// Copyright 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Copyright 2019 Google LLC. This software is provided as-is,
// without warranty or representation for any use or purpose.
//
package controllers
import (
"context"
"fmt"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/runtime/schema"
)
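// reconcileOPAContraints reconciles the OPA Constraint resources that
// Gatekeeper enforces for the given namespaces, creating or updating each
// one through upsertUnstructured.
//
// The set of constraints is the list built below; today that is only the
// required-labels constraint from opaDeploymentLabelConstraint. The first
// upsert error aborts reconciliation of any remaining constraints and is
// returned with the failing constraint's name attached, so an operator can
// tell which policy object was not applied (and is therefore not enforced).
func (r *AppEnvConfigTemplateV2Reconciler) reconcileOPAContraints(
	ctx context.Context,
	namespaces []string,
) error {
	gvr := opaConstraintGVR()
	constraints := []*unstructured.Unstructured{
		opaDeploymentLabelConstraint(namespaces),
	}
	for _, ct := range constraints {
		// TODO: What to do about owner?
		// The trailing false is passed through unchanged; its meaning
		// (presumably owner-reference handling) is defined by upsertUnstructured.
		if err := r.upsertUnstructured(ctx, ct, gvr, false); err != nil {
			return fmt.Errorf("reconciling constraint %q: %v", ct.GetName(), err)
		}
	}
	return nil
}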
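// opaDeploymentLabelConstraint builds the Gatekeeper constraint named
// "deployments-must-have-correct-labels": an AppConfigRequiredLabels
// constraint requiring the "app" and "version" labels on Deployments
// (API groups "extensions" and "apps") and on Pods (core group "") in the
// given namespaces.
//
// Every nested collection is built from []interface{} and
// map[string]interface{} rather than []string / []map[string]interface{}.
// unstructured.Unstructured only supports JSON-native Go types, and its
// DeepCopy (runtime.DeepCopyJSON) panics on any other element type; the
// serialized object is identical either way. A nil namespaces slice is
// still stored as nil (JSON null) rather than as an empty list, so the
// emitted manifest does not change for existing callers.
func opaDeploymentLabelConstraint(namespaces []string) *unstructured.Unstructured {
	// Copy the caller's namespaces into a JSON-native slice; nil stays nil.
	var nsList []interface{}
	if namespaces != nil {
		nsList = make([]interface{}, 0, len(namespaces))
		for _, ns := range namespaces {
			nsList = append(nsList, ns)
		}
	}
	u := &unstructured.Unstructured{
		Object: map[string]interface{}{
			"metadata": map[string]interface{}{
				"name": "deployments-must-have-correct-labels",
			},
			"spec": map[string]interface{}{
				"match": map[string]interface{}{
					"kinds": []interface{}{
						map[string]interface{}{
							"apiGroups": []interface{}{"extensions", "apps"},
							"kinds":     []interface{}{"Deployment"},
						},
						map[string]interface{}{
							"apiGroups": []interface{}{""},
							"kinds":     []interface{}{"Pod"},
						},
					},
					"namespaces": nsList,
				},
				"parameters": map[string]interface{}{
					"labels": []interface{}{"app", "version"},
				},
			},
		},
	}
	u.SetGroupVersionKind(opaConstraintGVK())
	return u
}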
// opaConstraintGVK returns the GroupVersionKind of the Gatekeeper
// constraint kind used by this controller:
// constraints.gatekeeper.sh/v1alpha1, Kind AppConfigRequiredLabels.
func opaConstraintGVK() schema.GroupVersionKind {
	var gvk schema.GroupVersionKind
	gvk.Group = "constraints.gatekeeper.sh"
	gvk.Version = "v1alpha1"
	gvk.Kind = "AppConfigRequiredLabels"
	return gvk
}
// opaConstraintGVR returns the GroupVersionResource matching
// opaConstraintGVK, i.e. the same group and version with the plural
// resource name "appconfigrequiredlabels".
func opaConstraintGVR() schema.GroupVersionResource {
	const resource = "appconfigrequiredlabels"
	return opaConstraintGVK().GroupVersion().WithResource(resource)
}