From afc9fe227baea2b7522728502d35079215dbe8e4 Mon Sep 17 00:00:00 2001 From: Brian Kennedy Date: Fri, 23 Apr 2021 21:02:01 -0700 Subject: [PATCH 1/7] Update Constraint Framework. (#1269) This includes https://github.com/open-policy-agent/frameworks/pull/110 which contains the fix for https://github.com/open-policy-agent/gatekeeper/issues/188 Signed-off-by: Brian Kennedy --- go.mod | 2 +- go.sum | 2 + .../constrainttemplate_controller_test.go | 12 +- .../frameworks/constraint/LICENSE | 202 ------------------ .../v1alpha1/constrainttemplate_types.go | 10 +- .../v1alpha1/zz_generated.conversion.go | 8 +- .../v1alpha1/zz_generated.deepcopy.go | 18 +- .../v1beta1/constrainttemplate_types.go | 10 +- .../v1beta1/zz_generated.conversion.go | 8 +- .../v1beta1/zz_generated.deepcopy.go | 18 +- .../pkg/client/drivers/local/local.go | 32 ++- .../templates/constrainttemplate_types.go | 10 +- .../core/templates/zz_generated.deepcopy.go | 18 +- vendor/modules.txt | 2 +- 14 files changed, 72 insertions(+), 280 deletions(-) delete mode 100644 vendor/github.com/open-policy-agent/frameworks/constraint/LICENSE diff --git a/go.mod b/go.mod index 2abab5c4837..76e64254500 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/onsi/ginkgo v1.14.1 github.com/onsi/gomega v1.10.2 github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c47 - github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c + github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f github.com/open-policy-agent/opa v0.24.0 github.com/pkg/errors v0.9.1 github.com/prometheus/client_golang v1.7.1 diff --git a/go.sum b/go.sum index 0f1d26e69ee..605b1e9a232 100644 --- a/go.sum +++ b/go.sum 
@@ -480,6 +480,8 @@ github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c4 github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c47/go.mod h1:vZFB1b92JmUOIDEWHGO/lCnrKqrCQA5jCZkwPlF2nmc= github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c h1:ArW4LOS0LuB9u+oyiYHNoKXjZvW4pP8jh5ty/8szIz4= github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c/go.mod h1:vvhkBONv7Uah2fvS/bQ/N1u0rSLvxZOs2ErR6m+4QtQ= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f h1:oEq3M/aUJbcx9LVuL+UQXhOl3xDwhbNB7WFQtWZdh4o= +github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f/go.mod h1:vvhkBONv7Uah2fvS/bQ/N1u0rSLvxZOs2ErR6m+4QtQ= github.com/open-policy-agent/opa v0.24.0 h1:fnGOIux+TTGZsC0du1bRBtV8F+KPN55Hks12uE3Fq3E= github.com/open-policy-agent/opa v0.24.0/go.mod h1:qEyD/i8j+RQettHGp4f86yjrjvv+ZYia+JHCMv2G7wA= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= diff --git a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go index 63c5e73b981..06ed9181631 100644 --- a/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go +++ b/pkg/controller/constrainttemplate/constrainttemplate_controller_test.go @@ -323,8 +323,8 @@ violation[{"msg": "denied!"}] { return err } if ct.Name == "invalidrego" { - status := getCTByPodStatus(ct) - if status == nil { + status, found := getCTByPodStatus(ct) + if !found { return fmt.Errorf("could not retrieve CT status for pod, byPod status: %+v", ct.Status.ByPod) } if len(status.Errors) == 0 { 
@@ -537,16 +537,14 @@ func newDenyAllCstr() *unstructured.Unstructured { return cstr } -func getCTByPodStatus(templ *v1beta1.ConstraintTemplate) *v1beta1.ByPodStatus { +func getCTByPodStatus(templ *v1beta1.ConstraintTemplate) (v1beta1.ByPodStatus, bool) { statuses := templ.Status.ByPod - var status *v1beta1.ByPodStatus for _, s := range statuses { if s.ID == util.GetID() { - status = s - break + return s, true } } - return status + return v1beta1.ByPodStatus{}, false } func getCByPodStatus(obj *unstructured.Unstructured) (*statusv1beta1.ConstraintPodStatusStatus, error) { diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/LICENSE b/vendor/github.com/open-policy-agent/frameworks/constraint/LICENSE deleted file mode 100644 index 8f71f43fee3..00000000000 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/LICENSE +++ /dev/null 
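Review bot: In the rewritten getCTByPodStatus the local `statuses := templ.Status.ByPod` is now used only as the range expression, so it can be folded into the loop: `for _, s := range templ.Status.ByPod {`. Returning `(v1beta1.ByPodStatus, bool)` instead of a nil-able pointer is the right replacement now that ByPod holds values, and the caller in the hunk at line 323 checks `found` rather than a nil pointer, which matches. Note that the returned struct still shares the `Errors` slice's backing array with the template, which is fine for this read-only test helper but worth a one-line comment if the helper is reused.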
@@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go index b8dafb883ad..4b2fdb65242 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/constrainttemplate_types.go 
@@ -64,15 +64,15 @@ type CreateCRDError struct { // an individual controller type ByPodStatus struct { // a unique identifier for the pod that wrote the status - ID string `json:"id,omitempty"` - ObservedGeneration int64 `json:"observedGeneration,omitempty"` - Errors []*CreateCRDError `json:"errors,omitempty"` + ID string `json:"id,omitempty"` + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + Errors []CreateCRDError `json:"errors,omitempty"` } // ConstraintTemplateStatus defines the observed state of ConstraintTemplate type ConstraintTemplateStatus struct { - Created bool `json:"created,omitempty"` - ByPod []*ByPodStatus `json:"byPod,omitempty"` + Created bool `json:"created,omitempty"` + ByPod []ByPodStatus `json:"byPod,omitempty"` // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster // Important: Run "make" to regenerate code after modifying this file } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go index 75efd347806..2de7f042938 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.conversion.go @@ -151,7 +151,7 @@ func RegisterConversions(s *runtime.Scheme) error { func autoConvert_v1alpha1_ByPodStatus_To_templates_ByPodStatus(in *ByPodStatus, out *templates.ByPodStatus, s conversion.Scope) error { out.ID = in.ID out.ObservedGeneration = in.ObservedGeneration - out.Errors = *(*[]*templates.CreateCRDError)(unsafe.Pointer(&in.Errors)) + out.Errors = *(*[]templates.CreateCRDError)(unsafe.Pointer(&in.Errors)) return nil } 
@@ -163,7 +163,7 @@ func Convert_v1alpha1_ByPodStatus_To_templates_ByPodStatus(in *ByPodStatus, out func autoConvert_templates_ByPodStatus_To_v1alpha1_ByPodStatus(in *templates.ByPodStatus, out *ByPodStatus, s conversion.Scope) error { out.ID = in.ID out.ObservedGeneration = in.ObservedGeneration - out.Errors = *(*[]*CreateCRDError)(unsafe.Pointer(&in.Errors)) + out.Errors = *(*[]CreateCRDError)(unsafe.Pointer(&in.Errors)) return nil } @@ -340,7 +340,7 @@ func Convert_templates_ConstraintTemplateSpec_To_v1alpha1_ConstraintTemplateSpec func autoConvert_v1alpha1_ConstraintTemplateStatus_To_templates_ConstraintTemplateStatus(in *ConstraintTemplateStatus, out *templates.ConstraintTemplateStatus, s conversion.Scope) error { out.Created = in.Created - out.ByPod = *(*[]*templates.ByPodStatus)(unsafe.Pointer(&in.ByPod)) + out.ByPod = *(*[]templates.ByPodStatus)(unsafe.Pointer(&in.ByPod)) return nil } @@ -351,7 +351,7 @@ func Convert_v1alpha1_ConstraintTemplateStatus_To_templates_ConstraintTemplateSt func autoConvert_templates_ConstraintTemplateStatus_To_v1alpha1_ConstraintTemplateStatus(in *templates.ConstraintTemplateStatus, out *ConstraintTemplateStatus, s conversion.Scope) error { out.Created = in.Created - out.ByPod = *(*[]*ByPodStatus)(unsafe.Pointer(&in.ByPod)) + out.ByPod = *(*[]ByPodStatus)(unsafe.Pointer(&in.ByPod)) return nil } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go index c813a552812..da242a7fa46 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1/zz_generated.deepcopy.go 
@@ -27,14 +27,8 @@ func (in *ByPodStatus) DeepCopyInto(out *ByPodStatus) { *out = *in if in.Errors != nil { in, out := &in.Errors, &out.Errors - *out = make([]*CreateCRDError, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(CreateCRDError) - **out = **in - } - } + *out = make([]CreateCRDError, len(*in)) + copy(*out, *in) } return } @@ -178,13 +172,9 @@ func (in *ConstraintTemplateStatus) DeepCopyInto(out *ConstraintTemplateStatus) *out = *in if in.ByPod != nil { in, out := &in.ByPod, &out.ByPod - *out = make([]*ByPodStatus, len(*in)) + *out = make([]ByPodStatus, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(ByPodStatus) - (*in).DeepCopyInto(*out) - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } return diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go index 4a40d105ef8..cf6e3cf5235 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/constrainttemplate_types.go 
@@ -64,15 +64,15 @@ type CreateCRDError struct { // an individual controller type ByPodStatus struct { // a unique identifier for the pod that wrote the status - ID string `json:"id,omitempty"` - ObservedGeneration int64 `json:"observedGeneration,omitempty"` - Errors []*CreateCRDError `json:"errors,omitempty"` + ID string `json:"id,omitempty"` + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + Errors []CreateCRDError `json:"errors,omitempty"` } // ConstraintTemplateStatus defines the observed state of ConstraintTemplate type ConstraintTemplateStatus struct { - Created bool `json:"created,omitempty"` - ByPod []*ByPodStatus `json:"byPod,omitempty"` + Created bool `json:"created,omitempty"` + ByPod []ByPodStatus `json:"byPod,omitempty"` // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster // Important: Run "make" to regenerate code after modifying this file } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go index 5e000be2558..c4b864f6a62 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.conversion.go @@ -151,7 +151,7 @@ func RegisterConversions(s *runtime.Scheme) error { func autoConvert_v1beta1_ByPodStatus_To_templates_ByPodStatus(in *ByPodStatus, out *templates.ByPodStatus, s conversion.Scope) error { out.ID = in.ID out.ObservedGeneration = in.ObservedGeneration - out.Errors = *(*[]*templates.CreateCRDError)(unsafe.Pointer(&in.Errors)) + out.Errors = *(*[]templates.CreateCRDError)(unsafe.Pointer(&in.Errors)) return nil } 
@@ -163,7 +163,7 @@ func Convert_v1beta1_ByPodStatus_To_templates_ByPodStatus(in *ByPodStatus, out * func autoConvert_templates_ByPodStatus_To_v1beta1_ByPodStatus(in *templates.ByPodStatus, out *ByPodStatus, s conversion.Scope) error { out.ID = in.ID out.ObservedGeneration = in.ObservedGeneration - out.Errors = *(*[]*CreateCRDError)(unsafe.Pointer(&in.Errors)) + out.Errors = *(*[]CreateCRDError)(unsafe.Pointer(&in.Errors)) return nil } @@ -340,7 +340,7 @@ func Convert_templates_ConstraintTemplateSpec_To_v1beta1_ConstraintTemplateSpec( func autoConvert_v1beta1_ConstraintTemplateStatus_To_templates_ConstraintTemplateStatus(in *ConstraintTemplateStatus, out *templates.ConstraintTemplateStatus, s conversion.Scope) error { out.Created = in.Created - out.ByPod = *(*[]*templates.ByPodStatus)(unsafe.Pointer(&in.ByPod)) + out.ByPod = *(*[]templates.ByPodStatus)(unsafe.Pointer(&in.ByPod)) return nil } @@ -351,7 +351,7 @@ func Convert_v1beta1_ConstraintTemplateStatus_To_templates_ConstraintTemplateSta func autoConvert_templates_ConstraintTemplateStatus_To_v1beta1_ConstraintTemplateStatus(in *templates.ConstraintTemplateStatus, out *ConstraintTemplateStatus, s conversion.Scope) error { out.Created = in.Created - out.ByPod = *(*[]*ByPodStatus)(unsafe.Pointer(&in.ByPod)) + out.ByPod = *(*[]ByPodStatus)(unsafe.Pointer(&in.ByPod)) return nil } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go index 6c2298053d7..6d48a1ae1ed 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1beta1/zz_generated.deepcopy.go 
@@ -27,14 +27,8 @@ func (in *ByPodStatus) DeepCopyInto(out *ByPodStatus) { *out = *in if in.Errors != nil { in, out := &in.Errors, &out.Errors - *out = make([]*CreateCRDError, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(CreateCRDError) - **out = **in - } - } + *out = make([]CreateCRDError, len(*in)) + copy(*out, *in) } return } @@ -178,13 +172,9 @@ func (in *ConstraintTemplateStatus) DeepCopyInto(out *ConstraintTemplateStatus) *out = *in if in.ByPod != nil { in, out := &in.ByPod, &out.ByPod - *out = make([]*ByPodStatus, len(*in)) + *out = make([]ByPodStatus, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(ByPodStatus) - (*in).DeepCopyInto(*out) - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } return diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go index 518ddf6ecaf..50048bc9c91 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/local/local.go 
@@ -45,15 +45,37 @@ func Tracing(enabled bool) Arg { } } +func DisableBuiltins(builtins ...string) Arg { + return func(d *driver) { + if d.capabilities == nil { + d.capabilities = ast.CapabilitiesForThisVersion() + } + disableBuiltins := make(map[string]bool) + for _, b := range builtins { + disableBuiltins[b] = true + } + var nb []*ast.Builtin + builtins := d.capabilities.Builtins + for i, b := range builtins { + if !disableBuiltins[b.Name] { + nb = append(nb, builtins[i]) + } + } + d.capabilities.Builtins = nb + } +} + func New(args ...Arg) drivers.Driver { d := &driver{ - compiler: ast.NewCompiler(), - modules: make(map[string]*ast.Module), - storage: inmem.New(), + compiler: ast.NewCompiler(), + modules: make(map[string]*ast.Module), + storage: inmem.New(), + capabilities: ast.CapabilitiesForThisVersion(), } for _, arg := range args { arg(d) } + d.compiler.WithCapabilities(d.capabilities) return d } @@ -64,6 +86,7 @@ type driver struct { compiler *ast.Compiler modules map[string]*ast.Module storage storage.Store + capabilities *ast.Capabilities traceEnabled bool } @@ -186,7 +209,8 @@ func (d *driver) alterModules(ctx context.Context, insert insertParam, remove [] } } - c := ast.NewCompiler().WithPathConflictsCheck(storage.NonEmpty(ctx, d.storage, txn)) + c := ast.NewCompiler().WithPathConflictsCheck(storage.NonEmpty(ctx, d.storage, txn)). + WithCapabilities(d.capabilities) if c.Compile(updatedModules); c.Failed() { d.storage.Abort(ctx, txn) return 0, c.Errors diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go index a36ac4b31fb..adcc6ae7bfd 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/constrainttemplate_types.go 
@@ -69,15 +69,15 @@ type CreateCRDError struct { // an individual controller type ByPodStatus struct { // a unique identifier for the pod that wrote the status - ID string `json:"id,omitempty"` - ObservedGeneration int64 `json:"observedGeneration,omitempty"` - Errors []*CreateCRDError `json:"errors,omitempty"` + ID string `json:"id,omitempty"` + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + Errors []CreateCRDError `json:"errors,omitempty"` } // ConstraintTemplateStatus defines the observed state of ConstraintTemplate type ConstraintTemplateStatus struct { - Created bool `json:"created,omitempty"` - ByPod []*ByPodStatus `json:"byPod,omitempty"` + Created bool `json:"created,omitempty"` + ByPod []ByPodStatus `json:"byPod,omitempty"` // INSERT ADDITIONAL STATUS FIELD - define observed state of cluster // Important: Run "make" to regenerate code after modifying this file } diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go index fc42c41832b..f33fbc9fad8 100644 --- a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go +++ b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/core/templates/zz_generated.deepcopy.go @@ -27,14 +27,8 @@ func (in *ByPodStatus) DeepCopyInto(out *ByPodStatus) { *out = *in if in.Errors != nil { in, out := &in.Errors, &out.Errors - *out = make([]*CreateCRDError, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(CreateCRDError) - **out = **in - } - } + *out = make([]CreateCRDError, len(*in)) + copy(*out, *in) } return } 
@@ -178,13 +172,9 @@ func (in *ConstraintTemplateStatus) DeepCopyInto(out *ConstraintTemplateStatus) *out = *in if in.ByPod != nil { in, out := &in.ByPod, &out.ByPod - *out = make([]*ByPodStatus, len(*in)) + *out = make([]ByPodStatus, len(*in)) for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(ByPodStatus) - (*in).DeepCopyInto(*out) - } + (*in)[i].DeepCopyInto(&(*out)[i]) } } return diff --git a/vendor/modules.txt b/vendor/modules.txt index 2597cf787b8..a94259a11a0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -162,7 +162,7 @@ github.com/onsi/gomega/types # github.com/open-policy-agent/cert-controller v0.1.1-0.20210129015139-6ff9721a1c47 ## explicit github.com/open-policy-agent/cert-controller/pkg/rotator -# github.com/open-policy-agent/frameworks/constraint v0.0.0-20210121003109-e55b2bb4cf1c +# github.com/open-policy-agent/frameworks/constraint v0.0.0-20210422220901-804ff2ee8b4f ## explicit github.com/open-policy-agent/frameworks/constraint/deploy github.com/open-policy-agent/frameworks/constraint/pkg/apis/templates/v1alpha1 From d8838177f71eaaadf3e1b26ec970365af2aea36c Mon Sep 17 00:00:00 2001 
From: Becky HD Date: Tue, 27 Apr 2021 22:51:17 -0700 Subject: [PATCH 2/7] Provide the flag for disable unsafe builtins (#1191) --- Makefile | 7 +++-- cmd/build/helmify/kustomize-for-helm.yaml | 1 + cmd/build/helmify/replacements.go | 4 +++ cmd/build/helmify/static/values.yaml | 1 + main.go | 4 ++- ...ekeeper-controller-manager-deployment.yaml | 4 +++ .../charts/gatekeeper/values.yaml | 1 + pkg/util/flagSet.go | 31 +++++++++++++++++++ pkg/webhook/namespacelabel.go | 26 ++-------------- test/bats/test.bats | 9 ++++++ test/bats/tests/bad/bad_http_send.yaml | 7 +++++ .../templates/use_http_send_template.yaml | 25 +++++++++++++++ 12 files changed, 94 insertions(+), 26 deletions(-) create mode 100644 pkg/util/flagSet.go create mode 100644 test/bats/tests/bad/bad_http_send.yaml create mode 100644 test/bats/tests/templates/use_http_send_template.yaml diff --git a/Makefile b/Makefile index 4f106900f0d..6e2ce6141be 100644 --- a/Makefile +++ b/Makefile @@ -45,6 +45,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --emit-admission-events\ \n - --exempt-namespace=${GATEKEEPER_NAMESPACE}\ \n - --operation=webhook\ +\n - --disable-opa-builtin=http.send\ \n---\ \napiVersion: apps/v1\ \nkind: Deployment\ @@ -128,7 +129,8 @@ e2e-helm-deploy: e2e-helm-install --set image.release=${HELM_RELEASE} \ --set emitAdmissionEvents=true \ --set emitAuditEvents=true \ - --set postInstall.labelNamespace.enabled=true;\ + --set postInstall.labelNamespace.enabled=true \ + --set disabledBuiltins={http.send};\ e2e-helm-upgrade-init: e2e-helm-install ./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts;\ @@ -143,7 +145,8 @@ e2e-helm-upgrade: --set image.repository=${HELM_REPO} \ --set image.release=${HELM_RELEASE} \ --set emitAdmissionEvents=true \ - --set emitAuditEvents=true;\ + --set emitAuditEvents=true \ + --set disabledBuiltins={http.send};\ # Build manager binary manager: generate 
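Review bot: `--disable-opa-builtin=http.send` is added only to the args that follow `--operation=webhook` in MANAGER_IMAGE_PATCH; the second Deployment in the same patch (after `\n---\`) is cut off here, so it is not visible whether the audit process receives the same flag. The vendored DisableBuiltins only narrows the capabilities of the one driver it is applied to, so any manager process started without the flag still compiles and runs templates that call http.send; the same gap may exist in cmd/build/helmify/kustomize-for-helm.yaml and manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml, where the templated flag goes only into the controller-manager container args. If the audit Deployment evaluates templates, give it the same `\n - --disable-opa-builtin=http.send\` line and the same `{{- range .Values.disabledBuiltins}}` block. Since `disabledBuiltins:` defaults to empty in both values.yaml files, a chart install leaves http.send enabled unless the operator sets the value; a comment on that key saying so would make the default explicit.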
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index c728609acde..306e4c5b045 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -69,6 +69,7 @@ spec: - --exempt-namespace={{ .Release.Namespace }} - --operation=webhook - --enable-mutation={{ .Values.experimentalEnableMutation}} + - HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN imagePullPolicy: "{{ .Values.image.pullPolicy }}" image: "{{ .Values.image.repository }}:{{ .Values.image.release }}" resources: diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index 040861954ee..ff6a07726a4 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -48,4 +48,8 @@ var replacements = map[string]string{ loadBalancerIP: {{ .Values.service.loadBalancerIP }} {{- end }} {{- end }}`, + "- HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_DISABLED_BUILTIN": ` + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }}`, } diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 89b3bb01306..27528413cbb 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -70,3 +70,4 @@ pdb: controllerManager: minAvailable: 1 service: {} +disabledBuiltins: diff --git a/main.go b/main.go index d971c51c2ad..a4d8538c310 100644 --- a/main.go +++ b/main.go @@ -99,6 +99,7 @@ var ( disableCertRotation = flag.Bool("disable-cert-rotation", false, "disable automatic generation and rotation of webhook TLS certificates/keys") enableProfile = flag.Bool("enable-pprof", false, "enable pprof profiling") profilePort = flag.Int("pprof-port", 6060, "port for pprof profiling. defaulted to 6060 if unspecified") + disabledBuiltins = util.NewFlagSet() ) func init() { 
@@ -110,6 +111,7 @@ func init() {
 _ = statusv1beta1.AddToScheme(scheme)
 _ = mutationsv1alpha1.AddToScheme(scheme)
 // +kubebuilder:scaffold:scheme
+ flag.Var(disabledBuiltins, "disable-opa-builtin", "disable opa built-in function, this flag can be declared more than once.")
 }
 
 func main() {
@@ -236,7 +238,7 @@ func setupControllers(mgr ctrl.Manager, sw *watch.ControllerSwitch, tracker *rea
 <-setupFinished
 
 // initialize OPA
- driver := local.New(local.Tracing(false))
+ driver := local.New(local.Tracing(false), local.DisableBuiltins(disabledBuiltins.ToSlice()...))
 backend, err := opa.NewBackend(opa.Driver(driver))
 if err != nil {
 setupLog.Error(err, "unable to set up OPA backend")
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index 8a7c7970588..0b85645cc5c 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -49,6 +49,10 @@ spec:
 - --exempt-namespace={{ .Release.Namespace }}
 - --operation=webhook
 - --enable-mutation={{ .Values.experimentalEnableMutation}}
+
+ {{- range .Values.disabledBuiltins}}
+ - --disable-opa-builtin={{ . }}
+ {{- end }}
 command:
 - /manager
 env:
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 89b3bb01306..27528413cbb 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -70,3 +70,4 @@ pdb:
 controllerManager:
 minAvailable: 1
 service: {}
+disabledBuiltins:
diff --git a/pkg/util/flagSet.go b/pkg/util/flagSet.go
new file mode 100644
index 00000000000..c9781c84111
--- /dev/null
+++ b/pkg/util/flagSet.go
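Review bot: The names given to `--disable-opa-builtin` are never validated: `FlagSet.Set` stores any string, and the `driver := local.New(...)` line hands the slice straight to `local.DisableBuiltins`, so a misspelling such as `http.sned` disables nothing and the real http.send stays callable from Rego — a silent fail-open for a flag whose purpose is to remove a network primitive from policy code. Unless `local.DisableBuiltins` (in the constraint framework, outside this diff) rejects unknown names itself, check the list against OPA's built-in registry before building the driver and abort startup, mirroring whatever the `unable to set up OPA backend` branch just below does on failure (its exit path is outside the hunk, and `os` is presumably already imported); this also needs `github.com/open-policy-agent/opa/ast` imported in main.go. The help text on the `flag.Var` line should say the value must be an OPA built-in name as Rego spells it (`http.send`). `init`, `main` and `setupControllers` all continue outside these hunks.

```go
	// initialize OPA
	disabled := disabledBuiltins.ToSlice()
	for _, name := range disabled {
		if _, ok := ast.BuiltinMap[name]; !ok {
			setupLog.Error(nil, "--disable-opa-builtin names an unknown OPA built-in", "name", name)
			os.Exit(1)
		}
	}
	driver := local.New(local.Tracing(false), local.DisableBuiltins(disabled...))
	// … unchanged: backend setup …
```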
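Review bot: The `{{- range .Values.disabledBuiltins}}` block is rendered into the controller-manager Deployment only; this patch's diffstat touches no audit Deployment template, so a chart user who sets `disabledBuiltins={http.send}` still gets an audit pod whose OPA instance can call http.send while evaluating every resource it syncs — unless the audit template is wired elsewhere, which nothing here shows. The same three lines (`{{- range .Values.disabledBuiltins}}`, `- --disable-opa-builtin={{ . }}`, `{{- end }}`) belong under the audit container's args in gatekeeper-audit-deployment.yaml, and the matching HELMSUBST placeholder under the audit Deployment in kustomize-for-helm.yaml so `make manifests` keeps the two in sync. The container spec starts and ends outside this hunk.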
@@ -0,0 +1,31 @@
+package util
+
+import (
+ "flag"
+ "fmt"
+)
+
+type FlagSet map[string]bool
+
+var _ flag.Value = FlagSet{}
+
+func NewFlagSet() FlagSet {
+ return make(map[string]bool)
+}
+
+func (l FlagSet) ToSlice() []string {
+ contents := make([]string, 0)
+ for k := range l {
+ contents = append(contents, k)
+ }
+ return contents
+}
+
+func (l FlagSet) String() string {
+ return fmt.Sprintf("%s", l.ToSlice())
+}
+
+func (l FlagSet) Set(s string) error {
+ l[s] = true
+ return nil
+}
diff --git a/pkg/webhook/namespacelabel.go b/pkg/webhook/namespacelabel.go
index 99a974b5aaf..a8c08703167 100644
--- a/pkg/webhook/namespacelabel.go
+++ b/pkg/webhook/namespacelabel.go
@@ -11,6 +11,7 @@ import (
 opa "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 "github.com/open-policy-agent/gatekeeper/pkg/controller/config/process"
 "github.com/open-policy-agent/gatekeeper/pkg/mutation"
+ "github.com/open-policy-agent/gatekeeper/pkg/util"
 "github.com/pkg/errors"
 admissionv1 "k8s.io/api/admission/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -19,8 +20,8 @@ import (
 )
 
 var (
- exemptNamespace = newNSSet()
- exemptNamespacePrefix = newNSSet()
+ exemptNamespace = util.NewFlagSet()
+ exemptNamespacePrefix = util.NewFlagSet()
 )
 
 func init() {
@@ -31,27 +32,6 @@ func init() {
 const ignoreLabel = "admission.gatekeeper.sh/ignore"
 
-type nsSet map[string]bool
-
-var _ flag.Value = nsSet{}
-
-func newNSSet() nsSet {
- return make(map[string]bool)
-}
-
-func (l nsSet) String() string {
- contents := make([]string, 0)
- for k := range l {
- contents = append(contents, k)
- }
- return fmt.Sprintf("%s", contents)
-}
-
-func (l nsSet) Set(s string) error {
- l[s] = true
- return nil
-}
-
 // +kubebuilder:webhook:verbs=CREATE;UPDATE,path=/v1/admitlabel,mutating=false,failurePolicy=fail,groups="",resources=namespaces,versions=*,name=check-ignore-label.gatekeeper.sh
 
 // AddLabelWebhook registers the label webhook server with the manager
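Review bot: The exported `FlagSet`, `NewFlagSet`, `ToSlice`, `String` and `Set` in the new pkg/util/flagSet.go carry no doc comments, and `ToSlice` returns keys in map-iteration order, so `String()` — what the flag package prints in usage and default output — and the order of names passed on to the OPA driver vary from run to run. Sort before returning (`sort.Strings(contents)` ahead of `return contents`, with `"sort"` added to the import block) and document the type with `// FlagSet is a flag.Value that collects every occurrence of a repeatable flag into a set of distinct strings.` plus a one-line comment on each method. `Set` also accepts the empty string, so `--disable-opa-builtin=` quietly becomes an empty built-in name; `if s == "" { return fmt.Errorf("value must not be empty") }` would reject it, but the same type now backs `--exempt-namespace` and `--exempt-namespace-prefix` (the namespacelabel.go hunks below), so confirm no caller relies on an empty entry before changing that.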
diff --git a/test/bats/test.bats b/test/bats/test.bats index 117e0ca9271..d11f8708399 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -220,3 +220,12 @@ __required_labels_audit_test() { kubectl apply -n ${GATEKEEPER_NAMESPACE} -f ${BATS_TESTS_DIR}/sync_with_exclusion.yaml wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl create configmap should-succeed -n gatekeeper-excluded-namespace" } + +@test "disable http.send" { + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl apply -f ${BATS_TESTS_DIR}/templates/use_http_send_template.yaml" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sdenynamehttpsend" + run kubectl apply -f ${BATS_TESTS_DIR}/bad/bad_http_send.yaml + assert_failure + run kubectl get constrainttemplate/k8sdenynamehttpsend -o jsonpath="{.status}" + assert_match 'undefined function http.send' "${output}" +} diff --git a/test/bats/tests/bad/bad_http_send.yaml b/test/bats/tests/bad/bad_http_send.yaml new file mode 100644 index 00000000000..e1cf10319d6 --- /dev/null +++ b/test/bats/tests/bad/bad_http_send.yaml @@ -0,0 +1,7 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sDenyNameHttpSend +metadata: + name: dummy-constraint +spec: + parameters: + invalidName: "policy-violation" diff --git a/test/bats/tests/templates/use_http_send_template.yaml b/test/bats/tests/templates/use_http_send_template.yaml new file mode 100644 index 00000000000..5d5e5bdfdf6 --- /dev/null +++ b/test/bats/tests/templates/use_http_send_template.yaml 
@@ -0,0 +1,25 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sdenynamehttpsend +spec: + crd: + spec: + names: + kind: K8sDenyNameHttpSend + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + invalidName: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sdenynamehttpsend + violation[{"msg": msg}] { + input.review.object.metadata.name == input.parameters.invalidName + response := http.send({"method": "get", "url": "https://github.com/"}) + msg := sprintf("The name is not allowed, msg= %v", [input.parameters.invalidName, response]) + + } From a974d70df29a10298cd05a74b412297de5402823 Mon Sep 17 00:00:00 2001 From: Chris Stanaway Date: Wed, 28 Apr 2021 02:33:39 -0500 Subject: [PATCH 3/7] Add priority class name (#1266) * Add support for priorityClassName (#1252) Signed-off-by: Chris Stanaway * Add support for priorityClassName (#1252) Signed-off-by: Chris Stanaway * Removed changes to `charts` directory per instructions. Updated helm chart README to reference `kustomize-for-helm.yaml`. Signed-off-by: Chris Stanaway * Added priorityClassName to the default deployment Signed-off-by: Chris Stanaway * Moved README update Signed-off-by: Chris Stanaway * Add newline at end of file Signed-off-by: Chris Stanaway * Moved README update Signed-off-by: Chris Stanaway Co-authored-by: Rita Zhang --- cmd/build/helmify/kustomize-for-helm.yaml | 2 ++ cmd/build/helmify/replacements.go | 4 ++++ cmd/build/helmify/static/README.md | 8 ++++---- config/manager/manager.yaml | 2 ++ manifest_staging/charts/gatekeeper/README.md | 8 ++++---- .../gatekeeper/templates/gatekeeper-audit-deployment.yaml | 1 + .../gatekeeper-controller-manager-deployment.yaml | 1 + manifest_staging/deploy/gatekeeper.yaml | 2 ++ 8 files changed, 20 insertions(+), 8 deletions(-) 
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 306e4c5b045..d423f742b95 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml @@ -83,6 +83,7 @@ spec: imagePullSecrets: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: "" hostNetwork: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_HOST_NETWORK + priorityClassName: HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME --- apiVersion: apps/v1 kind: Deployment @@ -121,6 +122,7 @@ spec: imagePullSecrets: HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: "" hostNetwork: HELMSUBST_DEPLOYMENT_AUDIT_HOST_NETWORK + priorityClassName: HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME --- apiVersion: v1 kind: Secret diff --git a/cmd/build/helmify/replacements.go b/cmd/build/helmify/replacements.go index ff6a07726a4..86c07ec115c 100644 --- a/cmd/build/helmify/replacements.go +++ b/cmd/build/helmify/replacements.go @@ -17,6 +17,8 @@ var replacements = map[string]string{ `HELMSUBST_DEPLOYMENT_AUDIT_IMAGE_PULL_SECRETS: ""`: `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`, + "HELMSUBST_DEPLOYMENT_AUDIT_PRIORITY_CLASS_NAME": `{{ .Values.audit.priorityClassName }}`, + `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_NODE_SELECTOR: ""`: `{{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}`, `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_AFFINITY: ""`: `{{- toYaml .Values.controllerManager.affinity | nindent 8 }}`, @@ -25,6 +27,8 @@ var replacements = map[string]string{ `HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_IMAGE_PULL_SECRETS: ""`: `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`, + "HELMSUBST_DEPLOYMENT_CONTROLLER_MANAGER_PRIORITY_CLASS_NAME": `{{ .Values.controllerManager.priorityClassName }}`, + "HELMSUBST_DEPLOYMENT_REPLICAS": `{{ .Values.replicas }}`, `HELMSUBST_ANNOTATIONS: ""`: `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}`, 
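Review bot: The two new replacements render `{{ .Values.audit.priorityClassName }}` and `{{ .Values.controllerManager.priorityClassName }}`, but this patch's diffstat includes no values.yaml, so neither key has a default in the chart: the rendered Deployments get an empty `priorityClassName:` while config/manager/manager.yaml in the same patch is given `system-cluster-critical`. Add `priorityClassName: system-cluster-critical` under both `audit:` and `controllerManager:` in cmd/build/helmify/static/values.yaml (plus a row in the chart README's parameter table, if it keeps one) so chart and static manifest agree and the knob is discoverable through `helm show values`. A chart user who wants no priority class can then set the value to an empty string explicitly instead of relying on a missing key rendering as nothing.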
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 81d68ad878e..c9d1a7cf982 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -106,7 +106,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi This Helm chart is autogenerated from the Gatekeeper static manifest. The generator code lives under `cmd/build/helmify`. To make modifications to this -template, please edit `kustomization.yaml` and `replacements.go` under that -directory and then run `make manifests`. Your changes will show up in the -`manifest_staging` directory and will be promoted to the root `charts` directory -the next time a Gatekeeper release is cut. +template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and +`replacements.go` under that directory and then run `make manifests`. Your +changes will show up in the `manifest_staging` directory and will be promoted +to the root `charts` directory the next time a Gatekeeper release is cut. diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 1810faacb47..9badeaba9a9 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -97,6 +97,7 @@ spec: terminationGracePeriodSeconds: 60 nodeSelector: kubernetes.io/os: linux + priorityClassName: system-cluster-critical --- apiVersion: apps/v1 kind: Deployment @@ -176,3 +177,4 @@ spec: terminationGracePeriodSeconds: 60 nodeSelector: kubernetes.io/os: linux + priorityClassName: system-cluster-critical diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 81d68ad878e..c9d1a7cf982 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
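Review bot: `system-cluster-critical` is one of the two cluster-reserved priority classes, and on some Kubernetes versions and managed platforms the `system-*` classes are only admitted for pods in kube-system, while these Deployments live in Gatekeeper's own namespace; where that restriction applies, the pods are rejected at admission rather than scheduled with elevated priority. That trade-off — and the fact that critical priority lets the webhook and audit pods preempt ordinary workloads under pressure — deserves a comment next to each new field, e.g. `# Keep the admission webhook scheduled under node pressure; requires a cluster that admits system-cluster-critical outside kube-system.` Both Deployment specs are cut at the hunk boundaries, so nothing else in them is visible here.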
@@ -106,7 +106,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi This Helm chart is autogenerated from the Gatekeeper static manifest. The generator code lives under `cmd/build/helmify`. To make modifications to this -template, please edit `kustomization.yaml` and `replacements.go` under that -directory and then run `make manifests`. Your changes will show up in the -`manifest_staging` directory and will be promoted to the root `charts` directory -the next time a Gatekeeper release is cut. +template, please edit `kustomization.yaml`, `kustomize-for-helm.yaml` and +`replacements.go` under that directory and then run `make manifests`. Your +changes will show up in the `manifest_staging` directory and will be promoted +to the root `charts` directory the next time a Gatekeeper release is cut. diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index b48d9b4a9be..8f259f6ae4d 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -97,6 +97,7 @@ spec: {{- toYaml .Values.image.pullSecrets | nindent 8 }} nodeSelector: {{- toYaml .Values.audit.nodeSelector | nindent 8 }} + priorityClassName: {{ .Values.audit.priorityClassName }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 tolerations: diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml index 0b85645cc5c..40524708bd1 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml 
@@ -106,6 +106,7 @@ spec: {{- toYaml .Values.image.pullSecrets | nindent 8 }} nodeSelector: {{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 tolerations: diff --git a/manifest_staging/deploy/gatekeeper.yaml b/manifest_staging/deploy/gatekeeper.yaml index 583dcc9248f..fdce8a27718 100644 --- a/manifest_staging/deploy/gatekeeper.yaml +++ b/manifest_staging/deploy/gatekeeper.yaml @@ -711,6 +711,7 @@ spec: runAsUser: 1000 nodeSelector: kubernetes.io/os: linux + priorityClassName: system-cluster-critical serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 --- @@ -813,6 +814,7 @@ spec: readOnly: true nodeSelector: kubernetes.io/os: linux + priorityClassName: system-cluster-critical serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 volumes: From 64edbe3db4c0f83cb6ade0bf6dbaf807752da36b Mon Sep 17 00:00:00 2001 From: Julian Katz Date: Wed, 28 Apr 2021 09:35:35 -0700 Subject: [PATCH 4/7] Add v1 CRD deprecation doc --- docs/design/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/design/README.md b/docs/design/README.md index 59572b7281b..77ec0f754d7 100644 --- a/docs/design/README.md +++ b/docs/design/README.md 
@@ -16,6 +16,8 @@ Generally, design docs are on Google docs: * [Mutation Revised Design Doc (June 2019)](https://docs.google.com/document/d/1G7WgZKx1Y3VOTUjrqn7DjDaZgSKCIZowILm_I6psrw0/edit#heading=h.mtvdjag5uj9) * [Mutation Initial Design Doc (April 2019)](https://docs.google.com/document/d/1qTHwqoUX8AL2jodyWKB_2szrGDwhi14Ra_LlQ-ogtck/edit#heading=h.iu1ppjy7g7j) * [External Data](https://docs.google.com/document/d/1hPi86jdsCKg8puYT5_s_73mPGExUJeZfyKmvG-XWtPc/edit#) +* [Gatekeeper v1beta1 CRD Deprecation](https://docs.google.com/document/d/12TD9vk79X3y0RgNxURamW4tQOyd6YjA6WrwDAqcplwg/edit#) + ## Implemented * [V3 Accepted Design](https://docs.google.com/document/d/1yC4wgpVoJj6ngYnSTtO-HeaIBl05gla562sD7qKPy3M/edit#heading=h.z0bjqzl81dpe) From e493e192f8fe71707536b4c179cfca9109ca2592 Mon Sep 17 00:00:00 2001 From: Max Smythe Date: Wed, 28 Apr 2021 13:26:28 -0700 Subject: [PATCH 5/7] Revert "Add v1 CRD deprecation doc" (#1276) This reverts commit 64edbe3db4c0f83cb6ade0bf6dbaf807752da36b. Signed-off-by: Max Smythe --- docs/design/README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/design/README.md b/docs/design/README.md index 77ec0f754d7..59572b7281b 100644 --- a/docs/design/README.md +++ b/docs/design/README.md @@ -16,8 +16,6 @@ Generally, design docs are on Google docs: * [Mutation Revised Design Doc (June 2019)](https://docs.google.com/document/d/1G7WgZKx1Y3VOTUjrqn7DjDaZgSKCIZowILm_I6psrw0/edit#heading=h.mtvdjag5uj9) * [Mutation Initial Design Doc (April 2019)](https://docs.google.com/document/d/1qTHwqoUX8AL2jodyWKB_2szrGDwhi14Ra_LlQ-ogtck/edit#heading=h.iu1ppjy7g7j) * [External Data](https://docs.google.com/document/d/1hPi86jdsCKg8puYT5_s_73mPGExUJeZfyKmvG-XWtPc/edit#) -* [Gatekeeper v1beta1 CRD Deprecation](https://docs.google.com/document/d/12TD9vk79X3y0RgNxURamW4tQOyd6YjA6WrwDAqcplwg/edit#) - ## Implemented * [V3 Accepted Design](https://docs.google.com/document/d/1yC4wgpVoJj6ngYnSTtO-HeaIBl05gla562sD7qKPy3M/edit#heading=h.z0bjqzl81dpe) 
From 3e70bea677b0ff987b5bf0bfe49ef0d507b3f0b5 Mon Sep 17 00:00:00 2001 From: Julian Katz Date: Wed, 28 Apr 2021 15:29:49 -0700 Subject: [PATCH 6/7] Add v1beta1 CRD deprecation doc (#1277) Signed-off-by: juliankatz --- docs/design/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/design/README.md b/docs/design/README.md index 59572b7281b..4d2fc94baae 100644 --- a/docs/design/README.md +++ b/docs/design/README.md @@ -16,6 +16,7 @@ Generally, design docs are on Google docs: * [Mutation Revised Design Doc (June 2019)](https://docs.google.com/document/d/1G7WgZKx1Y3VOTUjrqn7DjDaZgSKCIZowILm_I6psrw0/edit#heading=h.mtvdjag5uj9) * [Mutation Initial Design Doc (April 2019)](https://docs.google.com/document/d/1qTHwqoUX8AL2jodyWKB_2szrGDwhi14Ra_LlQ-ogtck/edit#heading=h.iu1ppjy7g7j) * [External Data](https://docs.google.com/document/d/1hPi86jdsCKg8puYT5_s_73mPGExUJeZfyKmvG-XWtPc/edit#) +* [Gatekeeper v1beta1 CRD Deprecation](https://docs.google.com/document/d/12TD9vk79X3y0RgNxURamW4tQOyd6YjA6WrwDAqcplwg/edit#) ## Implemented * [V3 Accepted Design](https://docs.google.com/document/d/1yC4wgpVoJj6ngYnSTtO-HeaIBl05gla562sD7qKPy3M/edit#heading=h.z0bjqzl81dpe) From fc67ca8a471285d30e813b85936afeaece1ebec1 Mon Sep 17 00:00:00 2001 From: Ji'an Liu Date: Thu, 29 Apr 2021 09:07:22 +0800 Subject: [PATCH 7/7] fix: specify the os for gatekeeper-update-namespace-label (#1262) Signed-off-by: Ji An Liu Co-authored-by: Max Smythe --- cmd/build/helmify/static/templates/namespace-post-install.yaml | 2 ++ .../charts/gatekeeper/templates/namespace-post-install.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml index da57d381b41..9c711bba74d 100644 --- a/cmd/build/helmify/static/templates/namespace-post-install.yaml +++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml 
@@ -26,6 +26,8 @@ spec: {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-update-namespace-label + nodeSelector: + kubernetes.io/os: linux containers: - name: kubectl-label image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml index da57d381b41..9c711bba74d 100644 --- a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml +++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml @@ -26,6 +26,8 @@ spec: {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} {{- end }} serviceAccount: gatekeeper-update-namespace-label + nodeSelector: + kubernetes.io/os: linux containers: - name: kubectl-label image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
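Review bot: The node selector on the post-install Job is hard-coded to `kubernetes.io/os: linux`, whereas the chart's Deployments take theirs from values (`{{- toYaml .Values.controllerManager.nodeSelector | nindent 8 }}` and the audit equivalent, visible in the earlier patches of this series), so the Job cannot be pinned to the node pool an operator selects for Gatekeeper itself. Rendering it from a new `postInstall.labelNamespace.nodeSelector` value whose default is `kubernetes.io/os: linux` — `nodeSelector: {{- toYaml .Values.postInstall.labelNamespace.nodeSelector | nindent 8 }}`, with the indent matching the Job's pod spec — keeps this fix and restores consistency across the chart. The Job spec begins before and continues after this hunk.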