
Commit

feat: vap generation
Signed-off-by: Rita Zhang <[email protected]>
ritazh committed Feb 16, 2024
1 parent b758571 commit 90423db
Showing 102 changed files with 1,673 additions and 446 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/workflow.yaml
Expand Up @@ -50,7 +50,7 @@ jobs:
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
# version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
version: v1.54.2
version: v1.55.2

test:
name: "Unit test"
Expand Down Expand Up @@ -178,7 +178,7 @@ jobs:
IMG=gatekeeper-e2e:latest \
USE_LOCAL_IMG=true
make test-e2e
make test-e2e KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} ENABLE_VAP_TESTS=1
- name: Save logs
if: ${{ always() }}
Expand Down Expand Up @@ -219,6 +219,7 @@ jobs:
make e2e-bootstrap
- name: Run e2e
# TODO(ritazh): add helm chart values for vap feature before alpha release
run: |
make docker-buildx \
IMG=gatekeeper-e2e:latest \
Expand Down Expand Up @@ -288,7 +289,7 @@ jobs:
make e2e-bootstrap
- name: Run e2e
run: |
run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release
make docker-buildx \
IMG=gatekeeper-e2e:latest
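Review bot: The new `make test-e2e KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} ENABLE_VAP_TESTS=1` line splices a workflow expression straight into the shell script of the `run:` step. The matrix is defined in this workflow (outside this chunk), so the value is not attacker-controlled today, but it is the exact pattern GitHub's script-injection guidance says to avoid, and the safer form costs nothing: put `env: KUBERNETES_VERSION: ${{ matrix.KUBERNETES_VERSION }}` on the step and call `make test-e2e KUBERNETES_VERSION="$KUBERNETES_VERSION" ENABLE_VAP_TESTS=1`. The job definition begins above this hunk.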
16 changes: 13 additions & 3 deletions Makefile
Expand Up @@ -23,6 +23,7 @@ KUSTOMIZE_VERSION ?= 3.8.9
BATS_VERSION ?= 1.8.2
ORAS_VERSION ?= 0.16.0
BATS_TESTS_FILE ?= test/bats/test.bats
KIND_CLUSTER_FILE ?= test/bats/tests/kindcluster.yml
HELM_VERSION ?= 3.7.2
NODE_VERSION ?= 16-bullseye-slim
YQ_VERSION ?= 4.30.6
Expand All @@ -32,7 +33,7 @@ GATEKEEPER_NAMESPACE ?= gatekeeper-system

# When updating this, make sure to update the corresponding action in
# workflow.yaml
GOLANGCI_LINT_VERSION := v1.51.2
GOLANGCI_LINT_VERSION := v1.55.2

# Detects the location of the user golangci-lint cache.
GOLANGCI_LINT_CACHE := $(shell pwd)/.tmp/golangci-lint
Expand Down Expand Up @@ -70,6 +71,9 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --disable-opa-builtin=http.send\
\n - --log-mutations\
\n - --mutation-annotations\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --validate-template-rego=false\
\n - --experimental-enable-k8s-native-validation\
\n---\
\napiVersion: apps/v1\
\nkind: Deployment\
Expand All @@ -89,7 +93,11 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --operation=status\
\n - --operation=mutation-status\
\n - --audit-chunk-size=500\
\n - --logtostderr"
\n - --logtostderr\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --validate-template-rego=false\
\n - --experimental-enable-k8s-native-validation\
\n"

# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
Expand Down Expand Up @@ -160,8 +168,10 @@ KIND_NODE_VERSION := kindest/node:v$(KUBERNETES_VERSION)
e2e-bootstrap: e2e-dependencies
# Check for existing kind cluster
if [ $$(${GITHUB_WORKSPACE}/bin/kind get clusters) ]; then ${GITHUB_WORKSPACE}/bin/kind delete cluster; fi

# Create a new kind cluster
TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m
# TODO(ritazh): remove KIND_CLUSTER_FILE when vap feature is GA
if [ $$(echo $(KUBERNETES_VERSION) | cut -d'.' -f2) -lt 28 ]; then ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m; else ${GITHUB_WORKSPACE}/bin/kind create cluster --config $(KIND_CLUSTER_FILE) --image $(KIND_NODE_VERSION) --wait 5m; fi

e2e-build-load-image: docker-buildx e2e-build-load-externaldata-image
kind load docker-image --name kind ${IMG} ${CRD_IMG}
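Review bot: The version gate on the new `e2e-bootstrap` line, `[ $$(echo $(KUBERNETES_VERSION) | cut -d'.' -f2) -lt 28 ]`, expands unquoted: an empty or non-numeric KUBERNETES_VERSION makes `[` fail with an integer-expression error, which the `if` simply treats as false, so the recipe silently takes the config-file branch instead of stopping. It also assumes a `1.x` version line, so a major-version change would be misclassified. Quote the expansion and fail fast on bad input, e.g. add `@test -n "$(KUBERNETES_VERSION)" || { echo "KUBERNETES_VERSION must be set, e.g. 1.28.0" >&2; exit 1; }` as the recipe line before it and compare with `if [ "$$(echo "$(KUBERNETES_VERSION)" | cut -d'.' -f2)" -lt 28 ]`. A one-line comment saying why 28 is the threshold (presumably the first minor where the kind config's feature gate is required) would help readers more than the TODO alone.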
2 changes: 1 addition & 1 deletion apis/status/v1beta1/constraintpodstatus_types.go
Expand Up @@ -46,7 +46,7 @@ type ConstraintPodStatusStatus struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

// Error represents a single error caught while adding a constraint to OPA.
// Error represents a single error caught while adding a constraint to engine.
type Error struct {
Code string `json:"code"`
Message string `json:"message"`
13 changes: 8 additions & 5 deletions cmd/build/helmify/main.go
Expand Up @@ -21,7 +21,10 @@ var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
// use exactly two spaces to be sure we are capturing metadata.name.
var nameRegex = regexp.MustCompile(`(?m)^ name:[\s]+([\S]+)[\s]*$`)

const DeploymentKind = "Deployment"
const (
DeploymentKind = "Deployment"
end = "{{- end }}"
)

func isRbacKind(str string) bool {
rbacKinds := [4]string{"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"}
Expand Down Expand Up @@ -105,12 +108,12 @@ func (ks *kindSet) Write() error {
fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))

if name == "validation.gatekeeper.sh" {
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n"
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + end + "\n"
fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

if name == "mutation.gatekeeper.sh" {
obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
obj = "{{- if not .Values.disableMutation }}\n" + obj + end + "\n"
fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

Expand All @@ -121,7 +124,7 @@ func (ks *kindSet) Write() error {
}

if name == "gatekeeper-critical-pods" && kind == "ResourceQuota" {
obj = "{{- if .Values.resourceQuota }}\n" + obj + "{{- end }}\n"
obj = "{{- if .Values.resourceQuota }}\n" + obj + end + "\n"
}

if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
Expand All @@ -145,7 +148,7 @@ func (ks *kindSet) Write() error {
}

if isRbacKind(kind) {
obj = "{{- if .Values.rbac.create }}\n" + obj + "{{- end }}\n"
obj = "{{- if .Values.rbac.create }}\n" + obj + end + "\n"
}

if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
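Review bot: The new `end` constant removes only half of the duplication in `Write`: each of the five call sites still hand-builds `"{{- if COND }}\n" + obj + end + "\n"`, so the opening tag stays copy-pasted while only the closing one is shared. A small helper keeps both halves together and names the intent, e.g. `func wrapIf(cond, obj string) string { return "{{- if " + cond + " }}\n" + obj + "{{- end }}\n" }`, with call sites becoming `obj = wrapIf("not .Values.disableValidatingWebhook", obj)`. The bare name `end` is also easy to misread as a local inside a long function; something like `tmplEnd` says what it is. `Write` begins and ends outside the hunks shown here.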
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ spec:
errors:
items:
description: Error represents a single error caught while adding
a constraint to OPA.
a constraint to engine.
properties:
code:
type: string
13 changes: 13 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -32,6 +32,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
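Review bot: The new rule grants Gatekeeper create/delete/patch/update on `validatingadmissionpolicies` and `validatingadmissionpolicybindings`, which are cluster-scoped admission objects: whoever can make Gatekeeper write them — by creating a ConstraintTemplate or Constraint carrying `gatekeeper.sh/use-vap: yes`, or any template at all under `--vap-enforcement=VAP_DEFAULT` — is effectively authoring cluster-wide admission policy. The controller that exercises this grant is outside this chunk; make sure its update and delete paths are scoped to objects Gatekeeper itself created (owner reference or a label selector) so a compromised or misbehaving controller cannot remove unrelated policies. The grant is also unconditional, handed out even when `--experimental-enable-k8s-native-validation` is off or `--vap-enforcement=NONE`, so consider gating the rule (or the chart's rendering of it) on the feature being enabled, in line with the workflow's TODO about chart values. At minimum, a comment above the rule such as `# Needed only when VAP generation is enabled (--experimental-enable-k8s-native-validation, --vap-enforcement)` records why it is there.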
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
labels:
"gatekeeper.sh/use-vap": "yes"
spec:
crd:
spec:
Expand Down Expand Up @@ -29,7 +31,7 @@ spec:
- engine: K8sNativeValidation
source:
validations:
- expression: "variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels)"
- expression: '[object, oldObject].exists(obj, obj != null && has(obj.metadata) && variables.params.labels.all(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels))'
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
- expression: "!variables.params.labels.exists(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && !string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex)))"
- expression: '[object, oldObject].exists(obj, obj != null && !variables.params.labels.exists(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels && !string(obj.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
message: "regex mismatch"
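Review bot: The rewritten CEL at the two `expression:` lines weakens the check on UPDATE: `[object, oldObject].exists(obj, …)` admits the request if either the new or the old object is compliant, so an update that strips a required label, or sets it to a value no longer matching `allowedRegex`, passes whenever the previous revision was fine — something the previous `object`-only expressions rejected. That applies wherever the generated binding or webhook matches UPDATE; the match rules are not in this chunk. If the intent is only to tolerate a null `object` on DELETE, select the object to check instead of accepting either: `(object != null ? [object] : [oldObject]).all(obj, has(obj.metadata) && variables.params.labels.all(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels))` and `(object != null ? [object] : [oldObject]).all(obj, !variables.params.labels.exists(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels && !string(obj.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))`. This keeps CREATE and DELETE behaviour identical to the new code while checking only the incoming object on UPDATE. The file's path is not rendered in this chunk; if it is a test fixture the point still stands, since these templates get copied as examples.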
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
labels:
"gatekeeper.sh/use-vap": "yes"
spec:
match:
kinds:
12 changes: 6 additions & 6 deletions go.mod
Expand Up @@ -16,9 +16,9 @@ require (
github.com/golang/protobuf v1.5.3
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.5.0
github.com/onsi/gomega v1.27.10
github.com/onsi/gomega v1.31.1
github.com/open-policy-agent/cert-controller v0.8.0
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240212182527-37bcf5fc60a4
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.16.0
github.com/spf13/cobra v1.8.0
Expand All @@ -33,7 +33,7 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.19.0
go.uber.org/automaxprocs v1.5.3
go.uber.org/zap v1.24.0
golang.org/x/net v0.19.0
golang.org/x/net v0.21.0
golang.org/x/oauth2 v0.13.0
golang.org/x/sync v0.5.0
golang.org/x/time v0.5.0
Expand Down Expand Up @@ -143,10 +143,10 @@ require (
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.17.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.15.0 // indirect
golang.org/x/sys v0.17.0 // indirect
golang.org/x/term v0.17.0 // indirect
golang.org/x/text v0.14.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
google.golang.org/api v0.149.0 // indirect
26 changes: 13 additions & 13 deletions go.sum
Expand Up @@ -257,13 +257,13 @@ github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7P
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
github.com/open-policy-agent/cert-controller v0.8.0 h1:pao3WCLsKGz5dSWSlNUFrNFQdXtVTQ3lVDgk2IelH34=
github.com/open-policy-agent/cert-controller v0.8.0/go.mod h1:alotCQRwX4M6VEwEgO53FB6nGLSlvah6L0pWxSRslIk=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06 h1:scXMWxph905CdmX5HkFJXipCtG+wT1ynxw31G9qSrMk=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06/go.mod h1:Gl2I/z5dxvTOwa/ANYGGOkUqE4M0CbQpln0Ia/7KVro=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240212182527-37bcf5fc60a4 h1:P0YvMEnfCME/gKr/3IzDuHwJhQFoMFZTP0v8QQq08lU=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240212182527-37bcf5fc60a4/go.mod h1:MoEB2MwxsQL+xUDG6WdIpJ6gU+gEQuiBre67F3C+p3I=
github.com/open-policy-agent/opa v0.60.0 h1:ZPoPt4yeNs5UXCpd/P/btpSyR8CR0wfhVoh9BOwgJNs=
github.com/open-policy-agent/opa v0.60.0/go.mod h1:aD5IK6AiLNYBjNXn7E02++yC8l4Z+bRDvgM6Ss0bBzA=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
Expand Down Expand Up @@ -385,8 +385,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
Expand Down Expand Up @@ -414,8 +414,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
Expand Down Expand Up @@ -446,12 +446,12 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
2 changes: 2 additions & 0 deletions main.go
Expand Up @@ -46,6 +46,7 @@ import (
"github.com/open-policy-agent/gatekeeper/v3/pkg/cachemanager"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraint"
"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
"github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata"
"github.com/open-policy-agent/gatekeeper/v3/pkg/metrics"
Expand Down Expand Up @@ -131,6 +132,7 @@ func init() {

// +kubebuilder:scaffold:scheme
flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE:do not generate, GATEKEEPER_DEFAULT:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.")
}

func main() {
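Review bot: `flag.Var(&constraint.VapEnforcement, "vap-enforcement", …)` leaves all input validation to `VapEnforcement.Set`, which lives in pkg/controller/constraint and is not in this chunk; confirm it rejects anything other than `NONE`, `GATEKEEPER_DEFAULT` and `VAP_DEFAULT` (and decide whether matching is case-sensitive) so a typo like `--vap-enforcement=vap_default` fails at startup rather than silently falling back to a default. Also confirm the zero value of `VapEnforcement` is `GATEKEEPER_DEFAULT` (opt-in), since `VAP_DEFAULT` makes every template start emitting cluster-scoped ValidatingAdmissionPolicy objects unless labelled out — an upgrade should not flip that silently. If, as the Makefile in this commit suggests, the flag only takes effect alongside `--experimental-enable-k8s-native-validation`, say so in the help text, and add the missing spaces: `NONE: do not generate, GATEKEEPER_DEFAULT: …, VAP_DEFAULT: …`.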
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ spec:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
description: Error represents a single error caught while adding a constraint to engine.
properties:
code:
type: string
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
15 changes: 14 additions & 1 deletion manifest_staging/deploy/gatekeeper.yaml
Expand Up @@ -1829,7 +1829,7 @@ spec:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
description: Error represents a single error caught while adding a constraint to engine.
properties:
code:
type: string
Expand Down Expand Up @@ -3496,6 +3496,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
5 changes: 5 additions & 0 deletions pkg/controller/config/config_controller_suite_test.go
Expand Up @@ -31,12 +31,17 @@ import (
var cfg *rest.Config

func TestMain(m *testing.M) {
apiserverFlags := []string{
"--runtime-config=api/all=true",
"--feature-gates=ValidatingAdmissionPolicy=true",
}
t := &envtest.Environment{
CRDDirectoryPaths: []string{
filepath.Join("..", "..", "..", "vendor", "github.com", "open-policy-agent", "frameworks", "constraint", "deploy", "crds.yaml"),
filepath.Join("..", "..", "..", "config", "crd", "bases"),
},
ErrorIfCRDPathMissing: true,
KubeAPIServerFlags: apiserverFlags,
}
if err := apis.AddToScheme(scheme.Scheme); err != nil {
stdlog.Fatal(err)
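Review bot: Setting `KubeAPIServerFlags` on the `envtest.Environment` hands the fixture a flag list that, depending on the controller-runtime version vendored here (not visible in the go.mod hunks of this chunk), either replaces envtest's default kube-apiserver arguments or goes through a deprecated legacy path; the supported way to add flags is `ControlPlane.GetAPIServer().Configure().Append(...)`. `--runtime-config=api/all=true` also turns on every alpha and beta API group in the test server, far more than this test needs — if the goal is the beta ValidatingAdmissionPolicy API on the 1.28 line, `admissionregistration.k8s.io/v1beta1=true` is the precise value (the kube-apiserver binary version comes from the envtest assets, also not shown here). Suggested: after constructing `t`, `apiServer := t.ControlPlane.GetAPIServer()`, `apiServer.Configure().Append("runtime-config", "admissionregistration.k8s.io/v1beta1=true")`, `apiServer.Configure().Append("feature-gates", "ValidatingAdmissionPolicy=true")`, and drop `KubeAPIServerFlags`. `TestMain` continues past this hunk.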
12 changes: 12 additions & 0 deletions pkg/controller/constraint/constants.go
@@ -0,0 +1,12 @@
package constraint

const (
// VapGenerationLabel indicates opting in and out preference for generating VAP objects.
VapGenerationLabel = "gatekeeper.sh/use-vap"
// VapFlagNone:do not generate.
VapFlagNone = "NONE"
// VapFlagGatekeeperDefault:do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly.
VapFlagGatekeeperDefault = "GATEKEEPER_DEFAULT"
// VapFlagVapDefault: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.
VapFlagVapDefault = "VAP_DEFAULT"
)
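Review bot: The label values the flag semantics hinge on (`yes` / `no`, per the `--vap-enforcement` help text in main.go) are not declared here, so whatever code compares against `VapGenerationLabel` will carry bare string literals; add `VapGenerationLabelYes = "yes"` and `VapGenerationLabelNo = "no"` next to `VapGenerationLabel` and document that the match is exact (no `true`/`True` aliases) so users do not assume a Kubernetes-style boolean. The doc comments also do not read as Go doc comments: `// VapFlagNone:do not generate.` should be a sentence beginning with the identifier, e.g. `// VapFlagNone disables VAP generation for every template.`, `// VapFlagGatekeeperDefault generates only for templates labelled gatekeeper.sh/use-vap: yes.`, `// VapFlagVapDefault generates for every template unless labelled gatekeeper.sh/use-vap: no.`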
