chore: adding generateVAP field, removing annotations for vap (#3398)
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
JaydipGabani authored Jul 23, 2024
1 parent 2244cee commit 3fd0bb4
Showing 35 changed files with 599 additions and 379 deletions.
7 changes: 5 additions & 2 deletions .github/workflows/workflow.yaml
Expand Up @@ -67,7 +67,9 @@ jobs:
make deploy \
IMG=gatekeeper-e2e:latest \
USE_LOCAL_IMG=true
USE_LOCAL_IMG=true \
GENERATE_VAP=true \
GENERATE_VAPBINDING=true
make test-e2e KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }} ENABLE_VAP_TESTS=1
Expand Down Expand Up @@ -110,7 +112,6 @@ jobs:
make e2e-bootstrap
- name: Run e2e
# TODO(ritazh): add helm chart values for vap feature before alpha release
run: |
make docker-buildx \
IMG=gatekeeper-e2e:latest \
Expand All @@ -133,6 +134,8 @@ jobs:
HELM_RELEASE=latest \
HELM_VERSION=${{ matrix.HELM_VERSION }} \
GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} \
GENERATE_VAP=true \
GENERATE_VAPBINDING=true \
LOG_LEVEL=DEBUG
make test-e2e \
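Review bot: Both e2e jobs now run only with `GENERATE_VAP=true` and `GENERATE_VAPBINDING=true` (lines 22–23 and 36–37), so the shipped default of false/false in values.yaml and the Makefile is no longer exercised end to end, and the removed TODO at line 28 was the only reminder that the chart wiring was still pending. Consider putting the two flags into the job matrix, e.g. `GENERATE_VAP: [true, false]` alongside `KUBERNETES_VERSION`, or adding a second invocation with the defaults, so a regression in the opt-out path (a template that sets `generateVAP: false`, per the README change in this commit) is caught before release rather than only the opt-in path. The `jobs:` block and both `run:` steps begin above the hunks.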
16 changes: 11 additions & 5 deletions Makefile
Expand Up @@ -13,6 +13,8 @@ ENABLE_PUBSUB ?= false
AUDIT_CONNECTION ?= "audit"
AUDIT_CHANNEL ?= "audit"
LOG_LEVEL ?= "INFO"
GENERATE_VAP ?= false
GENERATE_VAPBINDING ?= false

VERSION := v3.17.0-beta.0

Expand Down Expand Up @@ -71,7 +73,8 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --disable-opa-builtin=http.send\
\n - --log-mutations\
\n - --mutation-annotations\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --experimental-enable-k8s-native-validation\
\n---\
\napiVersion: apps/v1\
Expand All @@ -93,7 +96,8 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --operation=mutation-status\
\n - --audit-chunk-size=500\
\n - --logtostderr\
\n - --vap-enforcement=GATEKEEPER_DEFAULT\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --experimental-enable-k8s-native-validation\
\n"

Expand Down Expand Up @@ -238,8 +242,9 @@ else
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set vapEnforcement=GATEKEEPER_DEFAULT \
--set mutationAnnotations=true
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;
endif

e2e-helm-upgrade-init: e2e-helm-install
Expand Down Expand Up @@ -279,7 +284,8 @@ e2e-helm-upgrade:
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set vapEnforcement=GATEKEEPER_DEFAULT \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;\

e2e-subscriber-build-load-image:
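Review bot: `GENERATE_VAP` and `GENERATE_VAPBINDING` (lines 47–48) are spliced unvalidated into `MANAGER_IMAGE_PATCH` (lines 57–58, 67–68) and into the Helm `--set` arguments (lines 78–79, 89–90), so a value such as `GENERATE_VAP=yes` is only rejected when the manager pod fails to parse its boolean flag, well after `make deploy` has reported success. A make-time guard next to the defaults fails fast and keeps the e2e targets from deploying a crash-looping controller; the `e2e-helm-install` and `e2e-helm-upgrade` recipes that consume these variables begin above their hunks.
```makefile
GENERATE_VAP ?= false
GENERATE_VAPBINDING ?= false
ifeq ($(filter true false,$(GENERATE_VAP)),)
$(error GENERATE_VAP must be 'true' or 'false', got '$(GENERATE_VAP)')
endif
ifeq ($(filter true false,$(GENERATE_VAPBINDING)),)
$(error GENERATE_VAPBINDING must be 'true' or 'false', got '$(GENERATE_VAPBINDING)')
endif
```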
6 changes: 4 additions & 2 deletions cmd/build/helmify/kustomize-for-helm.yaml
Expand Up @@ -94,7 +94,8 @@ spec:
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --vap-enforcement={{ .Values.vapEnforcement }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
- HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
- HELMSUBST_METRICS_BACKEND_ARG
- HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG
Expand Down Expand Up @@ -185,7 +186,8 @@ spec:
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --vap-enforcement={{ .Values.vapEnforcement }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""
ports:
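Review bot: The new `{{ .Values.defaultCreateVAPForTemplates }}` and `{{ .Values.defaultCreateVAPBindingForConstraints }}` substitutions (lines 102–103 and 112–113) render to an empty string when the key is missing from the effective values — which, if I read Helm's `--reuse-values` semantics right, is what happens on an upgrade from a release that only knew `vapEnforcement` — and Go's flag parser rejects `--default-create-vap-for-templates=` as an invalid boolean, so both the webhook and the audit deployment would fail to start after such an upgrade. Rendering an explicit fallback, `- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates | default false }}` and likewise for the binding flag, keeps the old-values upgrade path bootable on the safe default. The neighbouring flags use the bare `{{ .Values.x }}` pattern, so if the project prefers consistency over the fallback, the removal of `vapEnforcement` should at least be called out as a breaking values change in the upgrade notes; both container `args:` lists begin above the hunks.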
5 changes: 3 additions & 2 deletions cmd/build/helmify/static/README.md
Expand Up @@ -165,8 +165,9 @@ information._
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to create CEL-based rules (alpha feature) | `false` |
| vapEnforcement | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly. (alpha feature) | `GATEKEEPER_DEFAULT` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` |
| defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` |
| defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
3 changes: 2 additions & 1 deletion cmd/build/helmify/static/values.yaml
Expand Up @@ -45,7 +45,8 @@ auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: false
vapEnforcement: GATEKEEPER_DEFAULT
defaultCreateVAPForTemplates: false
defaultCreateVAPBindingForConstraints: false
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -15,7 +15,7 @@ require (
github.com/google/uuid v1.6.0
github.com/onsi/gomega v1.33.1
github.com/open-policy-agent/cert-controller v0.10.1
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240524210416-5368a3b697f2
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240703202613-6687ba5fafc8
github.com/pkg/errors v0.9.1
github.com/prometheus/client_golang v1.19.1
github.com/spf13/cobra v1.8.1
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -287,8 +287,8 @@ github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
github.com/open-policy-agent/cert-controller v0.10.1 h1:RXSYoyn8FdCenWecRP//UV5nbVfmstNpj4kHQFkvPK4=
github.com/open-policy-agent/cert-controller v0.10.1/go.mod h1:4uRbBLY5DsPOog+a9pqk3JLxuuhrWsbUedQW65HcLTI=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240524210416-5368a3b697f2 h1:zalTQAmgeS+PYcEFeDG0/iWaZyNseXdeBYxpOSR0+zE=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240524210416-5368a3b697f2/go.mod h1:oXEqMRD8wI59XYd1xpkg47RTdLACMPMX7XbKXXhIJZg=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240703202613-6687ba5fafc8 h1:GqwFyBjq31c+QBsneTceF4yM7P3FKj4GSkIXdeXdbKU=
github.com/open-policy-agent/frameworks/constraint v0.0.0-20240703202613-6687ba5fafc8/go.mod h1:5QVgZkIf934jEqGwfBUNn0GQ9sBmOfUTF2yrKdKiZuY=
github.com/open-policy-agent/opa v0.64.1 h1:n8IJTYlFWzqiOYx+JiawbErVxiqAyXohovcZxYbskxQ=
github.com/open-policy-agent/opa v0.64.1/go.mod h1:j4VeLorVpKipnkQ2TDjWshEuV3cvP/rHzQhYaraUXZY=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
15 changes: 1 addition & 14 deletions main.go
Expand Up @@ -46,7 +46,6 @@ import (
"github.com/open-policy-agent/gatekeeper/v3/pkg/cachemanager"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constraint"
"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
"github.com/open-policy-agent/gatekeeper/v3/pkg/externaldata"
"github.com/open-policy-agent/gatekeeper/v3/pkg/metrics"
Expand Down Expand Up @@ -117,7 +116,6 @@ var (
disabledBuiltins = util.NewFlagSet()
enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver")
externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
deferAdmissionToVAP = flag.Bool("defer-admission-to-vap", false, "When set to false, Gatekeeper webhook can act as a fallback in case K8s' Validating Admission Policy fails. When set to true, Gatekeeper validating webhook will not evaluate a policy for an admission request it expects vap to enforce. May improve resource usage at the cost of race conditions detecting whether VAP enforcement is in effect. This does not impact audit results. Defaults to false.")
)

func init() {
Expand All @@ -134,7 +132,6 @@ func init() {

// +kubebuilder:scaffold:scheme
flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
flag.Var(&constraint.VapEnforcement, "vap-enforcement", "control VAP resource generation. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.")
}

func main() {
Expand Down Expand Up @@ -414,17 +411,7 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle
cfArgs := []constraintclient.Opt{constraintclient.Targets(&target.K8sValidationTarget{})}

if *enableK8sCel {
// initialize K8sValidation
var k8scelArgs []k8scel.Arg
if *deferAdmissionToVAP && constraint.VapEnforcement != constraint.VapFlagNone {
switch constraint.VapEnforcement {
case constraint.VapFlagGatekeeperDefault:
k8scelArgs = append(k8scelArgs, k8scel.VAPGenerationDefault(k8scel.VAPDefaultNo))
case constraint.VapFlagVapDefault:
k8scelArgs = append(k8scelArgs, k8scel.VAPGenerationDefault(k8scel.VAPDefaultYes))
}
}
k8sDriver, err := k8scel.New(k8scelArgs...)
k8sDriver, err := k8scel.New()
if err != nil {
setupLog.Error(err, "unable to set up K8s native driver")
return err
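Review bot: Removing the `defer-admission-to-vap` and `vap-enforcement` flag definitions outright (lines 186 and 194) makes any manifest that still passes them fatal at startup, because the standard `flag` package this file uses exits on an unknown flag, so an upgrade that rolls the image before the args (a kustomize overlay, a hand-written Deployment, a `--reuse-values` Helm upgrade) ends in a crash loop instead of a graceful no-op. Keep both registered as deprecated no-ops in `init()` for at least one release, e.g. `_ = flag.String("vap-enforcement", "", "Deprecated: no-op; use --default-create-vap-for-templates and the generateVAP template field instead")` and `_ = flag.Bool("defer-admission-to-vap", false, "Deprecated: no-op; the webhook always evaluates CEL templates itself")`, and drop them once the chart and docs have caught up. Note that dropping `deferAdmissionToVAP` settles on the behaviour the removed help text described as the `false` case — the webhook evaluates every request rather than trusting VAP to have enforced — which is the fail-safe default but deserves a line in the release notes. `setupControllers` begins and ends outside the hunk.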