open-policy-agent · anlandu · Oct 29, 2024 · Sep 19, 2023 · Oct 21, 2023 · Oct 21, 2023
@@ -4,6 +4,7 @@ import (
 	"os"
 
 	"github.com/open-policy-agent/gatekeeper/v3/cmd/gator/expand"
+	"github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync"
 	"github.com/open-policy-agent/gatekeeper/v3/cmd/gator/test"
 	"github.com/open-policy-agent/gatekeeper/v3/cmd/gator/verify"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/version"
@@ -15,6 +16,7 @@ var commands = []*cobra.Command{
 	verify.Cmd,
 	test.Cmd,
 	expand.Cmd,
+	sync.Cmd,
 	k8sVersion.WithFont("alligator2"),
 }
 

@@ -0,0 +1,28 @@
+/*
+Copyright © 2023 NAME HERE <EMAIL ADDRESS>
+*/
+package sync
+
+import (
+	"fmt"
+
+	syncverify "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync/verify"
+	"github.com/spf13/cobra"
+)
+
+var commands = []*cobra.Command{
+	syncverify.Cmd,
+}
+
+// Cmd represents the sync command.
+var Cmd = &cobra.Command{
+	Use:   "sync",
+	Short: "Manage SyncSets and Config",
+	Run: func(cmd *cobra.Command, args []string) {
+		fmt.Println("Usage: gator sync create or gator sync verify")
+	},
+}
+
+func init() {
+	Cmd.AddCommand(commands...)
+}
diff --git a/cmd/gator/sync/verify/verify.go b/cmd/gator/sync/verify/verify.go
@@ -0,0 +1,66 @@
+package verify
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+
+	cmdutils "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/sync/verify"
+	"github.com/spf13/cobra"
+)
+
+// Cmd represents the verify command.
+var Cmd = &cobra.Command{
+	Use:   "verify",
+	Short: "Verify that the provided SyncSet(s) and/or Config contain the GVKs required by the input templates.",
+	Run:   run,
+}
+
+var (
+	flagFilenames        []string
+	flagImages           []string
+	flagDiscoveryResults string
+)
+
+const (
+	flagNameFilename         = "filename"
+	flagNameImage            = "image"
+	flagNameDiscoveryResults = "discovery-results"
+)
+
+func init() {
+	Cmd.Flags().StringArrayVarP(&flagFilenames, flagNameFilename, "f", []string{}, "a file or directory containing Kubernetes resources.  Can be specified multiple times.")
+	Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
+	Cmd.Flags().StringVarP(&flagDiscoveryResults, flagDiscoveryResults, "d", "", "a json string listing the GVKs supported by the cluster as a nested array of groups, containing supported versions, containing supported kinds.")
+}
+
+func run(cmd *cobra.Command, args []string) {
+	unstrucs, err := reader.ReadSources(flagFilenames, flagImages, "")
+	if err != nil {
+		cmdutils.ErrFatalf("reading: %v", err)
+	}
+	if len(unstrucs) == 0 {
+		cmdutils.ErrFatalf("no input data identified")
+	}
+
+	missingRequirements, err := verify.Verify(unstrucs, flagDiscoveryResults)
+	if err != nil {
+		cmdutils.ErrFatalf("verifying: %v", err)
+	}
+
+	if len(missingRequirements) > 0 {
+		cmdutils.ErrFatalf("The following requirements were not met: \n%v", resultsToString(missingRequirements))
+	}
+
+	os.Exit(0)
+}
+
+func resultsToString(results map[string][]int) string {
+	var buf bytes.Buffer
+	for template, reqs := range results {
+		buf.WriteString(fmt.Sprintf("%s: %v\n", template, reqs))
+	}
+	return buf.String()
+}
@@ -9,10 +9,20 @@ var (
 	// ErrNotAConstraint indicates the user-indicated file does not contain a
 	// Constraint.
 	ErrNotAConstraint = errors.New("not a Constraint")
+	// ErrNotAConfig indicates the user-indicated file does not contain a
+	// Config.
+	ErrNotAConfig = errors.New("not a Config")
+	// ErrNotASyncSet indicates the user-indicated file does not contain a
+	// SyncSet.
+	ErrNotASyncSet = errors.New("not a SyncSet")
 	// ErrAddingTemplate indicates a problem instantiating a Suite's ConstraintTemplate.
 	ErrAddingTemplate = errors.New("adding template")
 	// ErrAddingConstraint indicates a problem instantiating a Suite's Constraint.
 	ErrAddingConstraint = errors.New("adding constraint")
+	// ErrAddingSyncSet indicates a problem instantiating a Suite's SyncSet.
+	ErrAddingSyncSet = errors.New("adding syncset")
+	// ErrAddingConfig indicates a problem instantiating a Suite's Config.
+	ErrAddingConfig = errors.New("adding config")
 	// ErrInvalidSuite indicates a Suite does not define the required fields.
 	ErrInvalidSuite = errors.New("invalid Suite")
 	// ErrCreatingClient indicates an error instantiating the Client which compiles

