From 6dfc0c69e51c985b07243c10bc2dbd9323e74f96 Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Thu, 7 Nov 2024 19:00:42 -0800
Subject: [PATCH] feat: moving CEL engine to GA (#3685)

Signed-off-by: Jaydip Gabani
---
 cmd/build/helmify/static/README.md | 2 +-
 cmd/gator/test/test.go | 2 +-
 main.go | 2 +-
 manifest_staging/charts/gatekeeper/README.md | 2 +-
 website/docs/validating-admission-policy.md | 7 +++++--
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 92a7fa72897..5a7e03cdc9e 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -168,7 +168,7 @@ information._
 | emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` |
 | logStatsAdmission | (alpha) Log stats for admission webhook | `false` |
 | logStatsAudit | (alpha) Log stats metrics for the audit run | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` |
 | defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
 | defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
 | defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
diff --git a/cmd/gator/test/test.go b/cmd/gator/test/test.go
index 209fba403b5..4c11e7d9198 100644
--- a/cmd/gator/test/test.go
+++ b/cmd/gator/test/test.go
@@ -73,7 +73,7 @@ func init() {
  Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
  Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
  Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
- Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
+ Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "enable the validating admission policy driver")
  Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
  Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
 }
diff --git a/main.go b/main.go
index e7f035ef736..add56d97c49 100644
--- a/main.go
+++ b/main.go
@@ -114,7 +114,7 @@ var (
  certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service")
  enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
  disabledBuiltins = util.NewFlagSet()
- enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver")
+ enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "enable the validating admission policy driver")
  externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
 )
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 92a7fa72897..5a7e03cdc9e 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
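Review bot: The new help string on the `+ enableK8sCel` line drops the beta label but still says only "enable the validating admission policy driver", while the chart README in this same patch describes the setting as allowing constraint templates to use rules written in VAP-style CEL; the in-binary `--help` is where an operator looks when deciding whether to switch a default-on admission driver off, so it should carry the same meaning. I would change the string to `"enable the K8s native validating driver so constraint templates can use rules written in VAP-style CEL"`, and give the identical flag in cmd/gator/test/test.go the same text so the two surfaces stay in sync (the default of true is already printed by the flag package, so it need not be repeated). The `var (` block holding this flag starts above the hunk.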
@@ -168,7 +168,7 @@ information._
 | emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` |
 | logStatsAdmission | (alpha) Log stats for admission webhook | `false` |
 | logStatsAudit | (alpha) Log stats metrics for the audit run | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` |
 | defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
 | defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
 | defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index 990ea9fd351..a6e3f53717c 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -4,8 +4,11 @@ title: Integration with Kubernetes Validating Admission Policy
 ---
 Validating Admission Policy CEL validation in Gatekeeper:
-Feature State: Gatekeeper version v3.17 (beta)
-❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --enable-k8s-native-validation=false` to disable evaluating Validating Admission Policy CEL in constraint templates.
+Feature State: Gatekeeper version v3.18 (stable)
+
+:::note
+Set --enable-k8s-native-validation=false` to disable evaluating Validating Admission Policy CEL in constraint templates.
+:::
 VAP management through Gatekeeper:
 Feature State: Gatekeeper version v3.16 (alpha)