fix: do a audit run when we deploy #1901

Merged
merged 3 commits into from
Mar 14, 2022



@grosser grosser commented Mar 8, 2022

when we deploy we have to wait 15 min to get a new audit, that is a long time to wait and means that our feedback loop for "you deployed something bad" does not kick in fast enough and causes 15min of pain to our end-users if a new constraint was bad (we deploy web+audit together)

so fix this by running the audit once on start

ticker does not have an option to do an initial run as per golang/go#17601

/cc @ritazh @sozercan @ctab

@grosser grosser changed the title do a audit run when we deploy fix: do a audit run when we deploy Mar 8, 2022
Signed-off-by: Michael Grosser <michael@grosser.it>

codecov-commenter commented Mar 8, 2022

Codecov Report

Merging #1901 (2d61598) into master (9501be5) will decrease coverage by 0.19%.
The diff coverage is 0.00%.


@@            Coverage Diff             @@
##           master    #1901      +/-   ##
==========================================
- Coverage   52.28%   52.09%   -0.20%     
==========================================
  Files         100      100              
  Lines        8952     8958       +6     
==========================================
- Hits         4681     4667      -14     
- Misses       3898     3914      +16     
- Partials      373      377       +4     
| Flag | Coverage Δ |
|---|---|
| unittests | 52.09% <0.00%> (-0.20%) ⬇️ |


| Impacted Files | Coverage Δ |
|---|---|
| pkg/audit/manager.go | 0.00% <0.00%> (ø) |
| pkg/readiness/list.go | 79.41% <0.00%> (-11.77%) ⬇️ |
| pkg/watch/replay.go | 78.97% <0.00%> (-2.28%) ⬇️ |
| pkg/readiness/object_tracker.go | 82.91% <0.00%> (-1.07%) ⬇️ |
| pkg/readiness/ready_tracker.go | 69.83% <0.00%> (-0.51%) ⬇️ |
| ...onstrainttemplate/constrainttemplate_controller.go | 57.93% <0.00%> (ø) |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@maxsmythe maxsmythe left a comment


LGTM

@maxsmythe maxsmythe requested review from shomron, ritazh and sozercan March 8, 2022 07:03

ritazh commented Mar 8, 2022

@grosser Thanks for the PR!
On a fresh install, not an upgrade or restart, if CTs and constraints are deployed immediately after GK controller manager and audit are deployed, there could be a racing condition between the initial audit run and the deployment of all your CTs and constraints. Should we document this?
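
An added example (not Gatekeeper's code and not part of this PR) of the pattern under discussion: `time.Ticker` has no immediate first tick, so the loop runs the audit once at start, and it holds that first run until a readiness signal fires to avoid the startup race raised in the review. `auditLoop`, `auditsWithin` and the `ready` channel are hypothetical names, and the timings are constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// auditLoop is a hypothetical stand-in for an audit manager's run loop.
// time.Ticker delivers its first tick only after a full interval, so the loop
// runs audit once up front, but only after ready is closed (policies loaded).
func auditLoop(ctx context.Context, interval time.Duration, ready <-chan struct{}, audit func()) {
	select {
	case <-ctx.Done():
		return
	case <-ready:
		audit() // initial run: no wait for the first tick
	}
	ticker := time.NewTicker(interval) // interval counts from the initial run
	defer ticker.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			audit()
		}
	}
}

// auditsWithin counts audits completed in window; policiesLoaded controls
// whether the (constructed) readiness signal is already set at startup.
func auditsWithin(window, interval time.Duration, policiesLoaded bool) int {
	ctx, cancel := context.WithTimeout(context.Background(), window)
	defer cancel()
	ready := make(chan struct{})
	if policiesLoaded {
		close(ready)
	}
	n := 0
	auditLoop(ctx, interval, ready, func() { n++ })
	return n
}

func main() {
	// Constructed timings: a 15 minute interval observed for 50ms after start.
	fmt.Println("ready at start:", auditsWithin(50*time.Millisecond, 15*time.Minute, true))
	fmt.Println("not yet ready: ", auditsWithin(50*time.Millisecond, 15*time.Minute, false))
}
```
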


@sozercan sozercan left a comment


Thank you! LGTM

@ritazh ritazh merged commit a3d8a0d into open-policy-agent:master Mar 14, 2022
davis-haba pushed a commit to davis-haba/gatekeeper that referenced this pull request Mar 14, 2022
Signed-off-by: Michael Grosser <michael@grosser.it>

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: davis-haba <davishaba@google.com>
willbeason pushed a commit that referenced this pull request Mar 16, 2022
* Cache namespaces in targethandler

Signed-off-by: davis-haba <davishaba@google.com>

* chore: bump actions/checkout from 2 to 3 (#1888)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* fix uninstall version typo (#1890)

Signed-off-by: Avinash Desireddy <avinashr.desireddy@gmail.com>
Signed-off-by: davis-haba <davishaba@google.com>

* chore: Remove unneeded spaces in helm chart (#1885)

Signed-off-by: Manuel Rüger <manuel@rueg.eu>

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* chore: bump @docusaurus/core from 2.0.0-beta.16 to 2.0.0-beta.17 in /website (#1892)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* chore: bump @docusaurus/preset-classic from 2.0.0-beta.16 to 2.0.0-beta.17 in /website (#1893)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* docs: add instructions on how to use tilt for development (#1895)

Signed-off-by: davis-haba <davishaba@google.com>

* test: Fix `BenchmarkValidationHandler` was broken (#1896)

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* Integration test for referential data in `gator test` (#1899)

Signed-off-by: juliankatz <juliankatz@google.com>
Signed-off-by: davis-haba <davishaba@google.com>

* test: Fix `BenchmarkModifySetMutator_Mutate` was broken (#1897)

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: davis-haba <davishaba@google.com>

* gofmt target.go

Signed-off-by: davis-haba <davishaba@google.com>

* Add type assertion when pulling namespace from cache

Signed-off-by: davis-haba <davishaba@google.com>

* Do not use pointers for nsCache and RWLock when not necessary

Signed-off-by: davis-haba <davishaba@google.com>

* return error when unsuccessful reading from nscache

Signed-off-by: davis-haba <davishaba@google.com>

* Revert "return error when unsuccessful reading from nscache"

This reverts commit 95bab77.

Signed-off-by: davis-haba <davishaba@google.com>

* Add tests for nsCache

Signed-off-by: davis-haba <davishaba@google.com>

* remove unused helpers in target_test.go

Signed-off-by: davis-haba <davishaba@google.com>

* remove commented code

Signed-off-by: davis-haba <davishaba@google.com>

* gofumpt target.go and target_test.go

Signed-off-by: davis-haba <davishaba@google.com>

* re-add accidentally deleted test

Signed-off-by: davis-haba <davishaba@google.com>

* add helpers to original code location to clean up diff

Signed-off-by: davis-haba <davishaba@google.com>

* gofumpt target.go

Signed-off-by: davis-haba <davishaba@google.com>

* Add remove cache tests. Change nsCache.Get/Add API to take a namespace instead of interface. Properly wrap caching errors

Signed-off-by: davis-haba <davishaba@google.com>

* namespace cache tests verifies extraneous elements do not exist

Signed-off-by: davis-haba <davishaba@google.com>

* increment with ++ instead of +=

Signed-off-by: davis-haba <davishaba@google.com>

* Replace deprecated Ingress with new Ingress (#1906)

Signed-off-by: Zhimin Xiang <zhiminx@google.com>
Signed-off-by: davis-haba <davishaba@google.com>

* do a audit run when we deploy (#1901)

Signed-off-by: Michael Grosser <michael@grosser.it>

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: davis-haba <davishaba@google.com>

* Do not add to cache within targethandler

Signed-off-by: davis-haba <davishaba@google.com>

* use gkReq.Namespace as key when writing to cache

Signed-off-by: davis-haba <davishaba@google.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Avinash Desireddy <47186096+avinashdesireddy@users.noreply.github.com>
Co-authored-by: Manuel Rüger <manuel@rueg.eu>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Ernest Wong <chuwon@microsoft.com>
Co-authored-by: Huang Huang <mozillazg101@gmail.com>
Co-authored-by: Julian Katz <juliankatz@google.com>
Co-authored-by: Zhimin Xiang <zhiminx@google.com>
Co-authored-by: Michael Grosser <michael@grosser.it>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Will Beason <willbeason@google.com>

grosser commented Mar 22, 2022

need to revert this or someone needs to debug what is going on with #1927

maxsmythe added a commit to maxsmythe/gatekeeper that referenced this pull request Mar 23, 2022
Reverting due to open-policy-agent#1927

This reverts commit a3d8a0d.

Signed-off-by: Max Smythe <smythe@google.com>
ritazh pushed a commit that referenced this pull request Mar 23, 2022
Reverting due to #1927

This reverts commit a3d8a0d.

Signed-off-by: Max Smythe <smythe@google.com>