ -222,6 +228,8 @@ e2e-helm-upgrade:
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set mutationAnnotations=true;\
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,7 @@ spec:
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
- --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
- --operation=webhook
Expand Down Expand Up @@ -156,6 +157,7 @@ spec:
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
- HELMSUBST_MUTATION_STATUS_ENABLED_ARG
Expand Down
6 changes: 4 additions & 2 deletions cmd/build/helmify/static/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -143,8 +143,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAuditEvents: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
postUpgrade:
labelNamespace:
Expand Down
7 changes: 7 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,13 @@ metadata:
creationTimestamp: null
name: manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- '*'
resources:
Expand Down
6 changes: 4 additions & 2 deletions manifest_staging/charts/gatekeeper/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -143,8 +143,10 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| emitAdmissionEvents | Emit K8s events in gatekeeper namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in gatekeeper namespace for audit violations (alpha feature) | `false` |
| emitAdmissionEvents | Emit K8s events in the involved namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in the involved namespace for audit violations (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ spec:
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ spec:
- --logtostderr
- --log-denies={{ .Values.logDenies }}
- --emit-admission-events={{ .Values.emitAdmissionEvents }}
- --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
- --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
- --exempt-namespace={{ .Release.Namespace }}
- --operation=webhook
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,13 @@ metadata:
release: '{{ .Release.Name }}'
name: gatekeeper-manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- '*'
resources:
Expand Down
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAuditEvents: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
postUpgrade:
labelNamespace:
Expand Down
7 changes: 7 additions & 0 deletions manifest_staging/deploy/gatekeeper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2930,6 +2930,13 @@ metadata:
gatekeeper.sh/system: "yes"
name: gatekeeper-manager-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- '*'
resources:
Expand Down
Loading

0 comments on commit 92d70a0

Please sign in to comment.