Skip to content

Commit

Permalink
Merge branch 'master' into dependabot/go_modules/github.com/prometheu…
Browse files Browse the repository at this point in the history
…s/client_golang-1.20.5
  • Loading branch information
sozercan authored Nov 13, 2024
2 parents b15c2e6 + cf4a480 commit 89f1509
Show file tree
Hide file tree
Showing 36 changed files with 637 additions and 298 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,12 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Initialize CodeQL
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/init@9278e421667d5d90a2839487a482448c4ec7df4d
with:
languages: go

- name: Autobuild
uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/autobuild@9278e421667d5d90a2839487a482448c4ec7df4d

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/analyze@9278e421667d5d90a2839487a482448c4ec7df4d
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.5.2
- name: 'Dependency Review'
uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
2 changes: 1 addition & 1 deletion .github/workflows/scan-vulns.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ jobs:
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
TRIVY_VERSION: "0.46.0"
TRIVY_VERSION: "0.57.0"

- name: Run trivy on git repository
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
uses: github/codeql-action/upload-sarif@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2
with:
sarif_file: results.sarif
4 changes: 2 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:2341ddffd3eddb72e0aebab476222fbc24d4a507c4d490a51892ec861bdb71fc AS builder
FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:0e3377d7a71c1fcb31cdc3215292712e83baec44e4792aeaa75e503cfcae16ec AS builder

ARG TARGETPLATFORM
ARG TARGETOS
Expand All @@ -18,7 +18,7 @@ COPY . .

RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager

FROM gcr.io/distroless/static-debian12@sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea
FROM gcr.io/distroless/static-debian12@sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196

WORKDIR /
COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager .
Expand Down
3 changes: 1 addition & 2 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --disable-opa-builtin=http.send\
\n - --log-mutations\
\n - --mutation-annotations\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --log-level=${LOG_LEVEL}\
\n---\
\napiVersion: apps/v1\
Expand All @@ -94,6 +92,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --operation=audit\
\n - --operation=status\
\n - --operation=mutation-status\
\n - --operation=generate\
\n - --audit-chunk-size=500\
\n - --logtostderr\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
Expand Down
2 changes: 1 addition & 1 deletion build/tooling/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM golang:1.23-bookworm@sha256:2341ddffd3eddb72e0aebab476222fbc24d4a507c4d490a51892ec861bdb71fc
FROM golang:1.23-bookworm@sha256:0e3377d7a71c1fcb31cdc3215292712e83baec44e4792aeaa75e503cfcae16ec

RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/[email protected]
RUN GO111MODULE=on go install k8s.io/code-generator/cmd/[email protected]
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,7 @@ spec:
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
- --operation=generate
- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS
- HELMSUBST_MUTATION_STATUS_ENABLED_ARG
- --logtostderr
Expand All @@ -192,6 +193,7 @@ spec:
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- HELMSUBST_DEPLOYMENT_DEFAULT_CREATE_VAP_FOR_TEMPLATES
- HELMSUBST_DEPLOYMENT_DEFAULT_CREATE_VAPB_FOR_CONSTRAINTS
- HELMSUBST_DEPLOYMENT_AUDIT_DEFAULT_WAIT_VAPB_GENERATION
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""
ports:
Expand Down
4 changes: 4 additions & 0 deletions cmd/build/helmify/replacements.go
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,10 @@ var replacements = map[string]string{

"- HELMSUBST_MUTATION_STATUS_ENABLED_ARG": `{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}`,

"- HELMSUBST_DEPLOYMENT_AUDIT_DEFAULT_WAIT_VAPB_GENERATION": `{{ if hasKey .Values "defaultWaitForVAPBGeneration"}}
- --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
{{- end }}`,

"- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS": `{{ if hasKey .Values.audit "enablePubsub" }}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
{{- end }}
Expand Down
3 changes: 2 additions & 1 deletion cmd/build/helmify/static/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,9 +168,10 @@ information._
| emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` |
| logStatsAdmission | (alpha) Log stats for admission webhook | `false` |
| logStatsAudit | (alpha) Log stats metrics for the audit run | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` |
| defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
| defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
| defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
Expand Down
2 changes: 1 addition & 1 deletion cmd/gator/test/test.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ func init() {
Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "enable the validating admission policy driver")
Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
}
Expand Down
2 changes: 1 addition & 1 deletion crd.Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.31.1 AS builder
FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.31.2 AS builder

ARG TARGETPLATFORM
ARG TARGETOS
Expand Down
13 changes: 13 additions & 0 deletions demo/scoped-enforcement-actions/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
> [!WARNING]
> This is a demo of an alpha feature and is subject to change.
This demo shows:

1. Configuring different validation actions for different enforcement points.
2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled.

Please refer to <https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy> for pre-requisites and configuration steps.

## Demo

<img width= "900" height="500" src="demo.gif" alt="vap demo">
Binary file added demo/scoped-enforcement-actions/demo.gif
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
51 changes: 51 additions & 0 deletions demo/scoped-enforcement-actions/demo.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
#!/bin/bash

. ../../third_party/demo-magic/demo-magic.sh

clear

# cmd

p "Deploy the constraint template"

pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml"

p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added"

pe "cat k8srequiredlabels_template_usevap.yaml"

pe "kubectl apply -f owner_must_be_provided.yaml"

pe "cat owner_must_be_provided.yaml"

p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p ""

p "Now let's add the VAP as enforcement point and update the constraint"

pe "kubectl apply -f owner_must_be_provided_usevap.yaml"

pe "cat owner_must_be_provided_usevap.yaml"

p "VAPBinding with validation action warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP"

pe "kubectl get ValidatingAdmissionPolicy"

pe "kubectl get ValidatingAdmissionPolicyBinding"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p "THE END"

kubectl delete constrainttemplates --all
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
type: object
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
generateVAP: true
validations:
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))'
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
message: "regex mismatch"
20 changes: 20 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
23 changes: 23 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
- action: warn
enforcementPoints:
- name: vap.k8s.io
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
4 changes: 2 additions & 2 deletions gator.Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:2341ddffd3eddb72e0aebab476222fbc24d4a507c4d490a51892ec861bdb71fc AS builder
FROM --platform=$BUILDPLATFORM golang:1.23-bookworm@sha256:0e3377d7a71c1fcb31cdc3215292712e83baec44e4792aeaa75e503cfcae16ec AS builder

ARG TARGETPLATFORM
ARG TARGETOS
Expand All @@ -17,7 +17,7 @@ WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/cmd/gator

RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o /gator

FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-debian12@sha256:69830f29ed7545c762777507426a412f97dad3d8d32bae3e74ad3fb6160917ea AS build
FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-debian12@sha256:f4a57e8ffd7ba407bdd0eb315bb54ef1f21a2100a7f032e9102e4da34fe7c196 AS build
USER 65532:65532
COPY --from=builder --chown=65532:65532 /gator /gator
ENTRYPOINT ["/gator"]
12 changes: 6 additions & 6 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -39,11 +39,11 @@ require (
google.golang.org/protobuf v1.34.2
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
k8s.io/api v0.30.5
k8s.io/apiextensions-apiserver v0.30.5
k8s.io/apimachinery v0.30.5
k8s.io/apiserver v0.30.5
k8s.io/client-go v0.30.5
k8s.io/api v0.30.6
k8s.io/apiextensions-apiserver v0.30.6
k8s.io/apimachinery v0.30.6
k8s.io/apiserver v0.30.6
k8s.io/client-go v0.30.6
k8s.io/klog/v2 v2.120.1
k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0
oras.land/oras-go v1.2.5
Expand Down Expand Up @@ -150,7 +150,7 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20240722135656-d784300faade // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
k8s.io/component-base v0.30.5 // indirect
k8s.io/component-base v0.30.6 // indirect
k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
Expand Down
Loading

0 comments on commit 89f1509

Please sign in to comment.