Merge branch 'master' into e2e-matrix

open-policy-agent · Apr 29, 2021 · bbd91d6 · bbd91d6
2 parents b8f5c7b + fc67ca8
commit bbd91d6
Show file tree

Hide file tree

Showing 34 changed files with 191 additions and 314 deletions.
diff --git a/Makefile b/Makefile
@@ -45,6 +45,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n        - --emit-admission-events\
 \n        - --exempt-namespace=${GATEKEEPER_NAMESPACE}\
 \n        - --operation=webhook\
+\n        - --disable-opa-builtin=http.send\
 \n---\
 \napiVersion: apps/v1\
 \nkind: Deployment\
@@ -128,7 +129,8 @@ e2e-helm-deploy: e2e-helm-install
 	--set image.release=${HELM_RELEASE} \
 	--set emitAdmissionEvents=true \
 	--set emitAuditEvents=true \
-	--set postInstall.labelNamespace.enabled=true;\
+	--set postInstall.labelNamespace.enabled=true \
+	--set disabledBuiltins={http.send};\
 
 e2e-helm-upgrade-init: e2e-helm-install
 		./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\
@@ -143,7 +145,8 @@ e2e-helm-upgrade:
 		--set image.repository=${HELM_REPO} \
 		--set image.release=${HELM_RELEASE} \
 		--set emitAdmissionEvents=true \
-		--set emitAuditEvents=true;\
+		--set emitAuditEvents=true \
+		--set disabledBuiltins={http.send};\
 
 # Build manager binary
 manager: generate

diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -69,6 +69,7 @@ spec:
             - --exempt-namespace={{ .Release.Namespace }}
             - --operation=webhook
             - --enable-mutation={{ .Values.experimentalEnableMutation}}
+            - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN
           imagePullPolicy: "{{ .Values.image.pullPolicy }}"
           image: "{{ .Values.image.repository }}:{{ .Values.image.release }}"
           resources:
@@ -82,6 +83,7 @@ spec:
       imagePullSecrets:
         HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK
+      priorityClassName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -120,6 +122,7 @@ spec:
       imagePullSecrets:
         HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: ""
       hostNetwork: HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK
+      priorityClassName: HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME
 ---
 apiVersion: v1
 kind: Secret

diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go
@@ -17,6 +17,8 @@ var replacements = map[string]string{
 
 	`HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: ""`: `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`,
 
+	"HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME": `{{ .Values.audit.priorityClassName }}`,
+
 	`HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_NODE_SELECTOR: ""`: `{{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}`,
 
 	`HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.controllerManager.affinity | nindent 8 }}`,
@@ -25,6 +27,8 @@ var replacements = map[string]string{
 
 	`HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""`: `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`,
 
+	"HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME": `{{ .Values.controllerManager.priorityClassName }}`,
+
 	"HELMSUBST_DEPLOYMENT_REPLICAS": `{{ .Values.replicas }}`,
 
 	`HELMSUBST_ANNOTATIONS: ""`: `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}`,
@@ -48,4 +52,8 @@ var replacements = map[string]string{
   loadBalancerIP: {{ .Values.service.loadBalancerIP }}
     {{- end }}
   {{- end }}`,
+	"- HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN": `
+        {{- range .Values.disabledBuiltins}}
+        - --disable-opa-builtin={{ . }}
+        {{- end }}`,
 }
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
@@ -106,7 +106,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 
 This Helm chart is autogenerated from the Gatekeeper static manifest. The
 generator code lives under `cmd/build/helmify`. To make modifications to this
-template, please edit `kustomization.yaml` and `replacements.go` under that
-directory and then run `make manifests`. Your changes will show up in the
-`manifest_staging` directory and will be promoted to the root `charts` directory
-the next time a Gatekeeper release is cut.
+template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and
+`replacements.go` under that directory and then run `make manifests`. Your
+changes will show up in the `manifest_staging` directory and will be promoted
+to the root `charts` directory the next time a Gatekeeper release is cut.
diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml
@@ -26,6 +26,8 @@ spec:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
       serviceAccount: gatekeeper-update-namespace-label
+      nodeSelector:
+        kubernetes.io/os: linux
       containers:
         - name: kubectl-label
           image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"

diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
@@ -70,3 +70,4 @@ pdb:
   controllerManager:
     minAvailable: 1
 service: {}
+disabledBuiltins:
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -97,6 +97,7 @@ spec:
       terminationGracePeriodSeconds: 60
       nodeSelector:
         kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -176,3 +177,4 @@ spec:
       terminationGracePeriodSeconds: 60
       nodeSelector:
         kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
diff --git a/docs/design/README.md b/docs/design/README.md
@@ -16,6 +16,7 @@ Generally, design docs are on Google docs:
    * [Mutation Revised Design Doc (June 2019)](https://docs.google.com/document/d/1G7WgZKx1Y3VOTUjrqn7DjDaZgSKCIZowILm_I6psrw0/edit#heading=h.mtvdjag5uj9)
    * [Mutation Initial Design Doc (April 2019)](https://docs.google.com/document/d/1qTHwqoUX8AL2jodyWKB_2szrGDwhi14Ra_LlQ-ogtck/edit#heading=h.iu1ppjy7g7j)
 * [External Data](https://docs.google.com/document/d/1hPi86jdsCKg8puYT5_s_73mPGExUJeZfyKmvG-XWtPc/edit#)
+* [Gatekeeper v1beta1 CRD Deprecation](https://docs.google.com/document/d/12TD9vk79X3y0RgNxURamW4tQOyd6YjA6WrwDAqcplwg/edit#)
 
 ## Implemented
 * [V3 Accepted Design](https://docs.google.com/document/d/1yC4wgpVoJj6ngYnSTtO-HeaIBl05gla562sD7qKPy3M/edit#heading=h.z0bjqzl81dpe)

diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/onsi/ginkgo v1.14.1
 	github.com/onsi/gomega v1.10.2
 	github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c47
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f
 	github.com/open-policy-agent/opa v0.24.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1

diff --git a/go.sum b/go.sum
@@ -480,6 +480,8 @@ github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c4
 github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c47/go.mod h1:vZFB1b92JmUOIDEWHGO/lCnrKqrCQA5jCZkwPlF2nmc=
 github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c h1:ArW4LOS0LuB9u+oyiYHNoKXjZvW4pP8jh5ty/8szIz4=
 github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c/go.mod h1:vvhkBONv7Uah2fvS/bQ/N1u0rSLvxZOs2ErR6m+4QtQ=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f h1:oEq3M/aUJbcx9LVuL+UQXhOl3xDwhbNB7WFQtWZdh4o=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f/go.mod h1:vvhkBONv7Uah2fvS/bQ/N1u0rSLvxZOs2ErR6m+4QtQ=
 github.com/open-policy-agent/opa v0.24.0 h1:fnGOIux+TTGZsC0du1bRBtV8F+KPN55Hks12uE3Fq3E=
 github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=

diff --git a/main.go b/main.go
@@ -99,6 +99,7 @@ var (
 	disableCertRotation = flag.Bool("disable-cert-rotation", false, "disable automatic generation and rotation of webhook TLS certificates/keys")
 	enableProfile       = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort         = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified")
+	disabledBuiltins    = util.NewFlagSet()
 )
 
 func init() {
@@ -110,6 +111,7 @@ func init() {
 	_ = statusv1beta1.AddToScheme(scheme)
 	_ = mutationsv1alpha1.AddToScheme(scheme)
 	// +kubebuilder:scaffold:scheme
+	flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
 }
 
 func main() {
@@ -236,7 +238,7 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 	<-setupFinished
 
