Skip to content

Commit

Permalink
feat: vap generation
Browse files Browse the repository at this point in the history
Signed-off-by: Rita Zhang <[email protected]>
  • Loading branch information
ritazh committed Feb 22, 2024
1 parent a4ffcde commit d6c5a28
Show file tree
Hide file tree
Showing 88 changed files with 1,430 additions and 326 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/workflow.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ jobs:
uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
with:
# version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
version: v1.54.2
version: v1.55.2

test:
name: "Unit test"
Expand Down Expand Up @@ -178,7 +178,7 @@ jobs:
IMG=gatekeeper-e2e:latest \
USE_LOCAL_IMG=true
make test-e2e
make test-e2e KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} ENABLE_VAP_TESTS=1
- name: Save logs
if: ${{ always() }}
Expand Down Expand Up @@ -219,6 +219,7 @@ jobs:
make e2e-bootstrap
- name: Run e2e
# TODO(ritazh): add helm chart values for vap feature before alpha release
run: |
make docker-buildx \
IMG=gatekeeper-e2e:latest \
Expand Down Expand Up @@ -288,7 +289,7 @@ jobs:
make e2e-bootstrap
- name: Run e2e
run: |
run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release
make docker-buildx \
IMG=gatekeeper-e2e:latest
Expand Down
14 changes: 11 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ KUSTOMIZE_VERSION ?= 3.8.9
BATS_VERSION ?= 1.8.2
ORAS_VERSION ?= 0.16.0
BATS_TESTS_FILE ?= test/bats/test.bats
KIND_CLUSTER_FILE ?= test/bats/tests/kindcluster.yml
HELM_VERSION ?= 3.7.2
NODE_VERSION ?= 16-bullseye-slim
YQ_VERSION ?= 4.30.6
Expand All @@ -32,7 +33,7 @@ GATEKEEPER_NAMESPACE ?= gatekeeper-system

# When updating this, make sure to update the corresponding action in
# workflow.yaml
GOLANGCI_LINT_VERSION := v1.51.2
GOLANGCI_LINT_VERSION := v1.55.2

# Detects the location of the user golangci-lint cache.
GOLANGCI_LINT_CACHE := $(shell pwd)/.tmp/golangci-lint
Expand Down Expand Up @@ -70,6 +71,8 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --disable-opa-builtin=http.send\
\n - --log-mutations\
\n - --mutation-annotations\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --experimental-enable-k8s-native-validation\
\n---\
\napiVersion: apps/v1\
\nkind: Deployment\
Expand All @@ -89,7 +92,10 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --operation=status\
\n - --operation=mutation-status\
\n - --audit-chunk-size=500\
\n - --logtostderr"
\n - --logtostderr\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --experimental-enable-k8s-native-validation\
\n"

# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
Expand Down Expand Up @@ -160,8 +166,10 @@ KIND_NODE_VERSION := kindest/node:v$(KUBERNETES_VERSION)
e2e-bootstrap: e2e-dependencies
# Check for existing kind cluster
if [ $$(${GITHUB_WORKSPACE}/bin/kind get clusters) ]; then ${GITHUB_WORKSPACE}/bin/kind delete cluster; fi

# Create a new kind cluster
TERM=dumb ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m
# TODO(ritazh): remove KIND_CLUSTER_FILE when vap feature is GA
if [ $$(echo $(KUBERNETES_VERSION) | cut -d'.' -f2) -lt 28 ]; then ${GITHUB_WORKSPACE}/bin/kind create cluster --image $(KIND_NODE_VERSION) --wait 5m; else ${GITHUB_WORKSPACE}/bin/kind create cluster --config $(KIND_CLUSTER_FILE) --image $(KIND_NODE_VERSION) --wait 5m; fi

e2e-build-load-image: docker-buildx e2e-build-load-externaldata-image
kind load docker-image --name kind ${IMG} ${CRD_IMG}
Expand Down
2 changes: 1 addition & 1 deletion apis/status/v1beta1/constraintpodstatus_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ type ConstraintPodStatusStatus struct {
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
}