@@ -326,6 +326,16 @@ metadata:
   name: k8suniqueserviceselector
   annotations:
     description: Requires Services to have unique selectors within a namespace.
+    metadata.gatekeeper.sh/requires-sync-data: |
+      "[
+        [
+          {
+            "groups": [""],
+            "versions": ["v1"],
+            "kinds": ["Service"]
+          }
+        ]
+      ]"
 spec:
   crd:
     spec:
@@ -368,6 +378,118 @@ spec:
         }
 `
 
+	TemplateReferentialMultEquivSets = `
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8suniqueingresshost
+  annotations:
+    metadata.gatekeeper.sh/title: "Unique Ingress Host"
+    metadata.gatekeeper.sh/version: 1.0.3
+    metadata.gatekeeper.sh/requires-sync-data: |
+      "[
+        [
+          {
+            "groups": ["extensions"],
+            "versions": ["v1beta1"],
+            "kinds": ["Ingress"]
+          },
+          {
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
+          }
+        ]
+      ]"
+    description: >-
+      Requires all Ingress rule hosts to be unique.
+
+      Does not handle hostname wildcards:
+      https://kubernetes.io/docs/concepts/services-networking/ingress/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sUniqueIngressHost
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8suniqueingresshost
+
+        identical(obj, review) {
+          obj.metadata.namespace == review.object.metadata.namespace
+          obj.metadata.name == review.object.metadata.name
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
+          host := input.review.object.spec.rules[_].host
+          other := data.inventory.namespace[_][otherapiversion]["Ingress"][name]
+          re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
+          other.spec.rules[_].host == host
+          not identical(other, input.review)
+          msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
+        }
+`
+
+	TemplateReferentialMultReqs = `
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8suniqueingresshostmultireq
+  annotations:
+    metadata.gatekeeper.sh/title: "Unique Ingress Host"
+    metadata.gatekeeper.sh/version: 1.0.3
+    metadata.gatekeeper.sh/requires-sync-data: |
+      "[
+        [
+          {
+            "groups": ["extensions"],
+            "versions": ["v1beta1"],
+            "kinds": ["Ingress"]
+          }
+        ],
+        [
+          {
+            "groups": ["networking.k8s.io"],
+            "versions": ["v1beta1", "v1"],
+            "kinds": ["Ingress"]
+          }
+        ]
+      ]"
+    description: >-
+      Requires all Ingress rule hosts to be unique.
+
+      Does not handle hostname wildcards:
+      https://kubernetes.io/docs/concepts/services-networking/ingress/
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sUniqueIngressHost
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8suniqueingresshost
+
+        identical(obj, review) {
+          obj.metadata.namespace == review.object.metadata.namespace
+          obj.metadata.name == review.object.metadata.name
+        }
+
+        violation[{"msg": msg}] {
+          input.review.kind.kind == "Ingress"
+          re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
+          host := input.review.object.spec.rules[_].host
+          other := data.inventory.namespace[_][otherapiversion]["Ingress"][name]
+          re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
+          other.spec.rules[_].host == host
+          not identical(other, input.review)
+          msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
+        }
+`
+
 	ConstraintReferential = `
 apiVersion: constraints.gatekeeper.sh/v1beta1
 kind: K8sUniqueServiceSelector
@@ -581,5 +703,36 @@ spec:
     kinds:
       - apiGroups: ["*"]
         kinds: ["*"]
+`
+	SyncSet = `
+apiVersion: syncset.gatekeeper.sh/v1alpha1
+kind: SyncSet
+metadata:
+  name: syncset
+  namespace: "gatekeeper-system"
+spec:
+  gvks:
+    - group: "extensions"
+      version: "v1beta1"
+      kind: "Ingress"
+    - group: "apps"
+      version: "v1"
+      kind: "Deployment"
+`
+	Config = `
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+  name: config
+  namespace: "gatekeeper-system"
+spec:
+  sync:
+    syncOnly:
+      - group: ""
+        version: "v1"
+        kind: "Service"
+      - group: "apps"
+        version: "v1"
+        kind: "Deployment"
 `
 )