diff --git a/constraint/deploy/crds.yaml b/constraint/deploy/crds.yaml index 83551848f..61e8feef0 100644 --- a/constraint/deploy/crds.yaml +++ b/constraint/deploy/crds.yaml @@ -17,7 +17,8 @@ spec: - name: v1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: description: |- @@ -75,7 +76,8 @@ spec: items: properties: engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' type: string source: description: The source code for the template. Required. @@ -110,7 +112,8 @@ spec: properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -124,7 +127,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 @@ -143,7 +147,8 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: description: |- @@ -201,7 +206,8 @@ spec: items: properties: engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' type: string source: description: The source code for the template. Required. 
@@ -236,7 +242,8 @@ spec: properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -250,7 +257,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 @@ -269,7 +277,8 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API + description: ConstraintTemplate is the Schema for the constrainttemplates + API properties: apiVersion: description: |- @@ -327,7 +336,8 @@ spec: items: properties: engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' + description: 'The engine used to evaluate the code. Example: + "Rego". Required.' type: string source: description: The source code for the template. Required. @@ -362,7 +372,8 @@ spec: properties: errors: items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. + description: CreateCRDError represents a single error caught + during parsing, compiling, etc. properties: code: type: string @@ -376,7 +387,8 @@ spec: type: object type: array id: - description: a unique identifier for the pod that wrote the status + description: a unique identifier for the pod that wrote the + status type: string observedGeneration: format: int64 @@ -409,7 +421,8 @@ spec: scope: Cluster versions: - deprecated: true - deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 + instead. name: v1alpha1 schema: openAPIV3Schema: 
@@ -444,7 +457,8 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with https://. + description: URL is the url for the provider. URL is prefixed with + https://. type: string type: object type: object
@@ -484,7 +498,8 @@ spec: description: Timeout is the timeout when querying the provider. type: integer url: - description: URL is the url for the provider. URL is prefixed with https://. + description: URL is the url for the provider. URL is prefixed with + https://. type: string type: object type: object
diff --git a/constraint/go.mod b/constraint/go.mod
index cccbd246f..9119f39ba 100644
--- a/constraint/go.mod
+++ b/constraint/go.mod
@@ -1,6 +1,8 @@
 module github.com/open-policy-agent/frameworks/constraint
 
-go 1.18
+go 1.21
+
+toolchain go1.22.2
 
 require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
@@ -80,8 +82,9 @@ require (
 go.opentelemetry.io/otel/trace v1.21.0 // indirect
 go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+ golang.org/x/mod v0.17.0 // indirect
 golang.org/x/oauth2 v0.17.0 // indirect
- golang.org/x/sync v0.6.0 // indirect
+ golang.org/x/sync v0.7.0 // indirect
 golang.org/x/sys v0.20.0 // indirect
 golang.org/x/term v0.20.0 // indirect
 golang.org/x/text v0.15.0 // indirect
diff --git a/constraint/go.sum b/constraint/go.sum
index a166a44d9..1ee1e21fd 100644
--- a/constraint/go.sum
+++ b/constraint/go.sum
@@ -13,13 +13,17 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4= +github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec= github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -27,19 +31,25 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod 
h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= @@ -51,6 +61,7 @@ github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ4 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= @@ -59,6 +70,7 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/ github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
@@ -66,14 +78,17 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/cel-go v0.17.7 h1:6ebJFzu1xO2n7TLtN+UBqShGBhlD85bhvglh5DpcfqQ= github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 
@@ -84,11 +99,13 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= 
@@ -102,8 +119,10 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM= +github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -111,6 +130,7 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -119,6 +139,7 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g= +github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/open-policy-agent/opa v0.64.1 h1:n8IJTYlFWzqiOYx+JiawbErVxiqAyXohovcZxYbskxQ= @@ -139,6 +160,7 @@ github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3c github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= 
@@ -158,6 +180,7 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= 
@@ -170,9 +193,13 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/etcd/api/v3 v3.5.10 h1:szRajuUUbLyppkhs9K6BRtjY37l66XQQmw7oZRANE4k= +go.etcd.io/etcd/api/v3 v3.5.10/go.mod h1:TidfmT4Uycad3NM/o25fG3J07odo4GBB9hoxaodFCtI= go.etcd.io/etcd/client/pkg/v3 v3.5.10 h1:kfYIdQftBnbAq8pUWFXfpuuxFSKzlmM5cSn76JByiT0= +go.etcd.io/etcd/client/pkg/v3 v3.5.10/go.mod h1:DYivfIviIuQ8+/lCq4vcxuseg2P2XbHygkKwFo9fc8U= go.etcd.io/etcd/client/v3 v3.5.10 h1:W9TXNZ+oB3MCd/8UjxHTWK5J9Nquw9fQBLJd5ne5/Ao= +go.etcd.io/etcd/client/v3 v3.5.10/go.mod h1:RVeBnDz2PUEZqTpgqwAtUd8nAPf5kjyFyND7P1VkOKc= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0 h1:PzIubN4/sjByhDRHLviCjJuweBXWFZWhghjg7cS28+M= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.0/go.mod h1:Ct6zzQEuGK3WpJs2n4dn+wfJYzd/+hNnxMRTWjGn30M= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24= 
@@ -192,8 +219,11 @@ go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+ go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= +go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -203,7 +233,8 @@ golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqR golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -218,8 +249,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= +golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -248,14 +279,17 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= +golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= +gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY= +google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo= google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de h1:jFNzHPIeuzhdRwVhbZdiym9q0ory/xY3sA+v2wPg8I0= google.golang.org/genproto/googleapis/api v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:5iCWqnniDlqZHrd3neWVTOwvh/v6s3232omMecelax8= google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de h1:cZGRis4/ot9uVm639a+rHCUaG0JJHEsdyzSQTMX+suY= 
diff --git a/constraint/pkg/apis/externaldata/unversioned/zz_generated.deepcopy.go b/constraint/pkg/apis/externaldata/unversioned/zz_generated.deepcopy.go index f85252d71..6276727ab 100644 --- a/constraint/pkg/apis/externaldata/unversioned/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/externaldata/unversioned/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/constraint/pkg/apis/externaldata/v1alpha1/zz_generated.deepcopy.go b/constraint/pkg/apis/externaldata/v1alpha1/zz_generated.deepcopy.go index b1eb19a64..e21de9381 100644 --- a/constraint/pkg/apis/externaldata/v1alpha1/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/externaldata/v1alpha1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/constraint/pkg/apis/externaldata/v1beta1/zz_generated.deepcopy.go b/constraint/pkg/apis/externaldata/v1beta1/zz_generated.deepcopy.go index 13c57de01..917a08cb5 100644 --- a/constraint/pkg/apis/externaldata/v1beta1/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/externaldata/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go b/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go index 797b58ef4..289f558ac 100644 --- a/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/templates/v1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go b/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go index 6720c01f7..60eefb2ee 100644 --- a/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go 
@@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* diff --git a/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go b/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go index 27a564e25..9204bcad7 100644 --- a/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go +++ b/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /*
diff --git a/constraint/pkg/client/drivers/k8scel/args.go b/constraint/pkg/client/drivers/k8scel/args.go
index 9774c0a66..c63efe852 100644
--- a/constraint/pkg/client/drivers/k8scel/args.go
+++ b/constraint/pkg/client/drivers/k8scel/args.go
@@ -1,13 +1,5 @@
 package k8scel
 
-type vapDefault string
-
-const (
- VAPGenerationLabel = "gatekeeper.sh/use-vap"
- VAPDefaultYes = vapDefault("yes")
- VAPDefaultNo = vapDefault("no")
-)
-
 type Arg func(*Driver) error
 
 // GatherStats starts collecting various stats around the
@@ -19,18 +11,3 @@ func GatherStats() Arg {
 return nil
 }
 }
-
-// VAPGenerationDefault sets the expected default
-// value of the `gatekeeper.sh/use-vap` label.
-// If no value is provided, VAP generation
-// is presumed to be disabled and the engine will
-// validate ALL policies. Otherwise, the engine
-// will only validate policies not expected to be
-// enforced via VAP.
-func VAPGenerationDefault(d vapDefault) Arg {
- return func(driver *Driver) error {
- driver.generateVAPDefault = &d
-
- return nil
- }
-}
diff --git a/constraint/pkg/client/drivers/k8scel/driver.go b/constraint/pkg/client/drivers/k8scel/driver.go
old mode 100644
new mode 100755
index 8957ab034..847903e18
--- a/constraint/pkg/client/drivers/k8scel/driver.go
+++ b/constraint/pkg/client/drivers/k8scel/driver.go
@@ -17,9 +17,7 @@ import (
 "github.com/open-policy-agent/frameworks/constraint/pkg/types"
 "github.com/open-policy-agent/opa/storage"
 admissionv1 "k8s.io/api/admission/v1"
- apimeta "k8s.io/apimachinery/pkg/api/meta"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apiserver/pkg/admission/plugin/cel"
 "k8s.io/apiserver/pkg/admission/plugin/validatingadmissionpolicy"
 "k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
@@ -52,15 +50,13 @@ const (
 var _ drivers.Driver = &Driver{}
 
 type Driver struct {
- mux sync.RWMutex
- validators map[string]*validatorWrapper
- generateVAPDefault *vapDefault
- gatherStats bool
+ mux sync.RWMutex
+ validators map[string]*validatorWrapper
+ gatherStats bool
 }
 
 type validatorWrapper struct {
- assumeVAPEnforcement bool
- validator validatingadmissionpolicy.Validator
+ validator validatingadmissionpolicy.Validator
 }
 
 func (d *Driver) Name() string {
@@ -122,13 +118,10 @@ func (d *Driver) AddTemplate(_ context.Context, ct *templates.ConstraintTemplate
 failurePolicy,
 )
 
- assumeVAPEnforcement := d.assumeVAPEnforcement(ct)
-
 d.mux.Lock()
 defer d.mux.Unlock()
 d.validators[ct.GetName()] = &validatorWrapper{
- validator: validator,
- assumeVAPEnforcement: assumeVAPEnforcement,
+ validator: validator,
 }
 return nil
 }
@@ -167,12 +160,6 @@ func (d *Driver) Query(ctx context.Context, target string, constraints []*unstru
 
 var statsEntries []*instrumentation.StatsEntry
 
- isAdmission := false
- isAdmissionGetter, ok := review.(IsAdmissionGetter)
- if ok {
- isAdmission = isAdmissionGetter.IsAdmissionRequest()
- }
-
 arGetter, ok := review.(ARGetter)
 if !ok {
 return nil, errors.New("cannot convert review to ARGetter")
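Review bot: The file header above these hunks flips driver.go from mode 100644 to 100755, which the commit does not mention and which a Go source file should not carry; the same flip appears on driver_test.go in the next file header, and both look like an accidental chmod that should be reverted (for example with `git update-index --chmod=-x` on the two paths). In the `@@ -52` hunk `validatorWrapper` shrinks to the single `validator` field, so a one-line doc comment saying why the wrapper is retained (presumably room for future per-template state — confirm) would stop the next reader from inlining it, e.g. `// validatorWrapper holds the compiled validator for one template; kept as a struct so per-template metadata can be added without changing the map type.`. With the `IsAdmissionGetter` assertion dropped from `Query` here and the `continue` path dropped in the later `@@ -193` hunk, every registered validator now runs on admission requests regardless of template or constraint labels; that behavior change deserves a sentence in the `Driver` doc comment or the commit description, since downstream users of the removed `VAPGenerationDefault` option will otherwise only discover it through a compile error. `AddTemplate` and `Query` both begin and end outside their hunks.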
@@ -193,14 +180,6 @@ func (d *Driver) Query(ctx context.Context, target string, constraints []*unstru
 return nil, fmt.Errorf("unknown constraint template validator: %s", constraint.GetKind())
 }
 
- assumeVAPEnforcementNotDisabled := assumeVAPEnforcementWithDefault(constraint, VAPDefaultYes)
-
- // if we assume VAP enforcement for a given constraint/template combo, Gatekeeper
- // should not be evaluating that constraint/template in an admission context.
- if isAdmission && assumeVAPEnforcementNotDisabled && wrappedValidator.assumeVAPEnforcement {
- continue
- }
-
 validator := wrappedValidator.validator
 
 // this should never happen, but best not to panic if the pointer is ever nil.
@@ -263,38 +242,6 @@ func (d *Driver) GetDescriptionForStat(statName string) (string, error) {
 }
 }
 
-func (d *Driver) assumeVAPEnforcement(obj runtime.Object) bool {
- if d.generateVAPDefault == nil {
- return false
- }
-
- return assumeVAPEnforcementWithDefault(obj, *d.generateVAPDefault)
-}
-
-func assumeVAPEnforcementWithDefault(obj runtime.Object, vapDef vapDefault) bool {
- meta, err := apimeta.Accessor(obj)
- if err != nil {
- return false
- }
- labels := meta.GetLabels()
- if labels == nil {
- labels = map[string]string{}
- }
- shouldGen, ok := labels[VAPGenerationLabel]
- if !ok {
- shouldGen = string(vapDef)
- }
- switch vapDefault(shouldGen) {
- case VAPDefaultYes:
- return true
- case VAPDefaultNo:
- return false
- // on unrecognized value, use the default
- default:
- return vapDef == VAPDefaultYes
- }
-}
-
 type ARGetter interface {
 GetAdmissionRequest() *admissionv1.AdmissionRequest
 }
diff --git a/constraint/pkg/client/drivers/k8scel/driver_test.go b/constraint/pkg/client/drivers/k8scel/driver_test.go
old mode 100644
new mode 100755
index d16a1f302..abc8e9c0f
--- a/constraint/pkg/client/drivers/k8scel/driver_test.go
+++ b/constraint/pkg/client/drivers/k8scel/driver_test.go
@@ -12,11 +12,10 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime"
 k8sschema "k8s.io/apimachinery/pkg/runtime/schema"
- "k8s.io/utils/ptr"
 "sigs.k8s.io/yaml"
 )
 
-func makeTemplateWithSource(source *schema.Source, vapGenerationVal *string) *templates.ConstraintTemplate {
+func makeTemplateWithSource(source *schema.Source) *templates.ConstraintTemplate {
 template := &templates.ConstraintTemplate{
 ObjectMeta: metav1.ObjectMeta{
 Name: "testkind",
@@ -37,26 +36,10 @@ func makeTemplateWithSource(source *schema.Source, vapGenerationVal *string) *te
 },
 },
 }
- if vapGenerationVal != nil {
- template.SetLabels(map[string]string{
- VAPGenerationLabel: *vapGenerationVal,
- })
- }
 return template
 }
 
-func makeTemplate(vapGenerationVal *string) *templates.ConstraintTemplate {
- return makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: "1 == 1",
- Message: "Always true",
- },
- },
- }, vapGenerationVal)
-}
-
-func makeConstraint(vapGenerationVal *string) *unstructured.Unstructured {
+func makeConstraint() *unstructured.Unstructured {
 constraint := &unstructured.Unstructured{
 Object: map[string]interface{}{},
 }
@@ -64,11 +47,6 @@ func makeConstraint(vapGenerationVal *string) *unstructured.Unstructured {
 if err := unstructured.SetNestedField(constraint.Object, "someValue", "spec", "parameters", "testParam"); err != nil {
 panic(err)
 }
- if vapGenerationVal != nil {
- constraint.SetLabels(map[string]string{
- VAPGenerationLabel: *vapGenerationVal,
- })
- }
 return constraint
 }
 
@@ -90,7 +68,7 @@ func (rw *requestWrapper) IsAdmissionRequest() bool {
 return rw.isAdmission
 }
 
-func fakeRequest(isAdmission bool) *requestWrapper {
+func fakeRequest() *requestWrapper {
 objStr := `
 apiVersion: v1
 kind: Pod
@@ -104,7 +82,6 @@ metadata:
 }
 
 return &requestWrapper{
- isAdmission: isAdmission,
 request: &admissionv1.AdmissionRequest{
 Object: runtime.RawExtension{Raw: objJSON},
 },
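Review bot: `fakeRequest()` no longer populates `isAdmission` in the `@@ -104` hunk, yet the `IsAdmissionRequest` method kept as context in the `@@ -90` hunk still returns `rw.isAdmission`, so it now always reports false and — with the `IsAdmissionGetter` assertion removed from `Query` in driver.go — nothing reads it any more. Either delete the field and method alongside the parameter, or mark them deliberately, e.g. `// isAdmission is unused by the driver since VAP-aware skipping was removed; kept so requestWrapper still satisfies IsAdmissionGetter.`, so the dead scaffolding does not look like an oversight. If `IsAdmissionGetter` is itself still declared in driver.go (its definition is outside the visible hunks), the same choice applies to it. `fakeRequest` continues past the end of the hunk.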
@@ -116,8 +93,6 @@ func TestValidation(t *testing.T) {
 name string
 template *templates.ConstraintTemplate
 constraint *unstructured.Unstructured
- vapDefault *vapDefault
- isAdmissionRequest bool
 expectedViolations bool
 expectedErr bool
 }{
@@ -130,8 +105,8 @@ func TestValidation(t *testing.T) {
 Message: "unexpected name",
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: false,
 },
 {
@@ -143,8 +118,8 @@ func TestValidation(t *testing.T) {
 Message: "unexpected name",
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: true,
 },
 {
@@ -162,8 +137,8 @@ func TestValidation(t *testing.T) {
 Expression: `object.kind == "Namespace"`,
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: false,
 },
 {
@@ -181,8 +156,8 @@ func TestValidation(t *testing.T) {
 Expression: `object.kind == "Pod"`,
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: true,
 },
 {
@@ -200,8 +175,8 @@ func TestValidation(t *testing.T) {
 Expression: `object.metadata.name`,
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: false,
 },
 {
@@ -213,150 +188,14 @@ func TestValidation(t *testing.T) {
 Message: "unexpected name",
 },
 },
- }, nil),
- constraint: makeConstraint(nil),
- expectedViolations: false,
- },
- // VAP generation
- {
- name: "Unsatisfied constraint, default assume no VAP",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(nil),
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, default assume VAP",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(nil),
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, default assume VAP, admission request",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(nil),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expectedViolations: false,
- },
- {
- name: "Unsatisfied constraint, default assume no VAP, admission request",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(nil),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, default assume no VAP, admission request, template override",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, ptr.To[string](string(VAPDefaultYes))),
- constraint: makeConstraint(nil),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
+ }),
+ constraint: makeConstraint(),
 expectedViolations: false,
 },
- {
- name: "Unsatisfied constraint, default assume no VAP, admission request, constraint override",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(ptr.To[string](string(VAPDefaultYes))),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, default assume VAP, admission request, constraint override",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, nil),
- constraint: makeConstraint(ptr.To[string](string(VAPDefaultNo))),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, default assume VAP, admission request, constraint template override",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, ptr.To[string](string(VAPDefaultNo))),
- constraint: makeConstraint(nil),
- isAdmissionRequest: true,
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expectedViolations: true,
- },
- {
- name: "Unsatisfied constraint, VAP disabled (default == nil), all override",
- template: makeTemplateWithSource(&schema.Source{
- Validations: []schema.Validation{
- {
- Expression: `object.metadata.name == "unrecognizable-name"`,
- Message: "unexpected name",
- },
- },
- }, ptr.To[string](string(VAPDefaultYes))),
- constraint: makeConstraint(ptr.To[string](string(VAPDefaultYes))),
- isAdmissionRequest: true,
- expectedViolations: true,
- },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
 args := []Arg{}
- if test.vapDefault != nil {
- args = append(args, VAPGenerationDefault(*test.vapDefault))
- }
 driver, err := New(args...)
 if err != nil {
 t.Fatal(err)
@@ -364,7 +203,7 @@ func TestValidation(t *testing.T) {
 if err := driver.AddTemplate(context.Background(), test.template); err != nil {
 t.Fatal(err)
 }
- response, err := driver.Query(context.Background(), "", []*unstructured.Unstructured{test.constraint}, fakeRequest(test.isAdmissionRequest))
+ response, err := driver.Query(context.Background(), "", []*unstructured.Unstructured{test.constraint}, fakeRequest())
 if (err != nil) != test.expectedErr {
 t.Errorf("wanted error state to be %v; got %v", test.expectedErr, err != nil)
 }
@@ -374,87 +213,3 @@ func TestValidation(t *testing.T) {
 })
 }
 }
-
-func TestAssumeVAPEnforcement(t *testing.T) {
- tests := []struct {
- name string
- template *templates.ConstraintTemplate
- vapDefault *vapDefault
- expected bool
- }{
- {
- name: "Enabled, default not set => no consideration of VAP enforcement",
- template: makeTemplate(ptr.To[string](string(VAPDefaultYes))),
- expected: false,
- },
- {
- name: "No stance, default enabled",
- template: makeTemplate(nil),
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expected: true,
- },
- {
- name: "No stance, default disabled",
- template: makeTemplate(nil),
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expected: false,
- },
- {
- name: "Enabled, default 'no'",
- template: makeTemplate(ptr.To[string](string(VAPDefaultYes))),
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expected: true,
- },
- {
- name: "Enabled, default 'yes'",
- template: makeTemplate(ptr.To[string](string(VAPDefaultYes))),
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expected: true,
- },
- {
- name: "Disabled, default 'yes'",
- template: makeTemplate(ptr.To[string](string(VAPDefaultNo))),
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expected: false,
- },
- {
- name: "Disabled, default 'no'",
- template: makeTemplate(ptr.To[string](string(VAPDefaultNo))),
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expected: false,
- },
- {
- name: "Nonsense value, default not set => nonsense ignored",
- template: makeTemplate(ptr.To[string]("catshaveclaws")),
- expected: false,
- },
- {
- name: "Nonsense value, default set",
- template: makeTemplate(ptr.To[string]("catshaveclaws")),
- vapDefault: ptr.To[vapDefault](VAPDefaultNo),
- expected: false,
- },
- {
- name: "Nonsense value, default set to yes",
- template: makeTemplate(ptr.To[string]("catshaveclaws")),
- vapDefault: ptr.To[vapDefault](VAPDefaultYes),
- expected: true,
- },
- }
- for _, test := range tests {
- t.Run(test.name, func(t *testing.T) {
- args := []Arg{}
- if test.vapDefault != nil {
- args = append(args, VAPGenerationDefault(*test.vapDefault))
- }
- driver, err := New(args...)
- if err != nil {
- t.Fatal(err)
- }
- assumeVAP := driver.assumeVAPEnforcement(test.template)
- if assumeVAP != test.expected {
- t.Errorf("wanted assumeVAP to be %v; got %v", test.expected, assumeVAP)
- }
- })
- }
-}
diff --git a/constraint/pkg/client/drivers/k8scel/schema/schema.go b/constraint/pkg/client/drivers/k8scel/schema/schema.go
index 7c2a22b26..0edab1559 100644
--- a/constraint/pkg/client/drivers/k8scel/schema/schema.go
+++ b/constraint/pkg/client/drivers/k8scel/schema/schema.go
@@ -22,7 +22,7 @@ const (
 ReservedPrefix = "gatekeeper_internal_"
 // ParamsName is the VAP variable constraint parameters will be bound to.
 ParamsName = "params"
- // ObjectName is the VAP variable that describes either an object or (on DELETE requests) oldObject
+ // ObjectName is the VAP variable that describes either an object or (on DELETE requests) oldObject.
 ObjectName = "anyObject"
 )
@@ -61,6 +61,9 @@ type Source struct {
 // Variables maps to ValidatingAdmissionPolicy's `spec.variables`.
 Variables []Variable `json:"variables,omitempty"`
+
+ // GenerateVAP enables/disables VAP generation and enforcement for policy.
+ GenerateVAP *bool `json:"generateVAP,omitempty"`
 }
 func (in *Source) Validate() error {
diff --git a/constraint/pkg/core/templates/zz_generated.deepcopy.go b/constraint/pkg/core/templates/zz_generated.deepcopy.go
index 3e0d52bde..58bdebb88 100644
--- a/constraint/pkg/core/templates/zz_generated.deepcopy.go
+++ b/constraint/pkg/core/templates/zz_generated.deepcopy.go
@@ -1,5 +1,4 @@
 //go:build !ignore_autogenerated
-// +build !ignore_autogenerated
 /*
diff --git a/constraint/pkg/schema/yaml_constant.go b/constraint/pkg/schema/yaml_constant.go
index b67a7deb4..d4e1b3c7e 100644
--- a/constraint/pkg/schema/yaml_constant.go
+++ b/constraint/pkg/schema/yaml_constant.go
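Review bot: The new `GenerateVAP *bool` field in `Source` has three states but its comment describes only two; since the removed `assumeVAPEnforcementWithDefault` fell back to a driver-wide default whenever no explicit value was present, the comment should say what `nil` means here, e.g. `// GenerateVAP enables/disables VAP generation and enforcement for the policy. When nil, the driver's configured default applies.` (confirm against the consumer, which is outside this diff). Note also that the old label-based mechanism, as the deleted tests show, accepted overrides on both the template and the individual Constraint (`makeConstraint(ptr.To[string](...))`), whereas this field lives only on the template's `Source`; if per-Constraint opt-out is intentionally gone, the comment should state that the template's setting applies to all of its constraints. No remaining case in driver_test.go sets `GenerateVAP` after the removals in this diff, so the field lands without test coverage; `Source.Validate()`, which starts right below the hunk, is the natural place for any consistency check on it if one is needed.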
@@ -7,8 +7,7 @@ const constraintTemplateCRDYaml = `apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 name: constrainttemplates.templates.gatekeeper.sh spec: group: templates.gatekeeper.sh @@ -27,14 +26,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -71,9 +75,9 @@ spec: items: properties: code: - description: The source code options for the constraint template. - "Rego" can only be specified in one place (either here or - in the "rego" field) + description: |- + The source code options for the constraint template. "Rego" can only + be specified in one place (either here or in the "rego" field) items: properties: engine: @@ -107,8 +111,9 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate - as seen by an individual controller + description: |- + ByPodStatus defines the observed state of ConstraintTemplate as seen by + an individual controller properties: errors: items: 
@@ -151,14 +156,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -195,9 +205,9 @@ spec: items: properties: code: - description: The source code options for the constraint template. - "Rego" can only be specified in one place (either here or - in the "rego" field) + description: |- + The source code options for the constraint template. "Rego" can only + be specified in one place (either here or in the "rego" field) items: properties: engine: 
@@ -231,8 +241,9 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate - as seen by an individual controller + description: |- + ByPodStatus defines the observed state of ConstraintTemplate as seen by + an individual controller properties: errors: items: @@ -275,14 +286,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -319,9 +335,9 @@ spec: items: properties: code: - description: The source code options for the constraint template. - "Rego" can only be specified in one place (either here or - in the "rego" field) + description: |- + The source code options for the constraint template. "Rego" can only + be specified in one place (either here or in the "rego" field) items: properties: engine: @@ -355,8 +371,9 @@ spec: properties: byPod: items: - description: ByPodStatus defines the observed state of ConstraintTemplate - as seen by an individual controller + description: |- + ByPodStatus defines the observed state of ConstraintTemplate as seen by + an individual controller properties: errors: items: diff --git a/constraint/vendor/modules.txt b/constraint/vendor/modules.txt index 361952db9..aaaa94d34 100644 --- a/constraint/vendor/modules.txt +++ b/constraint/vendor/modules.txt @@ -375,6 +375,8 @@ go.opentelemetry.io/proto/otlp/trace/v1 ## explicit; go 1.20 golang.org/x/exp/constraints golang.org/x/exp/slices +# golang.org/x/mod v0.17.0 +## explicit; go 1.18 # golang.org/x/net v0.25.0 ## explicit; go 1.18 golang.org/x/net/context @@ -391,7 +393,7 @@ golang.org/x/net/trace ## explicit; go 1.18 golang.org/x/oauth2 golang.org/x/oauth2/internal -# golang.org/x/sync v0.6.0 +# golang.org/x/sync v0.7.0 ## explicit; go 1.18 golang.org/x/sync/singleflight # golang.org/x/sys v0.20.0