Convert to using beta resources. #190
Conversation
This also adds in auto-generation of the deploy/gatekeeper.yaml file. Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
| @@ -26,7 +26,7 @@ var log = logf.Log.WithName("controller").WithValues("metaKind", "audit") | |||
|
|
|||
| const ( | |||
| crdName = "constrainttemplates.templates.gatekeeper.sh" | |||
| constraintsGV = "constraints.gatekeeper.sh/v1alpha1" | |||
| constraintsGV = "constraints.gatekeeper.sh/v1beta1" | |||
There was a problem hiding this comment.
What if users have both v1alpha1 and v1beta1 constraints in the system? This update will only look for the v1beta1 constraints.
There was a problem hiding this comment.
Story time :)
This isn't an issue, as all constraints are conceptually simultaneously both alpha and beta at the same time. If a user writes a constraint, it gets stored at the current storage version, when constraints are read, they are read at the requested version.
However...
While verifying this, I found a separate issue. There is a bug in multi-version CRDs such that when:
- Admission Webhooks are enabled and registered (GK is an admission webhook)
- A cluster has a CR persisted in an old storage version
- A cluster upgrades the CRD and bumps the storage version
It is impossible to write a beta version to a resource persisted in alpha. The API server tries to do a (not-unstructured) scheme conversion and errors out. Fortunately it's possible to bump the storage version by writing an alpha version. I've added some code to do that on startup in pkg/upgrade.
There was a problem hiding this comment.
Posted bug to k8s repo:
…raints/templates Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
deploy/gatekeeper.yaml
Outdated
| subjects: | ||
| - kind: ServiceAccount | ||
| name: default | ||
| namespace: system |
There was a problem hiding this comment.
make deploy/kustomize updates the namespace value to gatekeeper-system. Is there a reason this was updated to system?
There was a problem hiding this comment.
Good catch.
For me, make deploy is leaving the namespace as system. I think this may have been a change in Kustomize behavior. I've amended the config so it writes gatekeeper-system.
Can you verify that when you run make manifests with the latest version of this change gatekeeper.yaml is unchanged for you?
There was a problem hiding this comment.
Running make manifests updates rbac_role_binding.yaml to namespace: system and deploy/gatekeeper.yaml to namespace: gatekeeper-system
There was a problem hiding this comment.
so the namespace correctly points to gatekeeper-system for you in gatekeeper.yaml?
There was a problem hiding this comment.
This is what I get for running kustomize from HEAD.
Should be fixed now.
Signed-off-by: Max Smythe <smythe@google.com>
Signed-off-by: Max Smythe <smythe@google.com>
|
Woohoo! Pushing. |
This also adds in auto-generation of the deploy/gatekeeper.yaml file.
Signed-off-by: Max Smythe smythe@google.com