Merge branch 'master' into enforcementPointStatus

open-policy-agent · Nov 12, 2024 · ceedd2d · ceedd2d
2 parents 8c27363 + 4c6e2d4
commit ceedd2d
Show file tree

Hide file tree

Showing 11 changed files with 152 additions and 1 deletion.
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
@@ -62,7 +62,7 @@ jobs:
           tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
           echo "$(pwd)" >> $GITHUB_PATH
         env:
-          TRIVY_VERSION: "0.46.0"
+          TRIVY_VERSION: "0.57.0"
 
       - name: Run trivy on git repository
         run: |

diff --git a/demo/scoped-enforcement-actions/README.md b/demo/scoped-enforcement-actions/README.md
@@ -0,0 +1,13 @@
+> [!WARNING]
+> This is a demo of an alpha feature and is subject to change.
+
+This demo shows:
+
+1. Configuring different validation actions for different enforcement points.
+2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled.
+
+Please refer to <https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy> for pre-requisites and configuration steps.
+
+## Demo
+
+<img width= "900" height="500" src="demo.gif" alt="vap demo">
diff --git a/demo/scoped-enforcement-actions/demo.gif b/demo/scoped-enforcement-actions/demo.gif
diff --git a/demo/scoped-enforcement-actions/demo.sh b/demo/scoped-enforcement-actions/demo.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+. ../../third_party/demo-magic/demo-magic.sh
+
+clear
+
+# cmd
+
+p "Deploy the constraint template"
+
+pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml"
+
+p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added"
+
+pe "cat k8srequiredlabels_template_usevap.yaml"
+
+pe "kubectl apply -f owner_must_be_provided.yaml"
+
+pe "cat owner_must_be_provided.yaml"
+
+p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint"
+
+p "Let's test the policy"
+
+pe "kubectl create ns test"
+
+p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules"
+
+p ""
+
+p "Now let's add the VAP as enforcement point and update the constraint"
+
+pe "kubectl apply -f owner_must_be_provided_usevap.yaml"
+
+pe "cat owner_must_be_provided_usevap.yaml"
+
+p "VAPBinding with validation action warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP"
+
+pe "kubectl get ValidatingAdmissionPolicy"
+
+pe "kubectl get ValidatingAdmissionPolicyBinding"
+
+p "Let's test the policy"
+
+pe "kubectl create ns test"
+
+p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules"
+
+p "THE END"
+
+kubectl delete constrainttemplates --all
diff --git a/demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml b/demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml
@@ -0,0 +1,36 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          type: object
+          properties:
+            message:
+              type: string
+            labels:
+              type: array
+              items:
+                type: object
+                properties:
+                  key:
+                    type: string
+                  allowedRegex:
+                    type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      code:
+        - engine: K8sNativeValidation
+          source:
+            generateVAP: true
+            validations:
+            - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))'
+              messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
+            - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
+              message: "regex mismatch"
diff --git a/demo/scoped-enforcement-actions/owner_must_be_provided.yaml b/demo/scoped-enforcement-actions/owner_must_be_provided.yaml
@@ -0,0 +1,20 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: all-must-have-owner
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: validation.gatekeeper.sh
+    - name: audit.gatekeeper.sh
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml b/demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
@@ -0,0 +1,23 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: all-must-have-owner
+spec:
+  enforcementAction: scoped
+  scopedEnforcementActions:
+  - action: deny
+    enforcementPoints:
+    - name: validation.gatekeeper.sh
+    - name: audit.gatekeeper.sh
+  - action: warn
+    enforcementPoints:
+    - name: vap.k8s.io
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    message: "All namespaces must have an `owner` label that points to your company username"
+    labels:
+      - key: owner
+        allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/website/docs/enforcement-points.md b/website/docs/enforcement-points.md
@@ -104,3 +104,5 @@ spec:
     - name: "audit.gatekeeper.sh"
 ...
 ```
+
+Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
@@ -174,3 +174,5 @@ spec:
     - name: "validation.gatekeeper.sh"
 ...
 ```
+
+To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)
diff --git a/website/versioned_docs/version-v3.17.x/enforcement-points.md b/website/versioned_docs/version-v3.17.x/enforcement-points.md
@@ -104,3 +104,5 @@ spec:
     - name: "audit.gatekeeper.sh"
 ...
 ```
+
+Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
diff --git a/website/versioned_docs/version-v3.17.x/validating-admission-policy.md b/website/versioned_docs/version-v3.17.x/validating-admission-policy.md
@@ -171,3 +171,5 @@ spec:
     - name: "validation.gatekeeper.sh"
 ...
 ```
+
+To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)