chore: disable http.send by default (#1867)

* disable http.send by default Signed-off-by: Sertac Ozercan <sozercan@gmail.com> * add docs Signed-off-by: Sertac Ozercan <sozercan@gmail.com> * Update website/docs/customize-startup.md Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com> Signed-off-by: Sertac Ozercan <sozercan@gmail.com> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
open-policy-agent · Feb 24, 2022 · 1f8b3ea · 1f8b3ea
1 parent 7740642
commit 1f8b3ea
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 2 deletions.
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -106,7 +106,7 @@ pdb:
   controllerManager:
     minAvailable: 1
 service: {}
-disabledBuiltins:
+disabledBuiltins: ["{http.send}"]
 psp:
   enabled: true
 upgradeCRDs:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -51,6 +51,7 @@ spec:
             - "--exempt-namespace=gatekeeper-system"
             - "--operation=webhook"
             - "--operation=mutation-webhook"
+            - "--disable-opa-builtin={http.send}"
           image: openpolicyagent/gatekeeper:v3.7.0
           imagePullPolicy: Always
           name: manager
@@ -128,6 +129,7 @@ spec:
             - --operation=audit
             - --operation=status
             - --logtostderr
+            - --disable-opa-builtin={http.send}
           command:
             - /manager
           env:

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -106,7 +106,7 @@ pdb:
   controllerManager:
     minAvailable: 1
 service: {}
-disabledBuiltins:
+disabledBuiltins: ["{http.send}"]
 psp:
   enabled: true
 upgradeCRDs:

diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
@@ -2326,6 +2326,7 @@ spec:
         - --operation=audit
         - --operation=status
         - --logtostderr
+        - --disable-opa-builtin={http.send}
         command:
         - /manager
         env:
@@ -2429,6 +2430,7 @@ spec:
         - --exempt-namespace=gatekeeper-system
         - --operation=webhook
         - --operation=mutation-webhook
+        - --disable-opa-builtin={http.send}
         command:
         - /manager
         env:

diff --git a/website/docs/customize-startup.md b/website/docs/customize-startup.md
@@ -17,6 +17,10 @@ The `--enable-pprof` flag enables an HTTP server for profiling using the [pprof]
 
 By default, Gatekeeper uses [`open-policy-agent/cert-controller`](https://github.com/open-policy-agent/cert-controller) to handle the webhook's certificate rotation and generation. If you want to use a third-party solution, you may disable the cert-controller feature using `--disable-cert-rotation`.
 
+## Disable OPA built-in functions
+
+The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](https://www.openpolicyagent.org/docs/v0.37.2/policy-reference/#built-in-functions). Starting with v3.8.0, Gatekeeper disables the `http.send` built-in function by default. For more information, please see [external data](./externaldata.md#motivation).
+
 ## [Alpha] Emit admission and audit events
 
 The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.

diff --git a/website/versioned_docs/version-v3.6.x/customize-startup.md b/website/versioned_docs/version-v3.6.x/customize-startup.md
@@ -17,6 +17,10 @@ The `--enable-pprof` flag enables an HTTP server for profiling using the [pprof]
 
 By default, Gatekeeper uses [`open-policy-agent/cert-controller`](https://github.com/open-policy-agent/cert-controller) to handle the webhook's certificate rotation and generation. If you want to use a third-party solution, you may disable the cert-controller feature using `--disable-cert-rotation`.
 
+## Disable OPA built-in functions
+
+The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](https://www.openpolicyagent.org/docs/v0.37.2/policy-reference/#built-in-functions).
+
 ## [Alpha] Emit admission and audit events
 
 The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.

diff --git a/website/versioned_docs/version-v3.7.x/customize-startup.md b/website/versioned_docs/version-v3.7.x/customize-startup.md
@@ -17,6 +17,10 @@ The `--enable-pprof` flag enables an HTTP server for profiling using the [pprof]
 
 By default, Gatekeeper uses [`open-policy-agent/cert-controller`](https://github.com/open-policy-agent/cert-controller) to handle the webhook's certificate rotation and generation. If you want to use a third-party solution, you may disable the cert-controller feature using `--disable-cert-rotation`.
 
+## Disable OPA built-in functions
+
+The `--disable-opa-builtin` flag disables specific [OPA built-ins functions](https://www.openpolicyagent.org/docs/v0.37.2/policy-reference/#built-in-functions).
+
 ## [Alpha] Emit admission and audit events
 
 The `--emit-admission-events` flag enables the emission of all admission violations as Kubernetes events in the Gatekeeper namespace. This flag is in alpha stage and it is set to `false` by default.