Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Policies #367

Merged
merged 1 commit into from
Dec 23, 2020
Merged

Policies #367

merged 1 commit into from
Dec 23, 2020

Conversation

ChiaraOggeri
Copy link
Contributor

Description

Created a policies folder that contains a OPA policy to verify the correct creation (or update) of a new instance.
In particular it checks if the instance referres to an existing template in the correct namespace.
Fixes # (issue)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also note any relevant details for your test configuration.

  • Test A
  • Test B

@kingmakerbot
Copy link
Collaborator

Hi @ChiaraOggeri. Thanks for your PR.

I am @kingmakerbot.
You can interact with me issuing a slash command in the first line of a comment.
Currently, I understand the following commands:

  • /rebase: Rebase this PR onto the master branch
  • /merge: Merge this PR into the master branch
  • /deploy-staging: Deploy a staging environment to test this PR
  • /undeploy-staging: Manually undeploy the staging environment

Make sure this PR appears in the CrownLabs changelog, adding one of the following labels:

  • kind/breaking: 💥 Breaking Change
  • kind/feature: 🚀 New Feature
  • kind/bug: 🐛 Bug Fix
  • kind/cleanup: 🧹 Code Refactoring
  • kind/docs: 📝 Documentation

@pull-request-size pull-request-size bot added size/M and removed size/L labels Dec 7, 2020
@pull-request-size pull-request-size bot added size/L and removed size/M labels Dec 14, 2020
@giorio94 giorio94 added the kind/feature New feature or request label Dec 15, 2020
giorio94
giorio94 reviewed Dec 15, 2020
View reviewed changes
Copy link
Member

@giorio94 giorio94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First of all, thanks @ChiaraOggeri and @sofymunari for this. Looks very interesting to me.

A couple of generic comments (don't know if this PR is already ready for review or not):

  • Please, use opa fmt to format the rego files.
  • The rego policy is replicated both in its own file (for testing) and in the gatekeeper constraint. This will soon lead to inconsistencies, since one file is updated and the other not. I would suggest trying to use konstraint to generate the gatekeeper constraints from the base rego policies.

policies/verify-instances-templates-reference/test/rego-rule.rego Outdated Show resolved Hide resolved
policies/verify-instances-templates-reference/constraintTemplate.yaml Outdated
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: crownlabsconstraint
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
name: crownlabsconstraint
name: crownlabs-instance-template-reference

I would suggest the same for the CRD name (in the correct case)

@ChiaraOggeri ChiaraOggeri force-pushed the policies branch 5 times, most recently from 0a22870 to 7e2d3aa Compare December 20, 2020 08:27
giorio94
giorio94 reviewed Dec 22, 2020
View reviewed changes
Copy link
Member

@giorio94 giorio94 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks in a pretty good shape. A couple of minor additional comments inline.

I just have some concerns about the new policy, but I still have to understand which would be the best solution from the design point of view. We can discuss about that on slack

.github/workflows/test.yml Outdated
@@ -1,6 +1,6 @@
name: Code testing
on:
pull_request_target:
pull_request:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to avoid forgetting, this has to be reverted before merging

policies/verify-instances-templates-reference/README.md Show resolved Hide resolved
policies/verify-instances-templates-reference/policies/rego_rule.rego Outdated

# @title crownlabs verify instance template reference

package crownlabsinstancetemplatereference
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
package crownlabsinstancetemplatereference
package crownlabs_instance_template_reference

I feel it clearer, in case this modification is possible

policies/verify-tenant-patch/policies/rego_rule.rego Outdated

# @title crownlabs verify tenant patch

package crownlabstenantconstraint
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
package crownlabstenantconstraint
package crownlabs_tenant_constraint

As before

policies/verify-instances-templates-reference/policies/rego_rule.rego Outdated
msg := sprintf("Namespace %v doesn't contain any template", [ns])
}

violation[{"msg": msg, "details": {"missing_tempalte": [missing]}}] {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
violation[{"msg": msg, "details": {"missing_tempalte": [missing]}}] {
violation[{"msg": msg, "details": {"missing_template": [missing]}}] {

policies/verify-tenant-patch/policies/rego_rule_test.rego Outdated
Comment on lines 72 to 87
"managedFields": [
{
"operation": "Update",
"time": "2020-12-20T11:14:59Z",
"apiVersion": "crownlabs.polito.it/v1alpha1",
"fieldsType": "FieldsV1",
"fieldsV1": {"f:spec": {".": {}, "f:ID": {}, "f:createSandbox": {}, "f:name": {}, "f:publicKeys": {}, "f:surname": {}, "f:workspaces": {}}}, "manager": "kubectl-create",
},
{
"fieldsType": "FieldsV1", "fieldsV1": {"f:spec": {"f:email": {}}},
"manager": "kubectl-patch",
"operation": "Update",
"time": "2020-12-20T11:30:12Z",
"apiVersion": "crownlabs.polito.it/v1alpha1",
},
],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can drop the managedFields, to shorten this file. The same for all occurrences

policies/verify-instances-templates-reference/README.md Outdated
## TESTS
Tests are available in folder [policies](./policies).

## HOW TO RUN
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## HOW TO RUN
## HOW TO DEPLOY

@ChiaraOggeri ChiaraOggeri force-pushed the policies branch 3 times, most recently from fc29a21 to a0d2eb4 Compare December 23, 2020 17:54
@ChiaraOggeri @sofymunari
Create OPA policies and tests run on pipeline
f0c2875 
Co-authored-by: Sofia Munari <sofymunari@gmail.com>
@ChiaraOggeri ChiaraOggeri marked this pull request as ready for review December 23, 2020 18:18
@giorio94
Copy link
Member

/merge

@kingmakerbot kingmakerbot merged commit b389156 into netgroup-polito:master Dec 23, 2020
@kingmakerbot
Copy link
Collaborator

Your staging environment has been correctly teared-down!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giorio94 giorio94 giorio94 approved these changes

@palexster palexster palexster approved these changes

Assignees
No one assigned
Labels
kind/feature New feature or request sig/devops sig/operations size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ChiaraOggeri @kingmakerbot @giorio94 @palexster