From 546c93d342158b64bf89af5dc465a97fbd77a367 Mon Sep 17 00:00:00 2001 From: Julian Dolce Date: Fri, 12 Feb 2021 05:42:24 -0500 Subject: [PATCH] feat: Allow Helm to manage namespace where objects are created. If Values.createNamespace=true, which it is by default, a 'gatekeeper-system' Namespace will be created, and all objects created within it. If it is set to false, a Namespace is not created, and the Helm release namespace is used. Signed-off-by: Julian Dolce --- .github/workflows/workflow.yaml | 9 +++--- Makefile | 17 ++++++++--- cmd/build/helmify/kustomization.yaml | 1 + cmd/build/helmify/kustomize-for-helm.yaml | 2 +- cmd/build/helmify/main.go | 10 +++++++ .../helmify/static/templates/_helpers.tpl | 12 ++++++++ .../charts/gatekeeper/templates/_helpers.tpl | 12 ++++++++ .../gatekeeper-admin-serviceaccount.yaml | 2 +- .../gatekeeper-audit-deployment.yaml | 2 +- ...ekeeper-controller-manager-deployment.yaml | 4 +-- ...ontroller-manager-poddisruptionbudget.yaml | 2 +- .../gatekeeper-manager-role-role.yaml | 2 +- ...anager-rolebinding-clusterrolebinding.yaml | 2 +- ...eeper-manager-rolebinding-rolebinding.yaml | 4 +-- .../gatekeeper-system-namespace.yaml | 2 +- ...ration-validatingwebhookconfiguration.yaml | 4 +-- ...gatekeeper-webhook-server-cert-secret.yaml | 2 +- .../gatekeeper-webhook-service-service.yaml | 2 +- test/bats/helpers.bash | 6 ++-- test/bats/test.bats | 29 ++++++++++--------- test/bats/tests/sync.yaml | 1 - test/bats/tests/sync_with_exclusion.yaml | 1 - 22 files changed, 86 insertions(+), 42 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index d6760fba3ca..512c76eaa52 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -132,6 +132,7 @@ jobs: strategy: matrix: HELM_VERSION: ["2.17.0", "3.4.2"] + GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"] steps: - name: Check out code into the Go module directory uses: actions/checkout@v2 
@@ -145,13 +146,13 @@ jobs: - name: Run e2e run: | make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest - make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} - make test-e2e + make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} + make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} - name: Save logs run: | - kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-controller.json - kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-audit.json + kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json + kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json - name: Upload artifacts uses: actions/upload-artifact@v2 diff --git a/Makefile b/Makefile index 644254914f6..56cac34c8c7 100644 --- a/Makefile +++ b/Makefile @@ -15,6 +15,8 @@ KUSTOMIZE_VERSION ?= 3.8.8 BATS_VERSION ?= 1.2.1 KUBECTL_KUSTOMIZE_VERSION ?= 1.20.1-${KUSTOMIZE_VERSION} HELM_VERSION ?= 2.17.0 +HELM_ARGS ?= +GATEKEEPER_NAMESPACE ?= gatekeeper-system BUILD_COMMIT := $(shell ./build/get-build-commit.sh) BUILD_TIMESTAMP := $(shell ./build/get-build-timestamp.sh) @@ -40,7 +42,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --port=8443\ \n - --logtostderr\ \n - --emit-admission-events\ -\n - --exempt-namespace=gatekeeper-system\ +\n - --exempt-namespace=${GATEKEEPER_NAMESPACE}\ \n - --operation=webhook\ \n---\ \napiVersion: apps/v1\ 
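Review bot: The saved log file names in the `Save logs` step now embed `${{ matrix.GATEKEEPER_NAMESPACE }}`, but the `Upload artifacts` step that consumes them lies outside the hunk, so its `path` should be confirmed to still match the new names (a glob such as `logs-helm-*.json` does; an explicit per-version file name does not). With the new matrix axis each Helm version now runs twice, so the artifact `name` in that step should also be checked for uniqueness per combination; this is inferred from the visible step names only.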
@@ -110,7 +112,7 @@ e2e-build-load-image: docker-buildx kind load docker-image --name kind ${IMG} e2e-verify-release: patch-image deploy test-e2e - echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n gatekeeper-system -l control-plane=controller-manager + echo -e '\n\n======= manager logs =======\n\n' && kubectl logs -n ${GATEKEEPER_NAMESPACE} -l control-plane=controller-manager e2e-helm-install: rm -rf .staging/helm 
@@ -120,13 +122,20 @@ e2e-helm-install: ./.staging/helm/linux-amd64/helm version --client e2e-helm-deploy: e2e-helm-install +ifneq ($(GATEKEEPER_NAMESPACE),gatekeeper-system) + kubectl create namespace $(GATEKEEPER_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f - + kubectl label ns $(GATEKEEPER_NAMESPACE) admission.gatekeeper.sh/ignore=no-self-managing + kubectl label ns $(GATEKEEPER_NAMESPACE) gatekeeper.sh/system="yes" + $(eval HELM_ARGS := --namespace $(GATEKEEPER_NAMESPACE) --set createNamespace=false) +endif + @if [ $$(echo ${HELM_VERSION} | head -c 1) = "2" ]; then\ kubectl create clusterrolebinding tiller-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default;\ ./.staging/helm/linux-amd64/helm init --wait --history-max=5;\ kubectl -n kube-system wait --for=condition=Ready pod -l name=tiller --timeout=300s;\ - ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ + ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name=gatekeeper --debug ${HELM_ARGS} --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ else\ - ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ + ./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper ${HELM_ARGS} --debug --set image.repository=${HELM_REPO} --set image.release=${HELM_RELEASE} --set emitAdmissionEvents=true --set emitAuditEvents=true;\ fi; e2e-helm-upgrade-init: e2e-helm-install 
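Review bot: The two `kubectl label ns` lines added to `e2e-helm-deploy` are not idempotent: `kubectl label` without `--overwrite` exits non-zero when the key already exists, so a second run of the target against the same cluster fails right after the deliberately idempotent `kubectl create namespace … | kubectl apply -f -`. Collapse them into one line, `kubectl label ns $(GATEKEEPER_NAMESPACE) --overwrite admission.gatekeeper.sh/ignore=no-self-managing gatekeeper.sh/system="yes"`. These labels appear to mirror what the chart's Namespace template applies when it creates the namespace itself, and they are what keeps Gatekeeper's webhook from acting on its own namespace, so a comment above the `ifneq` block saying so (e.g. `# chart does not create the namespace when createNamespace=false; apply the self-exemption labels it would have set`) would help keep them in sync. Note also that `ifneq` is evaluated when the Makefile is parsed, so `GATEKEEPER_NAMESPACE` only takes effect from the command line or environment, and `$(eval HELM_ARGS := …)` is silently ignored when `HELM_ARGS` was itself passed on the command line, because command-line variables override makefile assignments.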
diff --git a/cmd/build/helmify/kustomization.yaml b/cmd/build/helmify/kustomization.yaml index a67b522722c..373057259bf 100644 --- a/cmd/build/helmify/kustomization.yaml +++ b/cmd/build/helmify/kustomization.yaml @@ -1,3 +1,4 @@ +namespace: '{{ include "gatekeeper.namespace" . }}' commonLabels: app: '{{ template "gatekeeper.name" . }}' chart: '{{ template "gatekeeper.name" . }}' diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 7e8530d0234..114d2edd2d8 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -63,7 +63,7 @@ spec: - --logtostderr - --emit-admission-events={{ .Values.emitAdmissionEvents }} - --log-level={{ .Values.logLevel }} - - --exempt-namespace=gatekeeper-system + - --exempt-namespace={{ include "gatekeeper.namespace" . }} - --operation=webhook imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go index b14a1ab899c..75ee472b3f0 100644 --- a/cmd/build/helmify/main.go +++ b/cmd/build/helmify/main.go @@ -40,6 +40,13 @@ func extractName(s string) (string, error) { return strings.Trim(matches[1], `"'`), nil } +//extractNamespaceName returns the default "gatekeeper-system" namespace. +//Because the namespace is '{{ include "gatekeeper.namespace" . }}' it fails to be found in extractName. +//There should only ever be 1 Namespace so this should be safe +func extractNamespaceName(s string) (string, error) { + return "gatekeeper-system", nil +} + func extractCRDKind(obj string) (string, error) { crd := &apiextensionsv1beta1.CustomResourceDefinition{} if err := yaml.Unmarshal([]byte(obj), crd); err != nil { @@ -81,7 +88,10 @@ func (ks *kindSet) Write() error { return err } } + } else if kind == "Namespace" { + nameExtractor = extractNamespaceName } + for _, obj := range objs { name, err := nameExtractor(obj) if err != nil { 
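Review bot: `extractNamespaceName` ignores its `s` argument and always answers `gatekeeper-system`, so a second Namespace object, or one whose name is not the helper include, would be written under the same file name without any error; the comment's "should be safe" is an assumption the code could check cheaply. Keep the constant return for the expected case but guard it, e.g. `if !strings.Contains(s, "gatekeeper.namespace") { return "", <non-nil error built with whatever error helper this file already uses> }`, so an unexpected object fails the build instead of being silently renamed. The doc comment should read `// extractNamespaceName …` (space after the slashes, gofmt/golint style) and the unused parameter can be written `_ string` to make the intent explicit. The second hunk's `} else if kind == "Namespace"` sits inside `Write`, whose body starts and ends outside the hunk.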
diff --git a/cmd/build/helmify/static/templates/_helpers.tpl b/cmd/build/helmify/static/templates/_helpers.tpl index c4139773acb..9c68e63f914 100644 --- a/cmd/build/helmify/static/templates/_helpers.tpl +++ b/cmd/build/helmify/static/templates/_helpers.tpl @@ -1,3 +1,15 @@ +{{/* +If createNamespace is set to true, sets the namespace to "gatekeeper-system" +If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }} +*/}} +{{- define "gatekeeper.namespace" -}} +{{- if .Values.createNamespace }} +{{- printf "gatekeeper-system" }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end -}} + {{/* Expand the name of the chart. */}} diff --git a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl index c4139773acb..9c68e63f914 100644 --- a/manifest_staging/charts/gatekeeper/templates/_helpers.tpl +++ b/manifest_staging/charts/gatekeeper/templates/_helpers.tpl @@ -1,3 +1,15 @@ +{{/* +If createNamespace is set to true, sets the namespace to "gatekeeper-system" +If createNamespace is set to false, sets the namespace to the {{ .Release.Namespace }} +*/}} +{{- define "gatekeeper.namespace" -}} +{{- if .Values.createNamespace }} +{{- printf "gatekeeper-system" }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end -}} + {{/* Expand the name of the chart. */}} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml index 1d329971f6f..e110bd9300b 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-admin-serviceaccount.yaml @@ -8,4 +8,4 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-admin - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' 
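Review bot: The header comment of `gatekeeper.namespace` describes the value switch but not its two operator-visible consequences: with `createNamespace=true` the chart ignores `--namespace` and every object lands in `gatekeeper-system` regardless of `.Release.Namespace`, and with `createNamespace=false` the chart no longer applies the labels its Namespace template would have set (`gatekeeper.sh/system`, and presumably `admission.gatekeeper.sh/ignore`), so the release namespace must be labelled by the operator before install or the webhook is not told to skip Gatekeeper's own namespace — the Makefile's `e2e-helm-deploy` does exactly this by hand. Extend the comment with those two points, e.g. `When createNamespace is false the release namespace must already carry the labels the Namespace template would set; when it is true, .Release.Namespace is ignored.` The same helper is duplicated verbatim in `manifest_staging/charts/gatekeeper/templates/_helpers.tpl`; if that copy is generated from this one, the comment need only change here.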
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 889a539fb56..f99bea0be1e 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -10,7 +10,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-audit - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' spec: replicas: 1 selector: diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 2f78c18ae7e..699e55813a9 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml @@ -10,7 +10,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-controller-manager - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' spec: replicas: {{ .Values.replicas }} selector: @@ -45,7 +45,7 @@ spec: - --logtostderr - --emit-admission-events={{ .Values.emitAdmissionEvents }} - --log-level={{ .Values.logLevel }} - - --exempt-namespace=gatekeeper-system + - --exempt-namespace={{ include "gatekeeper.namespace" . }} - --operation=webhook command: - /manager diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml index 38f29d1f279..f33c454ee32 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml 
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml @@ -8,7 +8,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-controller-manager - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' spec: minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} selector: diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 38c3d3110f8..28617a41028 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -9,7 +9,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-manager-role - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' rules: - apiGroups: - "" diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml index 72187373143..0dfdfe57681 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -15,4 +15,4 @@ roleRef: subjects: - kind: ServiceAccount name: gatekeeper-admin - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml index 03dfa2a8326..9b3ecfcab3c 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml 
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -8,7 +8,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-manager-rolebinding - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -16,4 +16,4 @@ roleRef: subjects: - kind: ServiceAccount name: gatekeeper-admin - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml index 3292d840aa5..9e6f1cc688a 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-system-namespace.yaml @@ -10,5 +10,5 @@ metadata: gatekeeper.sh/system: "yes" heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' - name: gatekeeper-system + name: '{{ include "gatekeeper.namespace" . }}' {{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml index 014fba642b9..b4c381792c0 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml @@ -14,7 +14,7 @@ webhooks: caBundle: Cg== service: name: gatekeeper-webhook-service - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' path: /v1/admit failurePolicy: Ignore name: validation.gatekeeper.sh 
@@ -41,7 +41,7 @@ webhooks: caBundle: Cg== service: name: gatekeeper-webhook-service - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' path: /v1/admitlabel failurePolicy: Fail name: check-ignore-label.gatekeeper.sh diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml index 0a5b0e27f2f..48f92640760 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-server-cert-secret.yaml @@ -9,4 +9,4 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-webhook-server-cert - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml index ef141810f65..a37cb1af254 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-webhook-service-service.yaml @@ -8,7 +8,7 @@ metadata: heritage: '{{ .Release.Service }}' release: '{{ .Release.Name }}' name: gatekeeper-webhook-service - namespace: gatekeeper-system + namespace: '{{ include "gatekeeper.namespace" . }}' spec: ports: - port: 443 diff --git a/test/bats/helpers.bash b/test/bats/helpers.bash index ff3f99e2c29..05817d1126a 100644 --- a/test/bats/helpers.bash +++ b/test/bats/helpers.bash 
@@ -67,16 +67,16 @@ wait_for_process() { get_ca_cert() { destination="$1" - if [ $(kubectl get secret -n gatekeeper-system gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then + if [ $(kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | wc -w) -eq 0 ]; then return 1 fi - kubectl get secret -n gatekeeper-system gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | base64 -d >$destination + kubectl get secret -n ${GATEKEEPER_NAMESPACE} gatekeeper-webhook-server-cert -o jsonpath='{.data.ca\.crt}' | base64 -d >$destination } constraint_enforced() { local kind="$1" local name="$2" - local pod_list="$(kubectl -n gatekeeper-system get pod -l gatekeeper.sh/operation=webhook -o json)" + local pod_list="$(kubectl -n ${GATEKEEPER_NAMESPACE} get pod -l gatekeeper.sh/operation=webhook -o json)" if [[ $? -ne 0 ]]; then echo "error gathering pods" return 1 diff --git a/test/bats/test.bats b/test/bats/test.bats index a205b843917..4a7048f9e2e 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -6,6 +6,7 @@ BATS_TESTS_DIR=test/bats/tests WAIT_TIME=120 SLEEP_TIME=1 CLEAN_CMD="echo cleaning..." +GATEKEEPER_NAMESPACE=${GATEKEEPER_NAMESPACE:-gatekeeper-system} teardown() { bash -c "${CLEAN_CMD}" 
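Review bot: `get_ca_cert` and `constraint_enforced` now rely on `GATEKEEPER_NAMESPACE` being set by the caller, but the only default lives in `test.bats` (`GATEKEEPER_NAMESPACE=${GATEKEEPER_NAMESPACE:-gatekeeper-system}`), so any other script sourcing `helpers.bash` gets an empty, unquoted `-n ${GATEKEEPER_NAMESPACE}` and `kubectl` then takes `gatekeeper-webhook-server-cert` as the namespace name. Give the helper file its own fallback near the top, `: "${GATEKEEPER_NAMESPACE:=gatekeeper-system}"`, and quote the expansions on the three changed lines, `-n "${GATEKEEPER_NAMESPACE}"`, so a missing value fails loudly instead of shifting arguments. `constraint_enforced` continues beyond the hunk.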
@@ -14,15 +15,15 @@ teardown() { teardown_file() { kubectl delete ns gatekeeper-test-playground gatekeeper-excluded-namespace || true kubectl delete constrainttemplates k8scontainerlimits k8srequiredlabels k8suniquelabel || true - kubectl delete configs.config.gatekeeper.sh config -n gatekeeper-system || true + kubectl delete configs.config.gatekeeper.sh config -n ${GATEKEEPER_NAMESPACE} || true } @test "gatekeeper-controller-manager is running" { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n gatekeeper-system wait --for=condition=Ready --timeout=60s pod -l control-plane=controller-manager" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=controller-manager" } @test "gatekeeper-audit is running" { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n gatekeeper-system wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller" } @test "namespace label webhook is serving" { @@ -34,7 +35,7 @@ teardown_file() { kubectl wait --for=condition=Ready --timeout=60s pod temp kubectl cp ${cert} temp:/cacert - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl -f --cacert /cacert --connect-timeout 1 --max-time 2 https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl -f --cacert /cacert --connect-timeout 1 --max-time 2 https://gatekeeper-webhook-service.${GATEKEEPER_NAMESPACE}.svc:443/v1/admitlabel" kubectl delete pod temp } 
@@ -75,7 +76,7 @@ teardown_file() { } @test "applying sync config" { - kubectl apply -f ${BATS_TESTS_DIR}/sync.yaml + kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync.yaml } # creating namespaces and audit constraints early so they will have time to reconcile @@ -95,8 +96,8 @@ teardown_file() { assert_failure } -@test "gatekeeper-system ignore label can be patched" { - kubectl patch ns gatekeeper-system --type=json -p='[{"op": "replace", "path": "/metadata/labels/admission.gatekeeper.sh~1ignore", "value": "ignore-label-test-passed"}]' +@test "gatekeeper ns ignore label can be patched" { + kubectl patch ns ${GATEKEEPER_NAMESPACE} --type=json -p='[{"op": "replace", "path": "/metadata/labels/admission.gatekeeper.sh~1ignore", "value": "ignore-label-test-passed"}]' } @test "required labels dryrun test" { @@ -140,8 +141,8 @@ teardown_file() { kubectl wait --for=condition=Ready --timeout=60s pod temp num_namespaces=$(kubectl get ns -o json | jq '.items | length') - local pod_ip="$(kubectl -n gatekeeper-system get pod -l gatekeeper.sh/operation=webhook -ojson | jq --raw-output '[.items[].status.podIP][0]' | sed 's#\.#-#g')" - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl http://${pod_ip}.gatekeeper-system.pod:8888/metrics | grep 'gatekeeper_sync{kind=\"Namespace\",status=\"active\"} ${num_namespaces}'" + local pod_ip="$(kubectl -n ${GATEKEEPER_NAMESPACE} get pod -l gatekeeper.sh/operation=webhook -ojson | jq --raw-output '[.items[].status.podIP][0]' | sed 's#\.#-#g')" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl exec -it temp -- curl http://${pod_ip}.${GATEKEEPER_NAMESPACE}.pod:8888/metrics | grep 'gatekeeper_sync{kind=\"Namespace\",status=\"active\"} ${num_namespaces}'" kubectl delete pod temp } 
@@ -185,14 +186,14 @@ __required_labels_audit_test() { @test "emit events test" { # list events for easy debugging - kubectl get events -n gatekeeper-system - events=$(kubectl get events -n gatekeeper-system --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') + kubectl get events -n ${GATEKEEPER_NAMESPACE} + events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=FailedAdmission -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') [[ "$events" -ge 1 ]] - events=$(kubectl get events -n gatekeeper-system --field-selector reason=DryrunViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') + events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=DryrunViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') [[ "$events" -ge 1 ]] - events=$(kubectl get events -n gatekeeper-system --field-selector reason=AuditViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') + events=$(kubectl get events -n ${GATEKEEPER_NAMESPACE} --field-selector reason=AuditViolation -o json | jq -r '.items[] | select(.metadata.annotations.constraint_kind=="K8sRequiredLabels" )' | jq -s '. | length') [[ "$events" -ge 1 ]] } @@ -204,6 +205,6 @@ __required_labels_audit_test() { assert_match 'denied the request' "${output}" assert_failure - kubectl apply -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml + kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl create configmap should-succeed -n gatekeeper-excluded-namespace" } 
diff --git a/test/bats/tests/sync.yaml b/test/bats/tests/sync.yaml index 207a56e394d..8e555d6c7b6 100644 --- a/test/bats/tests/sync.yaml +++ b/test/bats/tests/sync.yaml @@ -2,7 +2,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config - namespace: "gatekeeper-system" spec: sync: syncOnly: diff --git a/test/bats/tests/sync_with_exclusion.yaml b/test/bats/tests/sync_with_exclusion.yaml index 37fde80ee68..04f3c014dbc 100644 --- a/test/bats/tests/sync_with_exclusion.yaml +++ b/test/bats/tests/sync_with_exclusion.yaml @@ -2,7 +2,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1 kind: Config metadata: name: config - namespace: "gatekeeper-system" spec: match: - excludedNamespaces: ["gatekeeper-excluded-namespace"]