Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: adding enforcement point status, vapgeneratestatus #3686

Merged
merged 19 commits into from
Nov 21, 2024
Merged

chore: adding enforcement point status, vapgeneratestatus #3686

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
a492dcd
adding enforcement point status, vapgeneratestatus
JaydipGabani Nov 8, 2024
c72db95
removing not needed file
JaydipGabani Nov 8, 2024
8c27363
fixing unit tests
JaydipGabani Nov 9, 2024
ceedd2d
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 12, 2024
d65d3c3
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 13, 2024
8183975
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 13, 2024
0e40ed2
fixing unit test
JaydipGabani Nov 14, 2024
0238c73
adding observegeneration for enforcement point status
JaydipGabani Nov 14, 2024
a4f17a3
renaming code -> state field
JaydipGabani Nov 15, 2024
d67ef29
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 15, 2024
ae48233
adding observed generation and not wiping CT VAPgeneration status
JaydipGabani Nov 16, 2024
8ef8278
updating vap status on delete, fixing tests
JaydipGabani Nov 16, 2024
b25ca53
fixing test
JaydipGabani Nov 18, 2024
a935efd
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 18, 2024
c33b601
remobing delete status for vap EP
JaydipGabani Nov 19, 2024
5dff00d
removing unused constant
JaydipGabani Nov 19, 2024
1afa5ac
updating shouldgeneratevap
JaydipGabani Nov 20, 2024
9727998
Merge branch 'master' into enforcementPointStatus
JaydipGabani Nov 20, 2024
45a53f7
removing deletedVAPState constraint
JaydipGabani Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 13 additions & 5 deletions apis/status/v1beta1/constraintpodstatus_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,11 +39,12 @@ type ConstraintPodStatusStatus struct {
// Storing the constraint UID allows us to detect drift, such as
// when a constraint has been recreated after its CRD was deleted
// out from under it, interrupting the watch
ConstraintUID types.UID `json:"constraintUID,omitempty"`
Operations []string `json:"operations,omitempty"`
Enforced bool `json:"enforced,omitempty"`
Errors []Error `json:"errors,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
ConstraintUID types.UID `json:"constraintUID,omitempty"`
Operations []string `json:"operations,omitempty"`
Enforced bool `json:"enforced,omitempty"`
Errors []Error `json:"errors,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
EnforcementPointsStatus []EnforcementPointStatus `json:"enforcementPointsStatus,omitempty"`
}

// Error represents a single error caught while adding a constraint to engine.
Expand All @@ -53,6 +54,13 @@ type Error struct {
Location string `json:"location,omitempty"`
}

// EnforcementPointStatus represents the status of a single enforcement point.
type EnforcementPointStatus struct {
EnforcementPoint string `json:"enforcementPoint"`
Enforced bool `json:"enforced"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it was a mistake to have an enforced boolean state with constraints. And with VAP, we cannot make guarantees as to whether they are enforced b/c there is no status reporting, so we cannot know if the VAP object has been ingested or whether there are any errors. Maybe we want something like a string field called Status?

There we can put a string like "GENERATED", "ERROR", etc.

Of course, if we call it "status", we should rename the parent field to avoid stutter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how about code - generated/error/...?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"code" seems a bit ambiguous given we are also dealing with "code" in the sense of CEL code.

"state"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like state, updated the name to state.

Message string `json:"message,omitempty"`
}

// +kubebuilder:object:root=true
// +kubebuilder:resource:scope=Namespaced

Expand Down
17 changes: 12 additions & 5 deletions apis/status/v1beta1/constrainttemplatepodstatus_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,18 @@ import (
// ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus.
type ConstraintTemplatePodStatusStatus struct {
// Important: Run "make" to regenerate code after modifying this file
ID string `json:"id,omitempty"`
TemplateUID types.UID `json:"templateUID,omitempty"`
Operations []string `json:"operations,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"`
ID string `json:"id,omitempty"`
TemplateUID types.UID `json:"templateUID,omitempty"`
Operations []string `json:"operations,omitempty"`
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
Errors []*templatesv1beta1.CreateCRDError `json:"errors,omitempty"`
VAPGenerationStatus VAPGenerationStatus `json:"vapGenerationStatus,omitempty"`
Copy link
Contributor Author

@JaydipGabani JaydipGabani Nov 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can remove this if we do not want status on CT for generation updates. Lmk your thoughts.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to report status for CT objects... they do map directly to a VAP object.

