fix: add --operation=mutation-controller flag (#2542)

* Add --operation=mutation-controller flag Signed-off-by: davis-haba <davishaba@google.com> * operations in sorted order Signed-off-by: davis-haba <davishaba@google.com> * update mutation-controller op docs to indicate audit may also need the flag Signed-off-by: davis-haba <davishaba@google.com> --------- Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
open-policy-agent · Jan 31, 2023 · 5ab923e · 5ab923e
1 parent 16d7929
commit 5ab923e
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 29 deletions.
diff --git a/pkg/controller/mutators/core/reconciler_test.go b/pkg/controller/mutators/core/reconciler_test.go
@@ -402,7 +402,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   true,
 					Errors:     nil,
 				},
@@ -434,7 +434,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   true,
 					Errors:     nil,
 				},
@@ -494,7 +494,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   false,
 					Errors:     []statusv1beta1.MutatorError{{Message: newErrSome(1).Error()}},
 				},
@@ -535,7 +535,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   false,
 					Errors: []statusv1beta1.MutatorError{
 						{
@@ -634,7 +634,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   false,
 					Errors: []statusv1beta1.MutatorError{
 						{
@@ -685,7 +685,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 				},
 				Status: statusv1beta1.MutatorPodStatusStatus{
 					ID:         "no-pod",
-					Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+					Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 					Enforced:   true,
 					Errors:     nil,
 				},
@@ -940,7 +940,7 @@ func TestReconciler_Reconcile_DeletePodStatus(t *testing.T) {
 		},
 		Status: statusv1beta1.MutatorPodStatusStatus{
 			ID:         "no-pod",
-			Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+			Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 			Enforced:   true,
 		},
 	}

diff --git a/pkg/mutation/mutation.go b/pkg/mutation/mutation.go
@@ -34,5 +34,5 @@ func init() {
 
 // Enabled indicates if the mutation feature is enabled.
 func Enabled() bool {
-	return operations.IsAssigned(operations.MutationStatus) || operations.IsAssigned(operations.MutationWebhook)
+	return operations.IsAssigned(operations.MutationStatus) || operations.IsAssigned(operations.MutationWebhook) || operations.IsAssigned(operations.MutationController)
 }
diff --git a/pkg/operations/operations.go b/pkg/operations/operations.go
@@ -15,22 +15,23 @@ type Operation string
 
 // All defined Operations.
 const (
-	Audit           = Operation("audit")
-	Status          = Operation("status")
-	MutationStatus  = Operation("mutation-status")
-	MutationWebhook = Operation("mutation-webhook")
-	Webhook         = Operation("webhook")
+	Audit              = Operation("audit")
+	MutationController = Operation("mutation-controller")
+	MutationStatus     = Operation("mutation-status")
+	MutationWebhook    = Operation("mutation-webhook")
+	Status             = Operation("status")
+	Webhook            = Operation("webhook")
 )
 
 var (
 	// allOperations is a list of all possible Operations that can be assigned to
-	// a pod. It is NOT intended to be mutated. It should be kept in alphabetical
-	// order so that it can be readily compared to the results from AssignedOperations.
+	// a pod. It is NOT intended to be mutated.
 	allOperations = []Operation{
 		Audit,
-		Status,
+		MutationController,
 		MutationStatus,
 		MutationWebhook,
+		Status,
 		Webhook,
 	}
 
@@ -85,18 +86,6 @@ func init() {
 	flag.Var(operations, "operation", "The operation to be performed by this instance. e.g. audit, webhook. This flag can be declared more than once. Omitting will default to supporting all operations.")
 }
 
-// AssignedOperations returns a map of operations assigned to the pod.
-func AssignedOperations() map[Operation]bool {
-	ret := make(map[Operation]bool)
-	operationsMtx.RLock()
-	defer operationsMtx.RUnlock()
-
-	for k, v := range operations.assignedOperations {
-		ret[k] = v
-	}
-	return ret
-}
-
 // IsAssigned returns true when the provided operation is assigned to the pod.
 func IsAssigned(op Operation) bool {
 	operationsMtx.RLock()

diff --git a/pkg/operations/operations_test.go b/pkg/operations/operations_test.go
@@ -15,7 +15,7 @@ func Test_Flags(t *testing.T) {
 	}{
 		"default": {
 			input:    []string{},
-			expected: map[Operation]bool{Audit: true, Webhook: true, Status: true, MutationStatus: true, MutationWebhook: true},
+			expected: map[Operation]bool{Audit: true, Webhook: true, Status: true, MutationStatus: true, MutationWebhook: true, MutationController: true},
 		},
 		"multiple": {
 			input:    []string{"-operation", "audit", "-operation", "webhook"},

diff --git a/website/docs/operations.md b/website/docs/operations.md
@@ -153,6 +153,29 @@ At a high level, this requires:
 * The ability to write to all objects in the group `mutations.gatekeeper.sh` (mutators)
 * The ability to read `MutatorPodStatus` objects in Gatekeeper's namespace
 
+## Mutation Controller
+
+__--operation key:__ `mutation-controller`
+
+This operation runs the process responsible for ingesting and registering
+mutators. `mutation-controller` is run implicitly with the `mutation-webhook`
+and `mutation-status` operations, and is redundant if any of the 2
+aforementioned operations are already specified. 
+
+If the `webhook` or `audit` operation is used in isolation without the `mutation-webhook`
+or `mutation-status` operations, then the `mutation-controller` operation is
+required for mutation to work with [workload expansion](workload-resources.md).
+
+### Required Behaviors:
+
+At a high level, this requires:
+
+* Ingesting Mutator objects
+
+### Permissions Required
+
+* The ability to read all objects in the group `mutations.gatekeeper.sh` (mutators)
+
 # A Note on Permissions
 
 "Create" implies the `create` and `delete` permissions in addition to the permissions implied by "Read" and "Write".