Skip to content

Commit

Permalink
Merge branch 'master' into dependabot/docker/golang-0e3377d
Browse files Browse the repository at this point in the history
  • Loading branch information
sozercan authored Nov 13, 2024
2 parents 968fc1d + 69542de commit b3dfb59
Show file tree
Hide file tree
Showing 14 changed files with 159 additions and 8 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,12 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Initialize CodeQL
uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/init@9278e421667d5d90a2839487a482448c4ec7df4d
with:
languages: go

- name: Autobuild
uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/autobuild@9278e421667d5d90a2839487a482448c4ec7df4d

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
uses: github/codeql-action/analyze@9278e421667d5d90a2839487a482448c4ec7df4d
2 changes: 1 addition & 1 deletion .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.5.2
- name: 'Dependency Review'
uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
2 changes: 1 addition & 1 deletion .github/workflows/scan-vulns.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ jobs:
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
TRIVY_VERSION: "0.46.0"
TRIVY_VERSION: "0.57.0"

- name: Run trivy on git repository
run: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
uses: github/codeql-action/upload-sarif@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2
with:
sarif_file: results.sarif
13 changes: 13 additions & 0 deletions demo/scoped-enforcement-actions/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
> [!WARNING]
> This is a demo of an alpha feature and is subject to change.
This demo shows:

1. Configuring different validation actions for different enforcement points.
2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled.

Please refer to <https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy> for pre-requisites and configuration steps.

## Demo

<img width= "900" height="500" src="demo.gif" alt="vap demo">
Binary file added demo/scoped-enforcement-actions/demo.gif
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
51 changes: 51 additions & 0 deletions demo/scoped-enforcement-actions/demo.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
#!/bin/bash

. ../../third_party/demo-magic/demo-magic.sh

clear

# cmd

p "Deploy the constraint template"

pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml"

p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added"

pe "cat k8srequiredlabels_template_usevap.yaml"

pe "kubectl apply -f owner_must_be_provided.yaml"

pe "cat owner_must_be_provided.yaml"

p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p ""

p "Now let's add the VAP as enforcement point and update the constraint"

pe "kubectl apply -f owner_must_be_provided_usevap.yaml"

pe "cat owner_must_be_provided_usevap.yaml"

p "VAPBinding with validation action warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP"

pe "kubectl get ValidatingAdmissionPolicy"

pe "kubectl get ValidatingAdmissionPolicyBinding"

p "Let's test the policy"

pe "kubectl create ns test"

p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules"

p "THE END"

kubectl delete constrainttemplates --all
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8srequiredlabels
spec:
crd:
spec:
names:
kind: K8sRequiredLabels
validation:
# Schema for the `parameters` field
openAPIV3Schema:
type: object
properties:
message:
type: string
labels:
type: array
items:
type: object
properties:
key:
type: string
allowedRegex:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
code:
- engine: K8sNativeValidation
source:
generateVAP: true
validations:
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))'
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
- expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
message: "regex mismatch"
20 changes: 20 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
23 changes: 23 additions & 0 deletions demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
name: all-must-have-owner
spec:
enforcementAction: scoped
scopedEnforcementActions:
- action: deny
enforcementPoints:
- name: validation.gatekeeper.sh
- name: audit.gatekeeper.sh
- action: warn
enforcementPoints:
- name: vap.k8s.io
match:
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
message: "All namespaces must have an `owner` label that points to your company username"
labels:
- key: owner
allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
2 changes: 2 additions & 0 deletions website/docs/enforcement-points.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,3 +104,5 @@ spec:
- name: "audit.gatekeeper.sh"
...
```

Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
4 changes: 3 additions & 1 deletion website/docs/validating-admission-policy.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ With this new engine and source added to the constraint template, now Gatekeeper
For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook.
The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper
`--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha.
`--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha.

To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template.

Expand Down Expand Up @@ -174,3 +174,5 @@ spec:
- name: "validation.gatekeeper.sh"
...
```

To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)
2 changes: 2 additions & 0 deletions website/versioned_docs/version-v3.17.x/enforcement-points.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,3 +104,5 @@ spec:
- name: "audit.gatekeeper.sh"
...
```

Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ With this new engine and source added to the constraint template, now Gatekeeper
For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook.
The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper
`--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha.
`--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha.

To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template.

Expand Down Expand Up @@ -171,3 +171,5 @@ spec:
- name: "validation.gatekeeper.sh"
...
```

To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)

0 comments on commit b3dfb59

Please sign in to comment.