Update Operator to support Gatekeeper v3.5.1

.github/workflows/ci_tests.yaml

@@ -15,14 +15,9 @@ jobs:
     name: Run verify and unit tests
     runs-on: ubuntu-20.04
 
-    defaults:
-      run:
-        working-directory: gatekeeper-operator
-
     steps:
     - uses: actions/checkout@v2
       with:
-        path: gatekeeper-operator
         fetch-depth: 0 # Fetch all history for all tags and branches
 
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
@@ -55,35 +50,9 @@ jobs:
         make manifests
         git diff --exit-code
 
-    - name: Set Up Environment Variables
-      run: |
-        GATEKEEPER_VERSION=$(awk '/^GATEKEEPER_VERSION/ {print $3}' Makefile)
-        echo "GATEKEEPER_VERSION=${GATEKEEPER_VERSION}" >> ${GITHUB_ENV}
-
-    # This step is necessary to use a local clone of the Gatekeeper repo.
-    # Otherwise kustomize bulid fails using the go-getter URL format as result
-    # of https://github.com/open-policy-agent/gatekeeper/issues/1112. Also see
-    # https://github.com/kubernetes-sigs/kustomize/issues/3515 for a feature
-    # request.
-    - name: Checkout Gatekeeper to verify imported manifests
-      uses: actions/checkout@v2
-      with:
-        repository: open-policy-agent/gatekeeper
-        ref: ${{ env.GATEKEEPER_VERSION }}
-        path: gatekeeper
-        fetch-depth: 0 # Fetch all history for all tags and branches
-
-    # Build Gatekeeper manifests with some workarounds due to issue described
-    # above.
-    - name: Prepare Gatekeeper manifests for importing
-      working-directory: gatekeeper
-      run: |
-        make patch-image IMG=openpolicyagent/gatekeeper:${GATEKEEPER_VERSION}
-        sed -i '/--emit-\(audit\|admission\)-events/d' config/overlays/dev/manager_image_patch.yaml
-
     - name: Verify imported manifests
       run: |
-        make import-manifests IMPORT_MANIFESTS_PATH=${GITHUB_WORKSPACE}/gatekeeper
+        make import-manifests
         git diff --exit-code
 
     - name: Verify bindata
@@ -145,9 +114,18 @@ jobs:
     name: Run gatekeeper e2e tests
     runs-on: ubuntu-20.04
 
+    defaults:
+      run:
+        working-directory: gatekeeper-operator
+
+    strategy:
+      matrix:
+        NAMESPACE: ["gatekeeper-system"]
+
     steps:
     - uses: actions/checkout@v2
       with:
+        path: gatekeeper-operator
         fetch-depth: 0 # Fetch all history for all tags and branches
 
     # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
@@ -183,7 +161,23 @@ jobs:
         make docker-build IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA
         kind load docker-image localhost:5000/gatekeeper-operator:$GITHUB_SHA
 
+    - name: Set Up Environment Variables
+      run: |
+        GATEKEEPER_VERSION=$(awk '/^GATEKEEPER_VERSION/ {print $3}' Makefile)
+        echo "GATEKEEPER_VERSION=${GATEKEEPER_VERSION}" >> ${GITHUB_ENV}
+
+    # Checkout a local copy of Gatekeeper to use its bats e2e tests.
+    - name: Checkout Gatekeeper to verify imported manifests
+      uses: actions/checkout@v2
+      with:
+        repository: open-policy-agent/gatekeeper
+        ref: ${{ env.GATEKEEPER_VERSION }}
+        path: gatekeeper
+        fetch-depth: 0 # Fetch all history for all tags and branches
+
     - name: Gatekeeper E2E Tests
       run: |
-        make deploy-ci NAMESPACE=gatekeeper-system IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA
-        make test-gatekeeper-e2e ENABLE_MUTATION_TESTS=y
+        make deploy-ci NAMESPACE=${{ matrix.NAMESPACE }} IMG=localhost:5000/gatekeeper-operator:$GITHUB_SHA
+        make test-gatekeeper-e2e
+        cd ../gatekeeper
+        make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.NAMESPACE }} ENABLE_MUTATION_TESTS=1

Makefile

@@ -6,7 +6,7 @@ VERSION ?= v0.1.2
 # Replaces Operator version
 REPLACES_VERSION ?= $(VERSION)
 # Current Gatekeeper version
-GATEKEEPER_VERSION ?= v3.3.0
+GATEKEEPER_VERSION ?= v3.5.1
 # Default image repo
 REPO ?= quay.io/gatekeeper
 # Default bundle image tag
@@ -357,7 +357,6 @@ download-binaries:
 test-gatekeeper-e2e:
 	kubectl -n $(NAMESPACE) apply -f ./config/samples/gatekeeper_e2e_test.yaml
 	bats --version
-	bats -t test/bats/test.bats
 
