
Commit

fix: adding flag to validate rego for templates (#3026)
Signed-off-by: Jaydip Gabani <[email protected]>
Co-authored-by: Sertaç Özercan <[email protected]>
JaydipGabani and sozercan authored Oct 4, 2023
1 parent 40c43f2 commit 976ae01
Showing 7 changed files with 34 additions and 5 deletions.
4 changes: 2 additions & 2 deletions demo/k8s-validating-admission-policy/README.md
@@ -1,7 +1,7 @@
This is a demo of a prototype-stage feature and is subject to change.

The demo will not work unless the --experimental-enable-k8s-native-validation is
set.
The demo will not work unless the `--experimental-enable-k8s-native-validation`` is
set. Please set `--validate-template-rego` to `false` if using Gatekeeper version 3.13.1+ but before 3.16.0.

Note that the contents of the constraint template have changed since cutting
Gatekeeper's v3.13.0 release. To try this with the development build of
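Review bot: the new first line has a stray trailing backtick in `--experimental-enable-k8s-native-validation`` and is still missing the word "flag" after it; suggest "unless the `--experimental-enable-k8s-native-validation` flag is set". The range "3.13.1+ but before 3.16.0" on the next line is the only place in this change that states in which releases `--validate-template-rego` exists; the flag help text in pkg/webhook/policy.go and the two docs admonitions only name the removal version, so consider repeating the range there so all three agree.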
6 changes: 6 additions & 0 deletions main.go
@@ -404,6 +404,12 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle

cfArgs := []constraintclient.Opt{constraintclient.Targets(&target.K8sValidationTarget{})}

if *webhook.ValidateTemplateRego && *enableK8sCel {
err := fmt.Errorf("cannot validate template rego when K8s cel is enabled. Please disable K8s cel by setting --experimental-enable-k8s-native-validation=false or disable template rego validation by setting --validate-template-rego=false")
setupLog.Error(err, "unable to set up OPA and K8s native drivers")
return err
}

if *enableK8sCel {
// initialize K8sValidation
k8sDriver, err := k8scel.New()
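Review bot: the error string in the new `if *webhook.ValidateTemplateRego && *enableK8sCel` block is written as two sentences with a capitalised "Please"; Go error strings are conventionally lowercase fragments because callers wrap them (here it is logged via `setupLog.Error` and then returned), so something like `fmt.Errorf("cannot validate template rego when K8s CEL is enabled; set --experimental-enable-k8s-native-validation=false or --validate-template-rego=false")` reads better in both places. Separately, because `validate-template-rego` defaults to true, every existing deployment that already passes `--experimental-enable-k8s-native-validation` will hit this hard startup failure on upgrade until the new flag is added; that is a breaking change for those users and deserves a release note, not only a README sentence.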
21 changes: 20 additions & 1 deletion pkg/webhook/policy.go
@@ -30,6 +30,7 @@ import (
externaldataUnversioned "github.com/open-policy-agent/frameworks/constraint/pkg/apis/externaldata/unversioned"
constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers"
"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
"github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
rtypes "github.com/open-policy-agent/frameworks/constraint/pkg/types"
@@ -68,7 +69,10 @@ import (
// https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response
const httpStatusWarning = 299

var maxServingThreads = flag.Int("max-serving-threads", -1, "cap the number of threads handling non-trivial requests, -1 caps the number of threads to GOMAXPROCS. Defaults to -1.")
var (
ValidateTemplateRego = flag.Bool("validate-template-rego", true, "validate Rego code for constraint templates. Defaults to true. This flag will be removed in Gatekeeper v3.16 and cannot be used if `experimental-enable-k8s-native-validation` flag is set. Use Gator to validate in shift left manner to avoid impact with this behavior change.). Use Gator to validate in shift left manner to avoid impact with this behavior change.")
maxServingThreads = flag.Int("max-serving-threads", -1, "cap the number of threads handling non-trivial requests, -1 caps the number of threads to GOMAXPROCS. Defaults to -1.")
)

func init() {
AddToManagerFuncs = append(AddToManagerFuncs, AddPolicyWebhook)
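Review bot: the help text for `ValidateTemplateRego` has a stray `).` after "behavior change" and then repeats the sentence "Use Gator to validate in shift left manner to avoid impact with this behavior change." a second time; drop the `).` and the duplicate. On the same line, "cannot be used if `experimental-enable-k8s-native-validation` flag is set" wants "if the ... flag is set", and the removal version is given as "v3.16" here, "before 3.16" in the TODO in `validateTemplate`, and "3.16 and later" in the docs; pick one form.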
@@ -382,6 +386,21 @@ func (h *validationHandler) validateTemplate(ctx context.Context, req *admission
return true, err
}

// TODO: This is a temporary check for rego to give enough time to users to migrate to gator for validation. To be removed before 3.16.
if *ValidateTemplateRego {
// Create a temporary Driver and attempt to add the Template to it. This
// ensures the Rego code both parses and compiles.
d, err := rego.New()
if err != nil {
return false, fmt.Errorf("unable to create Driver: %w", err)
}

err = d.AddTemplate(ctx, unversioned)
if err != nil {
return true, err
}
}

return false, nil
}
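Review bot: the two error paths inside the new `if *ValidateTemplateRego` block return different first values, `false` when `rego.New()` fails and `true` when `d.AddTemplate` fails, with nothing saying what the bool means. It mirrors the `return true, err` immediately above, and reads as "true = the submitted template is invalid, false = internal failure", but since this block is marked for removal a one-line comment stating that convention would stop the next maintainer from "fixing" the asymmetry. Also worth stating in the docs rather than only in the TODO: with the flag set to false this function returns `false, nil` for a template whose Rego does not compile, so admission no longer rejects it and the compile error surfaces only later, outside the webhook.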

2 changes: 2 additions & 0 deletions website/docs/constrainttemplates.md
@@ -8,6 +8,8 @@ ConstraintTemplates define a way to validate some set of Kubernetes objects in G
1. [Rego](https://www.openpolicyagent.org/docs/latest/#rego) code that defines a policy violation
2. The schema of the accompanying `Constraint` object, which represents an instantiation of a `ConstraintTemplate`

> ❗ Validation of Rego for constraint templates is enabled by default. Set `validate-template-rego` flag to `false` to disable rego validation if you want to use `experimental-enable-k8s-native-validation` Kubernetes CEL based policies as well. This flag will be removed from Gatekeeper 3.16 and later, please make use of [Gator](https://open-policy-agent.github.io/gatekeeper/website/docs/gator) to validate constraint template in shift left manner to avoid any impact with this behavior change.
## `v1` Constraint Template

In release version 3.6.0, Gatekeeper included the `v1` version of `ConstraintTemplate`. Unlike past versions of `ConstraintTemplate`, `v1` requires the Constraint schema section to be [structural](https://kubernetes.io/blog/2019/06/20/crd-structural-schema/).
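Review bot: the new admonition is inserted with no blank line before the `## `v1` Constraint Template` heading, unlike the blank-line-separated blocks around it; add one. Wording: "Set `validate-template-rego` flag" wants "the", "shift left manner" is normally "shift-left", and "validate constraint template" should be plural. More importantly, "Set ... to `false` ... if you want to use ... CEL based policies as well" understates what main.go in this same commit does: leaving both flags on is a startup error, not a soft incompatibility, and the admonition should say so.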
2 changes: 1 addition & 1 deletion website/docs/validating-admission-policy.md
@@ -6,7 +6,7 @@ title: Integration with Kubernetes Validating Admission Policy
`Feature State`: Gatekeeper version v3.13+ (pre-alpha)

> ❗ This feature is pre-alpha, subject to change (feedback is welcome!). It is disabled by default. To enable the feature,
> set the `experimental-enable-k8s-native-validation` flag to true and use the [development build of Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/install/#deploying-a-release-using-development-image).
> set the `experimental-enable-k8s-native-validation` flag to true and use the [development build of Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/install/#deploying-a-release-using-development-image). Do not use this feature with `validate-template-rego` flag enabled, as the policies with CEL would get rejected with Rego compilation error.
## Description

2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.13.x/constrainttemplates.md
@@ -8,6 +8,8 @@ ConstraintTemplates define a way to validate some set of Kubernetes objects in G
1. [Rego](https://www.openpolicyagent.org/docs/latest/#rego) code that defines a policy violation
2. The schema of the accompanying `Constraint` object, which represents an instantiation of a `ConstraintTemplate`

> ❗ Validation of Rego for constraint templates is enabled by default. Set `validate-template-rego` flag to `false` to disable rego validation if you want to use `experimental-enable-k8s-native-validation` Kubernetes CEL based policies as well. This flag will be removed from Gatekeeper 3.16 and later, please make use of [Gator](https://open-policy-agent.github.io/gatekeeper/website/docs/gator) to validate constraint template in shift left manner to avoid any impact with this behavior change.
## `v1` Constraint Template

In release version 3.6.0, Gatekeeper included the `v1` version of `ConstraintTemplate`. Unlike past versions of `ConstraintTemplate`, `v1` requires the Constraint schema section to be [structural](https://kubernetes.io/blog/2019/06/20/crd-structural-schema/).
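Review bot: this is a verbatim copy of the admonition added to website/docs/constrainttemplates.md and carries the same issues: no blank line before the `## `v1` Constraint Template` heading, "Set `validate-template-rego` flag" missing "the", "shift left manner" for "shift-left", singular "constraint template", and no mention that running both flags together is a startup error per main.go. Since this is the v3.13.x versioned page, it is also the one place where the "3.13.1+" lower bound from the README belongs.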
@@ -6,7 +6,7 @@ title: Integration with Kubernetes Validating Admission Policy
`Feature State`: Gatekeeper version v3.13+ (pre-alpha)

> ❗ This feature is pre-alpha, subject to change (feedback is welcome!). It is disabled by default. To enable the feature,
> set the `experimental-enable-k8s-native-validation` flag to true and use the [development build of Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/install/#deploying-a-release-using-development-image).
> set the `experimental-enable-k8s-native-validation` flag to true and use the [development build of Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/docs/install/#deploying-a-release-using-development-image). Do not use this feature with `validate-template-rego` flag enabled, as the policies with CEL would get rejected with Rego compilation error.
## Description