// Error represents a single error caught while adding a constraint to OPA.
// Error represents a single error caught while adding a constraint to engine.
type Error struct {
Code string `json:"code"`
Message string `json:"message"`
Expand Down
13 changes: 8 additions & 5 deletions cmd/build/helmify/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,10 @@ var kindRegex = regexp.MustCompile(`(?m)^kind:[\s]+([\S]+)[\s]*$`)
// use exactly two spaces to be sure we are capturing metadata.name.
var nameRegex = regexp.MustCompile(`(?m)^ name:[\s]+([\S]+)[\s]*$`)

const DeploymentKind = "Deployment"
const (
DeploymentKind = "Deployment"
end = "{{- end }}"
)

func isRbacKind(str string) bool {
rbacKinds := [4]string{"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"}
Expand Down Expand Up @@ -105,12 +108,12 @@ func (ks *kindSet) Write() error {
fileName := fmt.Sprintf("%s-%s.yaml", strings.ToLower(name), strings.ToLower(kind))

if name == "validation.gatekeeper.sh" {
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + "{{- end }}\n"
obj = "{{- if not .Values.disableValidatingWebhook }}\n" + obj + end + "\n"
fileName = fmt.Sprintf("gatekeeper-validating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

if name == "mutation.gatekeeper.sh" {
obj = "{{- if not .Values.disableMutation }}\n" + obj + "{{- end }}\n"
obj = "{{- if not .Values.disableMutation }}\n" + obj + end + "\n"
fileName = fmt.Sprintf("gatekeeper-mutating-webhook-configuration-%s.yaml", strings.ToLower(kind))
}

Expand All @@ -121,7 +124,7 @@ func (ks *kindSet) Write() error {
}

if name == "gatekeeper-critical-pods" && kind == "ResourceQuota" {
obj = "{{- if .Values.resourceQuota }}\n" + obj + "{{- end }}\n"
obj = "{{- if .Values.resourceQuota }}\n" + obj + end + "\n"
}

if name == "gatekeeper-controller-manager" && kind == DeploymentKind {
Expand All @@ -143,7 +146,7 @@ func (ks *kindSet) Write() error {
}

if isRbacKind(kind) {
obj = "{{- if .Values.rbac.create }}\n" + obj + "{{- end }}\n"
obj = "{{- if .Values.rbac.create }}\n" + obj + end + "\n"
}