 .PHONY: deploy-ci
 deploy-ci: install patch-image deploy

api/v1alpha1/gatekeeper_types.go

@@ -108,6 +108,8 @@ type WebhookConfig struct {
 	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 	// +optional
 	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+	// +optional
+	DisabledBuiltins []string `json:"disabledBuiltins,omitempty"`
 }
 
 // +kubebuilder:validation:Enum:=DEBUG;INFO;WARNING;ERROR

bundle/manifests/gatekeeper-operator.clusterserviceversion.yaml

@@ -16,7 +16,7 @@ metadata:
               "replicas": 1
             },
             "image": {
-              "image": "docker.io/openpolicyagent/gatekeeper:v3.3.0"
+              "image": "docker.io/openpolicyagent/gatekeeper:v3.5.1"
             },
             "validatingWebhook": "Enabled",
             "webhook": {
@@ -295,7 +295,7 @@ spec:
                 - /manager
                 env:
                 - name: RELATED_IMAGE_GATEKEEPER
-                  value: openpolicyagent/gatekeeper:v3.3.0
+                  value: openpolicyagent/gatekeeper:v3.5.1
                 image: quay.io/gatekeeper/gatekeeper-operator:v0.1.2
                 imagePullPolicy: Always
                 livenessProbe:
@@ -361,6 +361,7 @@ spec:
         - apiGroups:
           - ""
           resources:
+          - resourcequotas
           - secrets
           - serviceaccounts
           - services
@@ -372,6 +373,15 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - policy
+          resources:
+          - poddisruptionbudgets
+          verbs:
+          - create
+          - delete
+          - update
+          - use
         - apiGroups:
           - rbac.authorization.k8s.io
           resources:

bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml

@@ -484,6 +484,10 @@ spec:
                 type: string
               webhook:
                 properties:
+                  disabledBuiltins:
+                    items:
+                      type: string
+                    type: array
                   emitAdmissionEvents:
                     enum:
                     - Enabled

config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml

@@ -767,6 +767,10 @@ spec:
                 type: string
               webhook:
                 properties:
+                  disabledBuiltins:
+                    items:
+                      type: string
+                    type: array
                   emitAdmissionEvents:
                     enum:
                     - Enabled

config/gatekeeper/admissionregistration.k8s.io_v1beta1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml → config/gatekeeper/admissionregistration.k8s.io_v1_mutatingwebhookconfiguration_gatekeeper-mutating-webhook-configuration.yaml

@@ -1,17 +1,24 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
   creationTimestamp: null
   name: gatekeeper-mutating-webhook-configuration
 webhooks:
-- clientConfig:
-    caBundle: Cg==
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
     service:
       name: gatekeeper-webhook-service
       namespace: gatekeeper-system
       path: /v1/mutate
   failurePolicy: Ignore
+  matchPolicy: Exact
   name: mutation.gatekeeper.sh
+  namespaceSelector:
+    matchExpressions:
+    - key: admission.gatekeeper.sh/ignore
+      operator: DoesNotExist
   rules:
   - apiGroups:
     - '*'
@@ -22,3 +29,5 @@ webhooks:
     - UPDATE
     resources:
     - '*'
+  sideEffects: None
+  timeoutSeconds: 3

config/gatekeeper/admissionregistration.k8s.io_v1beta1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml → config/gatekeeper/admissionregistration.k8s.io_v1_validatingwebhookconfiguration_gatekeeper-validating-webhook-configuration.yaml

@@ -1,17 +1,20 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   labels:
     gatekeeper.sh/system: "yes"
   name: gatekeeper-validating-webhook-configuration
 webhooks:
-- clientConfig:
-    caBundle: Cg==
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
     service:
       name: gatekeeper-webhook-service
       namespace: gatekeeper-system
       path: /v1/admit
   failurePolicy: Ignore
+  matchPolicy: Exact
   name: validation.gatekeeper.sh
   namespaceSelector:
     matchExpressions:
@@ -29,13 +32,16 @@ webhooks:
     - '*'
   sideEffects: None
   timeoutSeconds: 3
-- clientConfig:
-    caBundle: Cg==
+- admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
     service:
       name: gatekeeper-webhook-service
       namespace: gatekeeper-system
       path: /v1/admitlabel
   failurePolicy: Fail
+  matchPolicy: Exact
   name: check-ignore-label.gatekeeper.sh
   rules:
   - apiGroups: