Skip to content

Release v1.6.0
Compare
Choose a tag to compare
@SIGHUP-C-3PO SIGHUP-C-3PO released this 17 Jan 19:45
v1.6.0
f42bcd6

❌ This release contains issues, please use the version v1.6.2 instead ❌

OPA Core Module Release 1.6.0

Welcome to the latest release of OPA module of Kubernetes Fury Distribution maintained by team
SIGHUP.

This latest release is an attempt on upgrading the components in the module to
its latest stable release along with adding the tech preview of the latest
kubernetes release v1.23.0.

Component Images 🚢

Component Supported Version Previous Version
gatekeeper v3.7.0 v3.6.0
gatekeeper-policy-manager v0.5.1 v0.5.0

Please refer the individual release notes to get a detailed info on the
releases. Eventhough gatekeeper v3.7.0 has no breaking changes, it is worth having a look.

Known Issues ⚠️

  • This release involves recreation of certain resources like daemonset, deployments, etc. We recommend deleting it with --cascade=orphan, to avoid changes being made to the pods.
  • We drop support of Kubernetes versions <= v1.19.x

Breaking Changes 💔

  • #40 Added Kubernetes labels to all the components of the module: Since labels are immutable fields in deployments, daemonsets, etc., this change requires a recreation of those resources.

Features 💥

  • #35 Protecting namespaces from accidental deletion (optional)

    • We added a Constraint Template and a Constraint to protect namespaces for being deleted. If you want to avoid accidental deletion of a namespace, you shuold add the following annotation to your namespace

      annotations:
opa.sighup.io/indelible-ns: "yes"

      And to set the namespace as deletable use the annotation:

      annotations:
opa.sighup.io/indelible-ns: "no"

      If you don't put any annotation, the default is to protect the namespace.

      This feature is provded as optional, to enable it there are two steps to follow:

      1. Deploy the Constraint by removing the comment in the following line of the kustomization.yaml
      2. Gatekeeper needs to watch also for DELETE events as well. Please notice that if this is enabled and you have custom constraints you have to consider in them that they will be evaluated also for DELETE events, for example you can use the follow rego code to discard the DELETE operations:
      operation := input.review.operation
any([ operation == "CREATE", operation == "UPDATE" ])
operation != "DELETE"

      To enable the watching of DELETE events (needed by the namespace protection rule) you have to remove the comment in the lines 37 and 62 in file vwh.yml

  • #40 Added e2e-test support for k8s runtime 1.23
  • #40 Added Makefile, JSON builder and .bumpversion config to the module
  • #41 Upgrade gatekeeper image to v3.7.0
  • #42 Add k8s 1.23 e2e-testing support for OPA module
  • #43 update Gatekeeper Policy Manager to v0.5.1

Update Guide 🦮

Warnings

  • Since the release ships changes to some immutable fields, if deployments and daemonsets, are not deleted first before applying the module, it will error out.
  • The protected namespace Constraint Template implies the DELETE events filtering by Gatekeeper, this will increase the number of request that Gatekeeper will need to process. Please check that Gatekeeper's resources are set accordingly if you decide to use this new feature.

Process

To upgrade this core module from v1.11.x to v1.12.0, you need to download this new version, then apply the kustomize project.

kubectl -n gatekeeper-system delete deployment.apps/gatekeeper-audit deployment.apps/gatekeeper-controller-manager deployment.apps/gatekeeper-policy-manager --cascade=orphan # This delete deployments, ds, etc. so the newly added labels can be applied
kustomize build katalog/gatekeeper | kubectl apply -f- --force
Assets 6