}

// VAPGenerationStatus represents the status of VAP generation.
type VAPGenerationStatus struct {
Generated bool `json:"generated,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment about bool field vs. string field.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to string field.

Warning string `json:"warning,omitempty"`
}

// +kubebuilder:object:root=true
Expand Down
36 changes: 36 additions & 0 deletions apis/status/v1beta1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

16 changes: 16 additions & 0 deletions config/crd/bases/status.gatekeeper.sh_constraintpodstatuses.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,22 @@ spec:
type: string
enforced:
type: boolean
enforcementPointsStatus:
items:
description: EnforcementPointStatus represents the status of a single
enforcement point.
properties:
enforced:
type: boolean
enforcementPoint:
type: string
message:
type: string
required:
- enforced
- enforcementPoint
type: object
type: array
errors:
items:
description: Error represents a single error caught while adding
Expand Down
8 changes: 8 additions & 0 deletions config/crd/bases/status.gatekeeper.sh_constrainttemplatepodstatuses.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,14 @@ spec:
don't ONLY use UUIDs, this is an alias to string. Being a type captures
intent and helps make sure that UIDs and names do not get conflated.
type: string
vapGenerationStatus:
description: VAPGenerationStatus represents the status of VAP generation.
properties:
generated:
type: boolean
warning:
type: string
type: object
type: object
type: object
served: true
Expand Down
15 changes: 15 additions & 0 deletions manifest_staging/charts/gatekeeper/crds/constraintpodstatus-customresourcedefinition.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,21 @@ spec:
type: string
enforced:
type: boolean
enforcementPointsStatus:
items:
description: EnforcementPointStatus represents the status of a single enforcement point.
properties:
enforced:
type: boolean
enforcementPoint:
type: string
message:
type: string
required:
- enforced
- enforcementPoint
type: object
type: array
errors:
items:
description: Error represents a single error caught while adding a constraint to engine.
Expand Down
8 changes: 8 additions & 0 deletions ..._staging/charts/gatekeeper/crds/constrainttemplatepodstatus-customresourcedefinition.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,14 @@ spec:
don't ONLY use UUIDs, this is an alias to string. Being a type captures
intent and helps make sure that UIDs and names do not get conflated.
type: string
vapGenerationStatus:
description: VAPGenerationStatus represents the status of VAP generation.
properties:
generated:
type: boolean
warning:
type: string
type: object
type: object
type: object
served: true
Expand Down
23 changes: 23 additions & 0 deletions manifest_staging/deploy/gatekeeper.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2660,6 +2660,21 @@ spec:
type: string
enforced:
type: boolean
enforcementPointsStatus:
items:
description: EnforcementPointStatus represents the status of a single enforcement point.
properties:
enforced:
type: boolean
enforcementPoint:
type: string
message:
type: string
required:
- enforced
- enforcementPoint
type: object
type: array
errors:
items:
description: Error represents a single error caught while adding a constraint to engine.
Expand Down Expand Up @@ -2763,6 +2778,14 @@ spec:
don't ONLY use UUIDs, this is an alias to string. Being a type captures
intent and helps make sure that UIDs and names do not get conflated.
type: string
vapGenerationStatus:
description: VAPGenerationStatus represents the status of VAP generation.
properties:
generated:
type: boolean
warning:
type: string
type: object
type: object
type: object
served: true
Expand Down
Loading
Loading