feat: adding scopedenforcementactions

[JaydipGabani]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #2266 #2945

Special notes for your reviewer:
Depends on #frameworks/403

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 52.83843% with 108 lines in your changes missing coverage. Please review.

Project coverage is 48.25%. Comparing base (3350319) to head (ee74b6c).
Report is 112 commits behind head on master.

Files	Patch %	Lines
pkg/webhook/policy.go	26.31%	42 Missing ⚠️
pkg/audit/manager.go	3.12%	31 Missing ⚠️
pkg/controller/constraint/constraint_controller.go	30.30%	23 Missing ⚠️
pkg/util/enforcement_action.go	87.87%	4 Missing and 4 partials ⚠️
cmd/gator/test/test.go	0.00%	3 Missing ⚠️
pkg/gator/test/test.go	66.66%	1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (ee74b6c). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (3350319)	HEAD (ee74b6c)
unittests	2	1

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3321      +/-   ##
==========================================
- Coverage   54.49%   48.25%   -6.25%     
==========================================
  Files         134      219      +85     
  Lines       12329    14989    +2660     
==========================================
+ Hits         6719     7233     +514     
- Misses       5116     6946    +1830     
- Partials      494      810     +316     

Flag	Coverage Δ
unittests	48.25% <52.83%> (-6.25%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sozercan]

webhook?

[JaydipGabani]

can you clarify a little more here wdym? @sozercan

This is a test for constraint without audit enforcementPoint.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[maxsmythe]

Much of this logic goes away with #3398

[JaydipGabani]

Agreed.

[maxsmythe]

I don't think we can change the schema here without breaking backwards compatibility.

[maxsmythe]

Backwards compatibility concern?

[ritazh]

To ensure backwards compatibility, we could add a new EnforcementActions instead and not touch the existing field. wdyt? same would apply for logs and events.

[maxsmythe]

This is a backwards compatibility concern because it affects semantic logging. We could just log one message per enforcement action, though. Or add a new field (though what value would enforcementAction have?)

[JaydipGabani]

We can probably serialize the array. Something like deny/warn in-case if enforcemet point is duplicated in scopedEA config.

[ritazh]

to ensure backwards compat, the existing enforcementAction should remain untouched. lets create a new field instead.

[ritazh]

This error is when updating constraint status failed right? please update the log message.

[maxsmythe]

We should probably just calculate these errors directly, rather than packing multiple values into a bool and then unpacking them again.

[maxsmythe]

second instance of a concatenated string (backwards compatibility concern)

[JaydipGabani]

Will remove this if needed after we reach to a conclusion on - open-policy-agent/frameworks#403 (comment)

[JaydipGabani]

remove this if need be after we reach conclusion on - open-policy-agent/frameworks#403 (comment)

[ritazh]

in this test, when webhookep has both action warn and deny, which one wins?

[JaydipGabani]

if both the actions are there ultimatly the request is denied but output containes warning and deny and looks like this -

Warning: [cm-must-have-gk-scoped] you must provide labels: {"gatekeeper"}
Error from server (Forbidden): error when creating "/mount/d/go/src/github.com/open-policy-agent/gatekeeper/test/bats/tests/bad/bad_cm_scoped.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [cm-must-have-gk-scoped] you must provide labels: {"gatekeeper"}

[ritazh]

log error

[JaydipGabani]

Logging error

[ritazh]

log error

[ritazh]

is there a test that validates this error is written to the constraint's status errors?

[JaydipGabani]

Added the test constrainttemplate_controller_test.go#L811

[ritazh]

LGTM

[ritazh]

Suggested change

By default, a constraint will be enforced at all enforcement points with common enforcement action defined in `spec.enforcementAction`. However, you can chose to enforce a constraint at specific enforcement points different actions using `spec.scopedEnforcementActions`. Below are the different examples and use cases that utilizes different enforcement actions for different enforcement points.

By default, a constraint will be enforced at all enforcement points with common enforcement action defined in `spec.enforcementAction`. However, you can choose to enforce a constraint at specific enforcement points with different actions using `enforcementAction: scoped` and `spec.scopedEnforcementActions`. Below are examples and use cases that utilize different enforcement actions for different enforcement points.

[ritazh]

Suggested change

	`spec.enforcementAction: scoped` is needed to customize specific enforcement point/enforcement action behavior. If `spec.enforcementAction: scoped` is not provided, `spec.scopedEnforcementActions` is ignored and defined `enforcementAction` will be enforced at all enforcement points.
	`spec.enforcementAction: scoped` is needed to customize specific enforcement point/enforcement action behavior. If `spec.enforcementAction: scoped` is not provided, `spec.scopedEnforcementActions` is ignored and the provided `enforcementAction` will be applied across all enforcement points.

[ritazh]

Suggested change

You are trying out a new constraint template, and you want deny violating resources in shift-left testing, but do not want to block any resources when admitted to cluster to avoid faulty rejects. You may want to use `deny` action for `gator.gatekeeper.sh` enforcement point and `warn` for `validation.gatekeepet.sh`. The below constraint satisfies this use case.

You are trying out a new constraint template, and you want to deny violating resources in shift-left testing, but do not want to block any resources admitted to clusters to reduce impact for faulty rejections. You may want to use `deny` action for the `gator.gatekeeper.sh` shift-left enforcement point and `warn` for `the validation.gatekeepet.sh` admission webhook enforcement point. The below constraint satisfies this use case.

[ritazh]

Add a note for:

The audit enforcement point is not included unless explicitly added to scopedEnforcementActions.enforcementPoints or if scopedEnforcementActions.enforcementPoints is set to "*"

[ritazh]

Suggested change

	To summarize, these are potential options when running Gatekeeper:
	In summary, these are potential options when running Gatekeeper:

[ritazh]

Suggested change

Constraints will follow the behavior defined in `spec.scopedEnforcementActions`. When `spec.scopedEnforcementAction` is not defined, constraints will follow behavior defined by the flag `--default-create-vap-binding-for-constraints`. By default, `--default-create-vap-binding-for-constraints` is set to `false`.

Gatekeeper determines the intended enforcement actions for a given enforcement point by evaluating what is provided in `spec.scopedEnforcementActions` and `spec.enforcementAction: scoped` in the constraint. If these values are not provided in the constraint, then Gatekeeper will follow behavior defined by the flag `--default-create-vap-binding-for-constraints`. By default, `--default-create-vap-binding-for-constraints` is set to `false`.

[maxsmythe]

LGTM

[sozercan]

Great job! LGTM