
Convert to using beta resources. #190

Merged
merged 10 commits into from
Jul 25, 2019
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -16,7 +16,7 @@ bin
*.out

# Manager image patch file
config/manager_image_patch.yaml
config/overlays/dev/manager_image_patch.yaml

# Kubernetes Generated files - skip generated files, except for vendored files

9 changes: 7 additions & 2 deletions Gopkg.lock


14 changes: 8 additions & 6 deletions Makefile
Expand Up @@ -62,14 +62,16 @@ install: manifests

# Deploy controller in the configured Kubernetes cluster in ~/.kube/config
deploy: manifests
touch -a ./config/manager_image_patch.yaml
touch -a ./overlays/dev/manager_image_patch.yaml
kubectl apply -f config/crds
kubectl apply -f vendor/github.com/open-policy-agent/frameworks/constraint/config/crds
kustomize build config | kubectl apply -f -
kubectl apply -f vendor/github.com/open-policy-agent/frameworks/constraint/deploy
kustomize build overlays/dev | kubectl apply -f -

# Generate manifests e.g. CRD, RBAC etc.
manifests:
go run vendor/sigs.k8s.io/controller-tools/cmd/controller-gen/main.go all
kustomize build config -o deploy/gatekeeper.yaml
bash -c 'for x in vendor/github.com/open-policy-agent/frameworks/constraint/deploy/*.yaml ; do echo --- >> deploy/gatekeeper.yaml ; cat $${x} >> deploy/gatekeeper.yaml ; done'

# Run go fmt against code
fmt:
Expand All @@ -94,7 +96,7 @@ docker-tag-dev:
# Tag for Dev
docker-tag-release:
@docker tag $(IMG) $(REPOSITORY):$(VERSION)
@docker tag $(IMG) $(REPOSITORY):latest
@docker tag $(IMG) $(REPOSITORY):latest

# Push for Dev
docker-push-dev: docker-tag-dev
Expand All @@ -110,9 +112,9 @@ docker-build:
docker build . -t ${IMG}
@echo "updating kustomize image patch file for manager resource"

@test -s ./config/manager_image_patch.yaml || bash -c 'echo -e ${MANAGER_IMAGE_PATCH} > ./config/manager_image_patch.yaml'
@test -s ./overlays/dev/manager_image_patch.yaml || bash -c 'echo -e ${MANAGER_IMAGE_PATCH} > ./overlays/dev/manager_image_patch.yaml'

@sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml
@sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./overlays/dev/manager_image_patch.yaml

docker-build-ci:
docker build . -t $(IMG) -f Dockerfile_ci
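Review bot: The new recipe lines in `deploy` and `docker-build` address the image patch as `./overlays/dev/manager_image_patch.yaml`, while this PR's `.gitignore` hunk pairs `config/manager_image_patch.yaml` with `config/overlays/dev/manager_image_patch.yaml`; only one of the two paths can be the real overlay location (which directory exists is not visible here), so either the generated patch is no longer ignored and risks being committed, or `touch -a`/`test -s`/`sed -i` operate on a stray file at the repository root. Defining the path once, e.g. `IMAGE_PATCH := ./overlays/dev/manager_image_patch.yaml`, and referring to `$(IMAGE_PATCH)` from both targets keeps them from drifting again. The substitution `sed -i'' -e 's@image: .*@image: '"${IMG}"'@'` uses `@` as the delimiter, so an `IMG` given as a digest reference (`registry/name@sha256:…`, the form worth moving to for a pinned deployment) would break the expression; `s|image: .*|image: '"${IMG}"'|` avoids the clash. `deploy` and `docker-build` are cut by the hunk boundaries, and `docker-build-ci`'s recipe continues past the hunk.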
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -144,7 +144,7 @@ spec:

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide labels: %v", [missing])
7 changes: 7 additions & 0 deletions cmd/manager/main.go
Expand Up @@ -21,6 +21,7 @@ import (
"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local"
"github.com/open-policy-agent/gatekeeper/pkg/apis"
"github.com/open-policy-agent/gatekeeper/pkg/audit"
"github.com/open-policy-agent/gatekeeper/pkg/upgrade"
"github.com/open-policy-agent/gatekeeper/pkg/controller"
"github.com/open-policy-agent/gatekeeper/pkg/target"
"github.com/open-policy-agent/gatekeeper/pkg/webhook"
Expand Down Expand Up @@ -95,6 +96,12 @@ func main() {
os.Exit(1)
}

log.Info("setting up upgrade")
if err := upgrade.AddToManager(mgr); err != nil {
log.Error(err, "unable to register upgrade to the manager")
os.Exit(1)
}

// Start the Cmd
log.Info("Starting the Cmd.")
if err := mgr.Start(signals.SetupSignalHandler()); err != nil {
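Review bot: The added import `"github.com/open-policy-agent/gatekeeper/pkg/upgrade"` sits between `pkg/audit` and `pkg/controller`, which breaks the sorted order gofmt keeps within a contiguous import group; placing it after `"github.com/open-policy-agent/gatekeeper/pkg/target"` keeps a `gofmt -l` check clean. The registration block itself mirrors the neighbouring ones and exits on error, which is appropriate. A one-line comment above `upgrade.AddToManager(mgr)` stating what the package does at startup would help a reader, since the name alone does not say whether it rewrites stored resources or only observes version skew, and the hunk does not show it. `main()` starts and ends outside the hunk.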
4 changes: 1 addition & 3 deletions config/kustomization.yaml
Expand Up @@ -21,9 +21,7 @@ resources:
- rbac/rbac_role.yaml
- rbac/rbac_role_binding.yaml
- manager/manager.yaml

patches:
- manager_image_patch.yaml
- crds/config_v1alpha1_config.yaml

vars:
- name: WEBHOOK_SECRET_NAME
9 changes: 6 additions & 3 deletions config/manager/manager.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: v1
kind: Namespace
metadata:
labels:
control-plane: controller-manager
controller-tools.k8s.io: "1.0"
name: system
---
Expand Down Expand Up @@ -43,17 +44,19 @@ spec:
containers:
- command:
- /root/manager
# args:
args:
- "--auditInterval=30"
# - "--alsologtostderr"
# - "--stderrthreshold=INFO"
# - "-v=100"
image: controller:latest
image: quay.io/open-policy-agent/gatekeeper:v3.0.4-alpha.0
imagePullPolicy: Always
name: manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
Expand All @@ -69,7 +72,7 @@ spec:
cpu: 100m
memory: 256Mi
ports:
- containerPort: 9876
- containerPort: 443
name: webhook-server
protocol: TCP
volumeMounts:
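Review bot: `containerPort: 443` moves the webhook listener onto a privileged port; unless the container runs as root (the `/root/manager` command path hints that it does) or is granted `CAP_NET_BIND_SERVICE`, the bind fails, and a later `runAsNonRoot` hardening would break the webhook silently. The container's securityContext is outside this hunk, so that is inferred; keeping the listener on an unprivileged port and mapping it through the Service's `targetPort` decouples the two concerns. The pinned `quay.io/open-policy-agent/gatekeeper:v3.0.4-alpha.0` together with `imagePullPolicy: Always` re-resolves a mutable tag on every pod start, and the literal must now be kept in sync with the `$(REPOSITORY):$(VERSION)` tag produced by the Makefile's `docker-tag-release`. A comment above the `image:` line such as `# release image; keep in sync with VERSION in the Makefile, dev builds override it via the overlays/dev image patch` would record where it is meant to be bumped. The Deployment spec continues above and below the hunk.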
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
2 changes: 1 addition & 1 deletion demo/agilebank/constraints/owner_must_be_provided.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedRepos
metadata:
name: prod-repo-is-openpolicyagent
2 changes: 1 addition & 1 deletion demo/agilebank/constraints/unique_service_selector.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueServiceSelector
metadata:
name: unique-service-selector
2 changes: 1 addition & 1 deletion demo/agilebank/remediation/ban_latest_tag.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBannedImageTags
metadata:
name: ban-latest-tag
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sbannedimagetags
6 changes: 3 additions & 3 deletions demo/agilebank/templates/k8sallowedrepos_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
Expand All @@ -25,7 +25,7 @@ spec:

violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.constraint.spec.parameters.repos[_] ; good = startswith(container.image, repo)]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.constraint.spec.parameters.repos])
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
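Review bot: The rewritten `satisfied` line keeps `startswith(container.image, repo)`, so an allowed entry given without a trailing `/` also admits any other repository whose name merely begins with the same string; this is a prefix check, not a repository check, and the change to `input.parameters.repos` was a natural moment to tighten it. Since the `repos` schema is above the hunk, the least intrusive fix is a comment next to this line, `# repos entries are plain prefixes; include the trailing "/" to bind the match to one repository`, or alternatively normalising each `repo` to end in `/` before the comparison. The `violation` rule closes at the brace shown.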
6 changes: 3 additions & 3 deletions demo/agilebank/templates/k8scontainterlimits_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8scontainerlimits
Expand Down Expand Up @@ -166,7 +166,7 @@ spec:
container := input.review.object.spec.containers[_]
cpu_orig := container.resources.limits.cpu
cpu := canonify_cpu(cpu_orig)
max_cpu_orig := input.constraint.spec.parameters.cpu
max_cpu_orig := input.parameters.cpu
max_cpu := canonify_cpu(max_cpu_orig)
cpu > max_cpu
msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])
Expand All @@ -176,7 +176,7 @@ spec:
container := input.review.object.spec.containers[_]
mem_orig := container.resources.limits.memory
mem := canonify_mem(mem_orig)
max_mem_orig := input.constraint.spec.parameters.memory
max_mem_orig := input.parameters.memory
max_mem := canonify_mem(max_mem_orig)
mem > max_mem
msg := sprintf("container <%v> memory limit <%v> is higher than the maximum allowed of <%v>", [container.name, mem_orig, max_mem_orig])
18 changes: 9 additions & 9 deletions demo/agilebank/templates/k8srequiredlabels_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
Expand Down Expand Up @@ -30,31 +30,31 @@ spec:
rego: |
package k8srequiredlabels

get_message(constraint, _default) = msg {
not constraint.spec.parameters.message
get_message(parameters, _default) = msg {
not parameters.message
msg := _default
}

get_message(constraint, _default) = msg {
msg := constraint.spec.parameters.message
get_message(parameters, _default) = msg {
msg := parameters.message
}

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_].key}
required := {label | label := input.parameters.labels[_].key}
missing := required - provided
count(missing) > 0
def_msg := sprintf("you must provide labels: %v", [missing])
msg := get_message(input.constraint, def_msg)
msg := get_message(input.parameters, def_msg)
}

violation[{"msg": msg}] {
value := input.review.object.metadata.labels[key]
expected := input.constraint.spec.parameters.labels[_]
expected := input.parameters.labels[_]
expected.key == key
# do not match if allowedRegex is not defined, or is an empty string
expected.allowedRegex != ""
not re_match(expected.allowedRegex, value)
def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
msg := get_message(input.constraint, def_msg)
msg := get_message(input.parameters, def_msg)
}
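Review bot: In the second `violation` rule, `not re_match(expected.allowedRegex, value)` on the new `expected := input.parameters.labels[_]` binding is an unanchored match, so an `allowedRegex` such as `prod` accepts any label value that merely contains that substring; authors have to write `^prod$` to require the whole value to match. A comment beside the existing `# do not match if allowedRegex is not defined, or is an empty string` line, `# allowedRegex is matched unanchored; use ^...$ to require the whole value to match`, makes that explicit. The `get_message(parameters, _default)` pair is sound, since the two bodies are disjoint on `parameters.message`. Both `violation` rules close within the hunk; the parameter schema is above it.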
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8suniqueserviceselector
2 changes: 1 addition & 1 deletion demo/basic/bad/bad_constraint_labelselector.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueLabel
metadata:
name: ns-gk-label-unique
2 changes: 1 addition & 1 deletion demo/basic/bad/bad_schema.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabel
metadata:
name: bad-schema
2 changes: 1 addition & 1 deletion demo/basic/bad/bad_schema2.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabel
metadata:
name: bad-schema
2 changes: 1 addition & 1 deletion demo/basic/bad/bad_schema3.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabel
metadata:
name: bad-schema
2 changes: 1 addition & 1 deletion demo/basic/bad/bad_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8suniquelabels
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sUniqueLabel
metadata:
name: ns-gk-label-unique
2 changes: 1 addition & 1 deletion demo/basic/constraints/all_ns_must_have_gatekeeper.yaml
@@ -1,4 +1,4 @@
apiVersion: constraints.gatekeeper.sh/v1alpha1
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: ns-must-have-gk
4 changes: 2 additions & 2 deletions demo/basic/demo.sh
Expand Up @@ -22,9 +22,9 @@ pe "cat good/good_ns.yaml"

pe "kubectl apply -f good/good_ns.yaml"

pe "cat templates/k8suniquelabels_template.yaml"
pe "cat templates/k8suniquelabel_template.yaml"

pe "kubectl apply -f templates/k8suniquelabels_template.yaml"
pe "kubectl apply -f templates/k8suniquelabel_template.yaml"

pe "kubectl apply -f constraints/all_ns_gatekeeper_label_unique.yaml"

4 changes: 2 additions & 2 deletions demo/basic/templates/k8srequiredlabels_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
Expand All @@ -24,7 +24,7 @@ spec:

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
msg := sprintf("you must provide labels: %v", [missing])
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
Expand All @@ -24,7 +24,7 @@ spec:

violation[{"msg": msg, "details": {"missing_labels": missing}}] {
provided := {label | input.review.object.metadata.labels[label]}
required := {label | label := input.constraint.spec.parameters.labels[_]}
required := {label | label := input.parameters.labels[_]}
missing := required - provided
count(missing) > 0
ns := [n | data.inventory.cluster.v1.Namespace[n]]
4 changes: 2 additions & 2 deletions demo/basic/templates/k8suniquelabel_template.yaml
@@ -1,4 +1,4 @@
apiVersion: templates.gatekeeper.sh/v1alpha1
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8suniquelabel
Expand Down Expand Up @@ -47,7 +47,7 @@ spec:
}

violation[{"msg": msg, "details": {"value": val, "label": label}}] {
label := input.constraint.spec.parameters.label
label := input.parameters.label
val := input.review.object.metadata.labels[label]
cluster_objs := [o | o = data.inventory.cluster[_][_][_]; not identical_cluster(o, input.review)]
ns_objs := [o | o = data.inventory.namespace[_][_][_][_]; not identical_namespace(o, input.review)]