Skip to content

Commit

Permalink
chore: adding scoped ea with vap ep demo (#3687)
Browse files Browse the repository at this point in the history
Signed-off-by: Jaydip Gabani <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
  • Loading branch information
JaydipGabani and sozercan authored Nov 12, 2024
1 parent 7b77689 commit 4c6e2d4
Show file tree
Hide file tree
Showing 10 changed files with 151 additions and 0 deletions.
13 changes: 13 additions & 0 deletions demo/scoped-enforcement-actions/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
> [!WARNING]
> This is a demo of an alpha feature and is subject to change.
This demo shows:

1. Configuring different validation actions for different enforcement points.
2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled.

Please refer to <https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy> for pre-requisites and configuration steps.

## Demo

<img width= "900" height="500" src="demo.gif" alt="vap demo">
Binary file added demo/scoped-enforcement-actions/demo.gif
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
51 changes: 51 additions & 0 deletions demo/scoped-enforcement-actions/demo.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
#!/bin/bash

. ../../third_party/demo-magic/demo-magic.sh

clear

# cmd

p "Deploy the constraint template"

pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml"

p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added"

pe "cat k8srequiredlabels_template_usevap.yaml"

pe "kubectl apply -f owner_must_be_provided.yaml"

pe "cat owner_must_be_provided.yaml"

p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p ""

p "Now let's add the VAP as enforcement point and update the constraint"

pe "kubectl apply -f owner_must_be_provided_usevap.yaml"

pe "cat owner_must_be_provided_usevap.yaml"

p "VAPBinding with validation action warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP"

pe "kubectl get ValidatingAdmissionPolicy"

pe "kubectl get ValidatingAdmissionPolicyBinding"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p "THE END"

kubectl delete constrainttemplates --all
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
type: object
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
generateVAP: true
validations:
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))'
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
message: "regex mismatch"
20 changes: 20 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
23 changes: 23 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
- action: warn
enforcementPoints:
- name: vap.k8s.io
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
2 changes: 2 additions & 0 deletions website/docs/enforcement-points.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,3 +104,5 @@ spec:
- name: "audit.gatekeeper.sh"
...
```

Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
2 changes: 2 additions & 0 deletions website/docs/validating-admission-policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -174,3 +174,5 @@ spec:
- name: "validation.gatekeeper.sh"
...
```

To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.17.x/enforcement-points.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,3 +104,5 @@ spec:
- name: "audit.gatekeeper.sh"
...
```

Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
Original file line number Diff line number Diff line change
Expand Up @@ -171,3 +171,5 @@ spec:
- name: "validation.gatekeeper.sh"
...
```

To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)

0 comments on commit 4c6e2d4

Please sign in to comment.