if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ spec:
errors:
items:
description: Error represents a single error caught while adding
a constraint to OPA.
a constraint to engine.
properties:
code:
type: string
Expand Down
13 changes: 13 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
labels:
"gatekeeper.sh/use-vap": "yes"
spec:
crd:
spec:
Expand Down Expand Up @@ -29,7 +31,7 @@ spec:
- engine: K8sNativeValidation
source:
validations:
- expression: "variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels)"
- expression: '[object, oldObject].exists(obj, obj != null && has(obj.metadata) && variables.params.labels.all(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels))'
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
- expression: "!variables.params.labels.exists(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && !string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex)))"
- expression: '[object, oldObject].exists(obj, obj != null && !variables.params.labels.exists(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels && !string(obj.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
message: "regex mismatch"
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
labels:
"gatekeeper.sh/use-vap": "yes"
spec:
match:
kinds:
Expand Down
12 changes: 6 additions & 6 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ require (
github.com/golang/protobuf v1.5.3
github.com/google/go-cmp v0.6.0
github.com/google/uuid v1.5.0
github.com/onsi/gomega v1.30.0
github.com/onsi/gomega v1.31.1
github.com/open-policy-agent/cert-controller v0.10.1
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240219192228-76869f816908
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.18.0
github.com/spf13/cobra v1.8.0
Expand All @@ -30,7 +30,7 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.19.0
go.uber.org/automaxprocs v1.5.3
go.uber.org/zap v1.26.0
golang.org/x/net v0.20.0
golang.org/x/net v0.21.0
golang.org/x/oauth2 v0.16.0
golang.org/x/sync v0.6.0
golang.org/x/time v0.5.0
Expand Down Expand Up @@ -138,10 +138,10 @@ require (
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/sys v0.17.0 // indirect
golang.org/x/term v0.17.0 // indirect
golang.org/x/text v0.14.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
google.golang.org/api v0.160.0 // indirect
Expand Down
28 changes: 14 additions & 14 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -286,14 +286,14 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY=
github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw=
github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
github.com/open-policy-agent/cert-controller v0.10.1 h1:RXSYoyn8FdCenWecRP//UV5nbVfmstNpj4kHQFkvPK4=
github.com/open-policy-agent/cert-controller v0.10.1/go.mod h1:4uRbBLY5DsPOog+a9pqk3JLxuuhrWsbUedQW65HcLTI=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06 h1:scXMWxph905CdmX5HkFJXipCtG+wT1ynxw31G9qSrMk=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240110234408-18fa1fc7dc06/go.mod h1:Gl2I/z5dxvTOwa/ANYGGOkUqE4M0CbQpln0Ia/7KVro=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240219192228-76869f816908 h1:VwTOJNE/PuNXjxsgG85d/lVrwYSFYQFDt95KEzGNS0M=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240219192228-76869f816908/go.mod h1:MoEB2MwxsQL+xUDG6WdIpJ6gU+gEQuiBre67F3C+p3I=
github.com/open-policy-agent/opa v0.60.0 h1:ZPoPt4yeNs5UXCpd/P/btpSyR8CR0wfhVoh9BOwgJNs=
github.com/open-policy-agent/opa v0.60.0/go.mod h1:aD5IK6AiLNYBjNXn7E02++yC8l4Z+bRDvgM6Ss0bBzA=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
Expand Down Expand Up @@ -426,8 +426,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
Expand Down Expand Up @@ -455,8 +455,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
Expand Down Expand Up @@ -486,12 +486,12 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
Expand Down
2 changes: 2 additions & 0 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ import (
"github.com/open-policy-agent/gatekeeper/v3/pkg/cachemanager"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraint"
"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
"github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata"
"github.com/open-policy-agent/gatekeeper/v3/pkg/metrics"
Expand Down Expand Up @@ -132,6 +133,7 @@ func init() {

// +kubebuilder:scaffold:scheme
flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.")
}

func main() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ spec:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
description: Error represents a single error caught while adding a constraint to engine.
properties:
code:
type: string
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
Expand Down
15 changes: 14 additions & 1 deletion manifest_staging/deploy/gatekeeper.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1829,7 +1829,7 @@ spec:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
description: Error represents a single error caught while adding a constraint to engine.
properties:
code:
type: string
Expand Down Expand Up @@ -3496,6 +3496,19 @@ rules:
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingadmissionpolicies
- validatingadmissionpolicybindings
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
Expand Down
5 changes: 5 additions & 0 deletions pkg/controller/config/config_controller_suite_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@ func TestMain(m *testing.M) {
},
ErrorIfCRDPathMissing: true,
}
///TODO(ritazh): remove when vap is GAed in k/k
args := t.ControlPlane.GetAPIServer().Configure()
args.Append("runtime-config", "api/all=true")
args.Append("feature-gates", "ValidatingAdmissionPolicy=true")

if err := apis.AddToScheme(scheme.Scheme); err != nil {
stdlog.Fatal(err)
}
Expand Down
16 changes: 16 additions & 0 deletions pkg/controller/constraint/constants.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
package constraint

const (
// VapGenerationLabel indicates opting in and out preference for generating VAP objects.
VapGenerationLabel = "gatekeeper.sh/use-vap"
// VapFlagNone: do not generate.
VapFlagNone = "NONE"
// VapFlagGatekeeperDefault: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly.
VapFlagGatekeeperDefault = "GATEKEEPER_DEFAULT"
// VapFlagVapDefault: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.
VapFlagVapDefault = "VAP_DEFAULT"
// no value.
No = "no"
// yes value.
Yes = "yes"
)
Loading

0 comments on commit d6c5a28

Please sign in to comment.