 	// initialize OPA
-	driver := local.New(local.Tracing(false))
+	driver := local.New(local.Tracing(false), local.DisableBuiltins(disabledBuiltins.ToSlice()...))
 	backend, err := opa.NewBackend(opa.Driver(driver))
 	if err != nil {
 		setupLog.Error(err, "unable to set up OPA backend")

diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
@@ -106,7 +106,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 
 This Helm chart is autogenerated from the Gatekeeper static manifest. The
 generator code lives under `cmd/build/helmify`. To make modifications to this
-template, please edit `kustomization.yaml` and `replacements.go` under that
-directory and then run `make manifests`. Your changes will show up in the
-`manifest_staging` directory and will be promoted to the root `charts` directory
-the next time a Gatekeeper release is cut.
+template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and
+`replacements.go` under that directory and then run `make manifests`. Your
+changes will show up in the `manifest_staging` directory and will be promoted
+to the root `charts` directory the next time a Gatekeeper release is cut.
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -97,6 +97,7 @@ spec:
         {{- toYaml .Values.image.pullSecrets | nindent 8 }}
       nodeSelector:
         {{- toYaml .Values.audit.nodeSelector | nindent 8 }}
+      priorityClassName: {{ .Values.audit.priorityClassName }}
       serviceAccountName: gatekeeper-admin
       terminationGracePeriodSeconds: 60
       tolerations:

diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -49,6 +49,10 @@ spec:
         - --exempt-namespace={{ .Release.Namespace }}
         - --operation=webhook
         - --enable-mutation={{ .Values.experimentalEnableMutation}}
+
+        {{- range .Values.disabledBuiltins}}
+        - --disable-opa-builtin={{ . }}
+        {{- end }}
         command:
         - /manager
         env:
@@ -102,6 +106,7 @@ spec:
         {{- toYaml .Values.image.pullSecrets | nindent 8 }}
       nodeSelector:
         {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}
+      priorityClassName: {{ .Values.controllerManager.priorityClassName }}
       serviceAccountName: gatekeeper-admin
       terminationGracePeriodSeconds: 60
       tolerations:

diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml
@@ -26,6 +26,8 @@ spec:
       {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
       {{- end }}
       serviceAccount: gatekeeper-update-namespace-label
+      nodeSelector:
+        kubernetes.io/os: linux
       containers:
         - name: kubectl-label
           image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"

diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
@@ -70,3 +70,4 @@ pdb:
   controllerManager:
     minAvailable: 1
 service: {}
+disabledBuiltins:
diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml
@@ -711,6 +711,7 @@ spec:
           runAsUser: 1000
       nodeSelector:
         kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
       serviceAccountName: gatekeeper-admin
       terminationGracePeriodSeconds: 60
 ---
@@ -813,6 +814,7 @@ spec:
           readOnly: true
       nodeSelector:
         kubernetes.io/os: linux
+      priorityClassName: system-cluster-critical
       serviceAccountName: gatekeeper-admin
       terminationGracePeriodSeconds: 60
       volumes:

diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go
@@ -323,8 +323,8 @@ violation[{"msg": "denied!"}] {
 				return err
 			}
 			if ct.Name == "invalidrego" {
-				status := getCTByPodStatus(ct)
-				if status == nil {
+				status, found := getCTByPodStatus(ct)
+				if !found {
 					return fmt.Errorf("could not retrieve CT status for pod, byPod status: %+v", ct.Status.ByPod)
 				}
 				if len(status.Errors) == 0 {
@@ -537,16 +537,14 @@ func newDenyAllCstr() *unstructured.Unstructured {
 	return cstr
 }
 
-func getCTByPodStatus(templ *v1beta1.ConstraintTemplate) *v1beta1.ByPodStatus {
+func getCTByPodStatus(templ *v1beta1.ConstraintTemplate) (v1beta1.ByPodStatus, bool) {
 	statuses := templ.Status.ByPod
-	var status *v1beta1.ByPodStatus
 	for _, s := range statuses {
 		if s.ID == util.GetID() {
-			status = s
-			break
+			return s, true
 		}
 	}
-	return status
+	return v1beta1.ByPodStatus{}, false
 }
 
 func getCByPodStatus(obj *unstructured.Unstructured) (*statusv1beta1.ConstraintPodStatusStatus, error) {

diff --git a/pkg/util/flagSet.go b/pkg/util/flagSet.go
@@ -0,0 +1,31 @@
+package util
+
+import (
+	"flag"
+	"fmt"
+)
+
+type FlagSet map[string]bool
+
+var _ flag.Value = FlagSet{}
+
+func NewFlagSet() FlagSet {
+	return make(map[string]bool)
+}
+
+func (l FlagSet) ToSlice() []string {
+	contents := make([]string, 0)
+	for k := range l {
+		contents = append(contents, k)
+	}
+	return contents
+}
+
+func (l FlagSet) String() string {
+	return fmt.Sprintf("%s", l.ToSlice())
+}
+
+func (l FlagSet) Set(s string) error {
+	l[s] = true
+	return nil
+}
diff --git a/pkg/webhook/namespacelabel.go b/pkg/webhook/namespacelabel.go
@@ -11,6 +11,7 @@ import (
 	opa "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 	"github.com/open-policy-agent/gatekeeper/pkg/controller/config/process"
 	"github.com/open-policy-agent/gatekeeper/pkg/mutation"
+	"github.com/open-policy-agent/gatekeeper/pkg/util"
 	"github.com/pkg/errors"
 	admissionv1 "k8s.io/api/admission/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -19,8 +20,8 @@ import (
 )
 
 var (
-	exemptNamespace       = newNSSet()
-	exemptNamespacePrefix = newNSSet()
+	exemptNamespace       = util.NewFlagSet()
+	exemptNamespacePrefix = util.NewFlagSet()
 )
 
 func init() {
@@ -31,27 +32,6 @@ func init() {
 
 const ignoreLabel = "admission.gatekeeper.sh/ignore"
 
-type nsSet map[string]bool
-
-var _ flag.Value = nsSet{}
-
-func newNSSet() nsSet {
-	return make(map[string]bool)
-}
-
-func (l nsSet) String() string {
-	contents := make([]string, 0)
-	for k := range l {
-		contents = append(contents, k)
-	}
-	return fmt.Sprintf("%s", contents)
-}
-
-func (l nsSet) Set(s string) error {
-	l[s] = true
-	return nil
-}
-
 // +kubebuilder:webhook:verbs=CREATE;UPDATE,path=/v1/admitlabel,mutating=false,failurePolicy=fail,groups="",resources=namespaces,versions=*,name=check-ignore-label.gatekeeper.sh
 
 // AddLabelWebhook registers the label webhook server with the manager

diff --git a/test/bats/test.bats b/test/bats/test.bats
@@ -220,3 +220,12 @@ __required_labels_audit_test() {
   kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml
   wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl create configmap should-succeed -n gatekeeper-excluded-namespace"
 }
+
+@test "disable http.send" {
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml"
+  wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sdenynamehttpsend"
+  run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_http_send.yaml
+  assert_failure
+  run kubectl get constrainttemplate/k8sdenynamehttpsend -o jsonpath="{.status}"
+  assert_match 'undefined function http.send' "${output}"
+}
diff --git a/test/bats/tests/bad/bad_http_send.yaml b/test/bats/tests/bad/bad_http_send.yaml
@@ -0,0 +1,7 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sDenyNameHttpSend
+metadata:
+  name: dummy-constraint
+spec:
+  parameters:
+    invalidName: "policy-violation"
diff --git a/test/bats/tests/templates/use_http_send_template.yaml b/test/bats/tests/templates/use_http_send_template.yaml
@@ -0,0 +1,25 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sdenynamehttpsend
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sDenyNameHttpSend
+      validation:
+        # Schema for the `parameters` field
+        openAPIV3Schema:
+          properties:
+            invalidName:
+              type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sdenynamehttpsend
+        violation[{"msg": msg}] {
+          input.review.object.metadata.name == input.parameters.invalidName
+          response := http.send({"method": "get", "url": "https://github.com/"})
+          msg := sprintf("The name is not allowed, msg= %v", [input.parameters.invalidName, response])
+
+        }