Add warn enforcement action

[sozercan]

Signed-off-by: Sertac Ozercan sozercan@gmail.com

What this PR does / why we need it:
Creates a new enforcement action called warn that provides a warning during admission (only difference compared to dryrun). Requires Kubernetes v1.19+ clusters. For non-v1.19+ clusters, it behaves identical to dryrun.

$ kubectl apply pause.yaml
Warning: [denied by prod-repo-is-openpolicyagent] container <pause> has an invalid image repo <mcr.microsoft.com/oss/kubernetes/pause:1.4.0>, allowed repos are ["only-this-repo"]
pod/pause created

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Closes #701

Special notes for your reviewer:
This can also be merged into dryrun since functionality is very similar.

[codecov-io]

Codecov Report

Merging #1107 (27cd3cf) into master (321d8a8) will decrease coverage by 0.07%.
The diff coverage is 12.19%.

@@            Coverage Diff             @@
##           master    #1107      +/-   ##
==========================================
- Coverage   49.17%   49.10%   -0.08%     
==========================================
  Files          63       63              
  Lines        4390     4423      +33     
==========================================
+ Hits         2159     2172      +13     
- Misses       1970     1993      +23     
+ Partials      261      258       -3     

Flag	Coverage Δ
unittests	49.10% <12.19%> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/webhook/policy.go	28.62% <11.11%> (-2.82%)	⬇️
pkg/util/enforcement_action.go	25.00% <100.00%> (ø)
...onstrainttemplate/constrainttemplate_controller.go	58.89% <0.00%> (+3.23%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 321d8a8...27cd3cf. Read the comment docs.

[maxsmythe]

We should also test that the correct message is going to the correct response field, event type and log line.

[ritazh]

At highlevel, we should decide on what is the expected user experience for admission response for each enforcementAction should be.
Here is a proposal:

• dryrun: no warning, no deny message
• warning: warning message, no deny message
• deny: deny message, no warning

Both deny and dryrun should behave the same as they do today.

WDYT?

[maxsmythe]

SGTM

What about when there are multiple violations?

say: 1 deny, 1 dryrun, 1 warning

What gets returned?

[sozercan]

I am thinking:

• no message for dryrun
• "would have denied by" warning for warn
• "denied by" for deny as the actual admission response

which will end as deny.

[ritazh]

What about when there are multiple violations?
say: 1 deny, 1 dryrun, 1 warning
What gets returned?

This would return: 1 warning and 1 deny

[maxsmythe]

SGTM

[maxsmythe]

What events and logs get written?

[sozercan]

For log-denies, we don't differentiate between dryrun and deny today, so warn should be same.

For events, we can make a new reason called WarningAdmission (+1 here) or WarningViolation (we are calling FailedAdmission for deny events and DryrunViolation for dryrun events).

Thoughts?

However, if we create a new reason, we won't be able to fallback to dryrun reason for pre-1.19 cluster.

[maxsmythe]

Per

gatekeeper/pkg/webhook/policy.go

Lines 214 to 223 in db5a580

	if r.EnforcementAction == "deny" || r.EnforcementAction == "dryrun" {
	if *logDenies {
	log.WithValues(
	logging.Process, "admission",
	logging.EventType, "violation",
	logging.ConstraintName, r.Constraint.GetName(),
	logging.ConstraintGroup, r.Constraint.GroupVersionKind().Group,
	logging.ConstraintAPIVersion, r.Constraint.GroupVersionKind().Version,
	logging.ConstraintKind, r.Constraint.GetKind(),
	logging.ConstraintAction, r.EnforcementAction,

--log-denies reports the enforcement action on the constraint, we should continue with that. IMO we can also drop the

if r.EnforcementAction == "deny" || r.EnforcementAction == "dryrun" {

line, and just report any violation we see as we see it.

Per

gatekeeper/pkg/webhook/policy.go

Line 240 in db5a580

logging.ConstraintAction: r.EnforcementAction,

events are currently emitted with the enforcement action as-written written as an annotation. IMO that works as-is.

WRT event reasons...

I don't think we are coupled to the K8s admission webhook here, so there is no risk in adding a new reason for a new violation type. Users who don't use warning will not see any new behavior. Users who do will see the appropriate event reason in their cluster regardless of K8s version.

Another question is... what purpose do we want Event reason to serve? Is it a proxy for the enforcement action, which is how it's currently written? Is it more about categorizing the events between "those that cause rejections and those that dont", and users have the ability to dig deeper by looking at the event annotations?

If the later, we should change the text for reason. We have wriggle room to do so b/c events are still alpha.

[sozercan]

@maxsmythe @ritazh updated this per the discussion above. let me know what you think

• added would have denied by text to warning
• multiple violations with different enforcement actions will return both warning and deny. In case of deny, resource will get denied.
• created a new event type called WarningAdmission

[maxsmythe]

Looking close! A couple of nits and a question about word choice for "warning" events.

[maxsmythe]

"would have denied the request" seems more appropriate for dryrun, where we are presumably dry-running against a future deny. The request "would have been rejected" if this had not been a dry run.

"raised a warning for this request" maybe?

[sozercan]

updated eventMsg. should we change warning message to include raised a warning for this request too?

so it's either
Warning: [would have denied by cm-must-have-gk] you must provide labels: {"gatekeeper"}

or

Warning: [cm-must-have-gk raised a warning for this request] you must provide labels: {"gatekeeper"}

[maxsmythe]

Why not just:

Warning: [cm-must-have-gk] you must provide labels: {"gatekeeper"}

?

It sounds like kubectl is responsible for providing the context about what is a warning vs. not?

[maxsmythe]

Ah, I see we're adding "denied by" by default.

We could use [warning from cm-must-have-gk] .....

[sozercan]

Warning: in the beginning is automatically added, so that'll be

Warning: [warning from cm-must-have-gk] you must provide labels: {"gatekeeper"}

[sozercan]

Remove both denied by ... and would have denied by ...?

for 1 warning, 1 deny:

Warning: [cm-must-have-gk] you must provide labels: {"gatekeeper"}
Error from server ([deny-all-deny] DATA: {}): error when creating "test/bats/tests/bad/bad_cm.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-deny] DATA: {}

[maxsmythe]

I like that approach, personally.

[sozercan]

Wouldn't this change existing behavior/expectation though? especially if users have been parsing that string

@ritazh wdyt?

[maxsmythe]

It would change existing behavior. I suppose whether that matters depends on whether we view the string format as part of our API. I'd consider these intended to be human-readable, and therefore not part of the API.

HTTP status codes and the API as defined by K8s should be what machines rely on.

[sozercan]

updated

[maxsmythe]

Also, it looks like hte unit tests are failing?

[maxsmythe]

LGTM!