diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index d6dff30db20..6b0b2ef4e39 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -25,12 +25,12 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 - name: Initialize CodeQL
- uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd
+ uses: github/codeql-action/init@9278e421667d5d90a2839487a482448c4ec7df4d
 with:
 languages: go
 - name: Autobuild
- uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd
+ uses: github/codeql-action/autobuild@9278e421667d5d90a2839487a482448c4ec7df4d
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd
+ uses: github/codeql-action/analyze@9278e421667d5d90a2839487a482448c4ec7df4d
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index dc0f89db1bf..e06244fccea 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -24,4 +24,4 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.5.2
 - name: 'Dependency Review'
- uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
+ uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4.4.0
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index 564e1e5dc5a..83c5162bfbb 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -62,7 +62,7 @@ jobs:
 tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
 echo "$(pwd)" >> $GITHUB_PATH
 env:
- TRIVY_VERSION: "0.46.0"
+ TRIVY_VERSION: "0.57.0"
 - name: Run trivy on git repository
 run: |
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 163143ff0b1..8c265e9c0f4 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+ uses: github/codeql-action/upload-sarif@9278e421667d5d90a2839487a482448c4ec7df4d # v3.27.2
 with:
 sarif_file: results.sarif
diff --git a/demo/scoped-enforcement-actions/README.md b/demo/scoped-enforcement-actions/README.md
new file mode 100644
index 00000000000..97ca75134ff
--- /dev/null
+++ b/demo/scoped-enforcement-actions/README.md
@@ -0,0 +1,13 @@
+> [!WARNING]
+> This is a demo of an alpha feature and is subject to change.
+
+This demo shows:
+
+1. Configuring different validation actions for different enforcement points.
+2. Integration with VAP as enforcement point such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled.
+
+Please refer to for pre-requisites and configuration steps.
+
+## Demo
+
+vap demo
diff --git a/demo/scoped-enforcement-actions/demo.gif b/demo/scoped-enforcement-actions/demo.gif
new file mode 100644
index 00000000000..bacf06f8db8
Binary files /dev/null and b/demo/scoped-enforcement-actions/demo.gif differ
diff --git a/demo/scoped-enforcement-actions/demo.sh b/demo/scoped-enforcement-actions/demo.sh
new file mode 100755
index 00000000000..30090f7d423
--- /dev/null
+++ b/demo/scoped-enforcement-actions/demo.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+. ../../third_party/demo-magic/demo-magic.sh
+
+clear
+
+# cmd
+
+p "Deploy the constraint template"
+
+pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml"
+
+p "View Constraint template to see the K8sNativeValidation engine and CEL rules are added"
+
+pe "cat k8srequiredlabels_template_usevap.yaml"
+
+pe "kubectl apply -f owner_must_be_provided.yaml"
+
+pe "cat owner_must_be_provided.yaml"
+
+p "Notice that only audit and validation is added as enforcement points and VAP as enforcement point is not added in the constraint"
+
+p "Let's test the policy"
+
+pe "kubectl create ns test"
+
+p "Note the namespace was blocked by the Gatekeeper webhook as evaluated by the CEL rules"
+
+p ""
+
+p "Now let's add the VAP as enforcement point and update the constraint"
+
+pe "kubectl apply -f owner_must_be_provided_usevap.yaml"
+
+pe "cat owner_must_be_provided_usevap.yaml"
+
+p "VAPBinding with validation action warn should get created automatically with inclusion of VAP as enforcement point with warn action since ConstraintTemplate has CEL and intent to use VAP"
+
+pe "kubectl get ValidatingAdmissionPolicy"
+
+pe "kubectl get ValidatingAdmissionPolicyBinding"
+
+p "Let's test the policy"
+
+pe "kubectl create ns test"
+
+p "Note the warning is generated by the ValidatingAdmissionPolicy admission controller and the namespace is blocked by the Gatekeeper webhook as evaluated by the CEL rules"
+
+p "THE END"
+
+kubectl delete constrainttemplates --all
diff --git a/demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml b/demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml
new file mode 100644
index 00000000000..169afbf9d0a
--- /dev/null
+++ b/demo/scoped-enforcement-actions/k8srequiredlabels_template_usevap.yaml
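Review bot: The cleanup on the last line, `kubectl delete constrainttemplates --all`, removes every ConstraintTemplate in the cluster rather than only the one this demo applied, which is destructive on any shared cluster; scope it to the demo's own resource with `kubectl delete -f k8srequiredlabels_template_usevap.yaml`. Both `kubectl create ns test` commands are expected to be rejected, but if the first one is admitted (for example because the constraint has not been synced yet) the namespace persists and the second create fails with AlreadyExists instead of showing the VAP warning, so the cleanup should also run `kubectl delete ns test --ignore-not-found` to keep reruns clean. The `kubectl get ValidatingAdmissionPolicy` and `kubectl get ValidatingAdmissionPolicyBinding` steps appear to rely on Gatekeeper having generated those resources by the time the presenter presses Enter; a one-line comment above them noting that the VAP and VAPB are created asynchronously would help whoever adapts the script.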
@@ -0,0 +1,36 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: k8srequiredlabels
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sRequiredLabels
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ message:
+ type: string
+ labels:
+ type: array
+ items:
+ type: object
+ properties:
+ key:
+ type: string
+ allowedRegex:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ code:
+ - engine: K8sNativeValidation
+ source:
+ generateVAP: true
+ validations:
+ - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels))'
+ messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
+ - expression: '(has(variables.anyObject.metadata) && variables.params.labels.all(entry, has(variables.anyObject.metadata.labels) && entry.key in variables.anyObject.metadata.labels && string(variables.anyObject.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))'
+ message: "regex mismatch"
diff --git a/demo/scoped-enforcement-actions/owner_must_be_provided.yaml b/demo/scoped-enforcement-actions/owner_must_be_provided.yaml
new file mode 100644
index 00000000000..da1b7c2d230
--- /dev/null
+++ b/demo/scoped-enforcement-actions/owner_must_be_provided.yaml
@@ -0,0 +1,20 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: all-must-have-owner
+spec:
+ enforcementAction: scoped
+ scopedEnforcementActions:
+ - action: deny
+ enforcementPoints:
+ - name: validation.gatekeeper.sh
+ - name: audit.gatekeeper.sh
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ message: "All namespaces must have an `owner` label that points to your company username"
+ labels:
+ - key: owner
+ allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
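Review bot: The `labels` item schema declares `key` and `allowedRegex` but marks neither as required, so a constraint whose entry omits `allowedRegex` passes CRD validation and the second expression's `entry.allowedRegex` then most likely fails at evaluation time with a no-such-key error instead of being rejected at `kubectl apply`; add `required: ["key", "allowedRegex"]` under the item's `type: object`. The second validation returns the static `message: "regex mismatch"` while the first uses a `messageExpression`; naming the offending key there, in the same `variables.params.labels.map(entry, entry.key)` style, makes the denial actionable. Because `generateVAP: true` hands these expressions to the API server's in-process admission controller, an evaluation error there is governed by the generated policy's failure policy rather than by the Gatekeeper webhook, which is a further reason to reject malformed parameters at the schema.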
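Review bot: The `allowedRegex` value `"^[a-zA-Z]+.agilebank.demo$"` leaves both dots unescaped, so each `.` matches any character and the template's `matches()` check also accepts an owner such as `bobXagilebankXdemo` (constructed example). Since `\.` is not a valid escape inside a YAML double-quoted scalar, switch to single quotes and escape the dots: `allowedRegex: '^[a-zA-Z]+\.agilebank\.demo$'`. The same value appears in `owner_must_be_provided_usevap.yaml` in the next hunk and needs the same fix.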
diff --git a/demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml b/demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
new file mode 100644
index 00000000000..eff947b9b10
--- /dev/null
+++ b/demo/scoped-enforcement-actions/owner_must_be_provided_usevap.yaml
@@ -0,0 +1,23 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+ name: all-must-have-owner
+spec:
+ enforcementAction: scoped
+ scopedEnforcementActions:
+ - action: deny
+ enforcementPoints:
+ - name: validation.gatekeeper.sh
+ - name: audit.gatekeeper.sh
+ - action: warn
+ enforcementPoints:
+ - name: vap.k8s.io
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Namespace"]
+ parameters:
+ message: "All namespaces must have an `owner` label that points to your company username"
+ labels:
+ - key: owner
+ allowedRegex: "^[a-zA-Z]+.agilebank.demo$"
diff --git a/website/docs/enforcement-points.md b/website/docs/enforcement-points.md
index 0b7f226b83e..7661b1922ba 100644
--- a/website/docs/enforcement-points.md
+++ b/website/docs/enforcement-points.md
@@ -104,3 +104,5 @@ spec:
 - name: "audit.gatekeeper.sh"
 ...
 ```
+
+Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index a6e3f53717c..7482d73722c 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -116,7 +116,7 @@ With this new engine and source added to the constraint template, now Gatekeeper For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook. The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper -`--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. +`--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template.
@@ -174,3 +174,5 @@ spec:
 - name: "validation.gatekeeper.sh"
 ...
 ```
+
+To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)
diff --git a/website/versioned_docs/version-v3.17.x/enforcement-points.md b/website/versioned_docs/version-v3.17.x/enforcement-points.md
index 0b7f226b83e..7661b1922ba 100644
--- a/website/versioned_docs/version-v3.17.x/enforcement-points.md
+++ b/website/versioned_docs/version-v3.17.x/enforcement-points.md
@@ -104,3 +104,5 @@ spec:
 - name: "audit.gatekeeper.sh"
 ...
 ```
+
+Checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions) to understand how enforcement points and actions work.
diff --git a/website/versioned_docs/version-v3.17.x/validating-admission-policy.md b/website/versioned_docs/version-v3.17.x/validating-admission-policy.md
index 990ea9fd351..44459767089 100644
--- a/website/versioned_docs/version-v3.17.x/validating-admission-policy.md
+++ b/website/versioned_docs/version-v3.17.x/validating-admission-policy.md
@@ -113,7 +113,7 @@ With this new engine and source added to the constraint template, now Gatekeeper For some policies, you may want admission requests to be handled by the K8s Validating Admission Controller instead of the Gatekeeper admission webhook. The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper -`--default-create-vap-binding-for-constraint` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. +`--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `false` while the feature is still in alpha. To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template.
@@ -171,3 +171,5 @@ spec:
 - name: "validation.gatekeeper.sh"
 ...
 ```
+
+To see this in action, checkout this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/scoped-enforcement-actions)