-
Notifications
You must be signed in to change notification settings - Fork 732
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add warn enforcement action #1107
Conversation
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Codecov Report
@@ Coverage Diff @@
## master #1107 +/- ##
==========================================
- Coverage 49.17% 49.10% -0.08%
==========================================
Files 63 63
Lines 4390 4423 +33
==========================================
+ Hits 2159 2172 +13
- Misses 1970 1993 +23
+ Partials 261 258 -3
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
pkg/webhook/policy_test.go
Outdated
resDeny, | ||
resWarn, | ||
}, | ||
ExpectedMsgCount: 2, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also test that the correct message is going to the correct response field, event type and log line.
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
At highlevel, we should decide on what is the expected user experience for admission response for each enforcementAction should be.
Both deny and dryrun should behave the same as they do today. WDYT? |
SGTM What about when there are multiple violations? say: 1 deny, 1 dryrun, 1 warning What gets returned? |
I am thinking:
which will end as deny. |
This would return: 1 warning and 1 deny |
SGTM |
What events and logs get written? |
For log-denies, we don't differentiate between dryrun and deny today, so warn should be same. For events, we can make a new reason called Thoughts? However, if we create a new reason, we won't be able to fallback to dryrun reason for pre-1.19 cluster. |
Per gatekeeper/pkg/webhook/policy.go Lines 214 to 223 in db5a580
line, and just report any violation we see as we see it. Per gatekeeper/pkg/webhook/policy.go Line 240 in db5a580
events are currently emitted with the enforcement action as-written written as an annotation. IMO that works as-is. WRT event reasons... I don't think we are coupled to the K8s admission webhook here, so there is no risk in adding a new reason for a new violation type. Users who don't use Another question is... what purpose do we want Event reason to serve? Is it a proxy for the enforcement action, which is how it's currently written? Is it more about categorizing the events between "those that cause rejections and those that dont", and users have the ability to dig deeper by looking at the event annotations? If the later, we should change the text for |
@maxsmythe @ritazh updated this per the discussion above. let me know what you think
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking close! A couple of nits and a question about word choice for "warning" events.
pkg/webhook/policy.go
Outdated
eventMsg = "Dryrun violation" | ||
reason = "DryrunViolation" | ||
case string(util.Warn): | ||
eventMsg = "Admission webhook \"validation.gatekeeper.sh\" would have denied the request" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"would have denied the request" seems more appropriate for dryrun, where we are presumably dry-running against a future deny. The request "would have been rejected" if this had not been a dry run.
"raised a warning for this request" maybe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated eventMsg
. should we change warning message to include raised a warning for this request
too?
so it's either
Warning: [would have denied by cm-must-have-gk] you must provide labels: {"gatekeeper"}
or
Warning: [cm-must-have-gk raised a warning for this request] you must provide labels: {"gatekeeper"}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not just:
Warning: [cm-must-have-gk] you must provide labels: {"gatekeeper"}
?
It sounds like kubectl is responsible for providing the context about what is a warning vs. not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see we're adding "denied by" by default.
We could use [warning from cm-must-have-gk] .....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Warning:
in the beginning is automatically added, so that'll be
Warning: [warning from cm-must-have-gk] you must provide labels: {"gatekeeper"}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove both denied by ...
and would have denied by ...
?
for 1 warning, 1 deny:
Warning: [cm-must-have-gk] you must provide labels: {"gatekeeper"}
Error from server ([deny-all-deny] DATA: {}): error when creating "test/bats/tests/bad/bad_cm.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-deny] DATA: {}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like that approach, personally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't this change existing behavior/expectation though? especially if users have been parsing that string
@ritazh wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would change existing behavior. I suppose whether that matters depends on whether we view the string format as part of our API. I'd consider these intended to be human-readable, and therefore not part of the API.
HTTP status codes and the API as defined by K8s should be what machines rely on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated
Also, it looks like hte unit tests are failing? |
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Signed-off-by: Sertac Ozercan sozercan@gmail.com
What this PR does / why we need it:
Creates a new enforcement action called
warn
that provides a warning during admission (only difference compared todryrun
). Requires Kubernetes v1.19+ clusters. For non-v1.19+ clusters, it behaves identical todryrun
.Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Closes #701
Special notes for your reviewer:
This can also be merged into
dryrun
since functionality is very similar.