Skip to content

Commit

Permalink
feat: enable vap in helm (#3329)
Browse files Browse the repository at this point in the history
Signed-off-by: Rita Zhang <[email protected]>
  • Loading branch information
ritazh authored Mar 26, 2024
1 parent 2454be6 commit c3c3c20
Show file tree
Hide file tree
Showing 9 changed files with 21 additions and 4 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/workflow.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -245,7 +245,8 @@ jobs:
LOG_LEVEL=DEBUG
make test-e2e \
GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} \
ENABLE_VAP_TESTS=1
- name: Save logs
if: ${{ always() }}
Expand Down Expand Up @@ -289,7 +290,7 @@ jobs:
make e2e-bootstrap
- name: Run e2e
run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release
run: |
make docker-buildx \
IMG=gatekeeper-e2e:latest
Expand Down
6 changes: 5 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,8 @@ else
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set vapEnforcement=GATEKEEPER_DEFAULT \
--set mutationAnnotations=true
endif

Expand Down Expand Up @@ -288,6 +290,8 @@ e2e-helm-upgrade:
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set vapEnforcement=GATEKEEPER_DEFAULT \
--set mutationAnnotations=true;\

e2e-subscriber-build-load-image:
Expand Down Expand Up @@ -344,7 +348,7 @@ manifests: __controller-gen
output:crd:artifacts:config=config/crd/bases
./build/update-match-schema.sh
rm -rf manifest_staging
mkdir -p manifest_staging/deploy/experimental
mkdir -p manifest_staging/deploy
mkdir -p manifest_staging/charts/gatekeeper
docker run --rm -v $(shell pwd):/gatekeeper \
registry.k8s.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,8 @@ spec:
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --vap-enforcement={{ .Values.vapEnforcement }}
- HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
- HELMSUBST_METRICS_BACKEND_ARG
- HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,8 @@ information._
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/static/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: false
vapEnforcement: GATEKEEPER_DEFAULT
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
Expand Down
2 changes: 1 addition & 1 deletion main.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ var (
certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service")
enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
disabledBuiltins = util.NewFlagSet()
enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "PROTOTYPE (not stable): enable the validating admission policy driver")
enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver")
externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
)

Expand Down
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -163,6 +163,8 @@ information._
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,8 @@ spec:
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --vap-enforcement={{ .Values.vapEnforcement }}
{{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }}

{{- range .Values.metricsBackends}}
Expand Down
2 changes: 2 additions & 0 deletions manifest_staging/charts/gatekeeper/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: false
vapEnforcement: GATEKEEPER_DEFAULT
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
Expand Down

0 comments on commit c3c3c20

Please sign in to comment.