From 3c0e5fdd4309905d6e9414b2a2be09f92a90d614 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Wed, 7 Aug 2024 20:56:08 +0000 Subject: [PATCH 1/8] moving experimental-enable-k8s-native-validation to beta and turning it on by default Signed-off-by: Jaydip Gabani --- Makefile | 2 -- cmd/build/helmify/static/README.md | 2 +- cmd/build/helmify/static/values.yaml | 2 +- cmd/gator/test/test.go | 2 +- cmd/gator/verify/verify.go | 4 ++-- main.go | 2 +- manifest_staging/charts/gatekeeper/README.md | 2 +- manifest_staging/charts/gatekeeper/values.yaml | 2 +- website/docs/validating-admission-policy.md | 13 ------------- 9 files changed, 8 insertions(+), 23 deletions(-) diff --git a/Makefile b/Makefile index 233c501181b..a7d757063c6 100644 --- a/Makefile +++ b/Makefile @@ -75,7 +75,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --mutation-annotations\ \n - --default-create-vap-for-templates=${GENERATE_VAP}\ \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\ -\n - --experimental-enable-k8s-native-validation\ \n - --log-level=${LOG_LEVEL}\ \n---\ \napiVersion: apps/v1\ @@ -100,7 +99,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --default-create-vap-for-templates=${GENERATE_VAP}\ \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\ \n - --experimental-enable-k8s-native-validation\ -\n - --log-level=${LOG_LEVEL}\ \n" # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index cc466a1b060..5b74a09d774 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -166,7 +166,7 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `false` | | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` | | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index 76862de9a3b..d26f6f2fe7d 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml 
@@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false
 auditEventsInvolvedNamespace: false
 resourceQuota: true
 externaldataProviderResponseCacheTTL: 3m
-enableK8sNativeValidation: false
+enableK8sNativeValidation: true
 defaultCreateVAPForTemplates: false
 defaultCreateVAPBindingForConstraints: false
 image:
diff --git a/cmd/gator/test/test.go b/cmd/gator/test/test.go
index 58f911776e9..25ccaf0561b 100644
--- a/cmd/gator/test/test.go
+++ b/cmd/gator/test/test.go
@@ -73,7 +73,7 @@ func init() {
 Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
 Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
 Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
- Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false, "PROTOTYPE (not stable): enable the validating admission policy driver")
+ Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
 Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
 Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
 }
diff --git a/cmd/gator/verify/verify.go b/cmd/gator/verify/verify.go
index 74c4b243911..182770fb3ab 100644
--- a/cmd/gator/verify/verify.go
+++ b/cmd/gator/verify/verify.go
@@ -47,8 +47,8 @@ func init() { `print extended test output`) Cmd.Flags().BoolVarP(&includeTrace, "trace", "t", false, `include a trace for the underlying constraint framework evaluation`) - Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false, - `PROTOTYPE (not stable): enable the validating admission policy driver`) + Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, + `Beta: enable the validating admission policy driver`) } // Cmd is the gator verify subcommand. diff --git a/main.go b/main.go index 6cedb8155a1..65c545463c3 100644 --- a/main.go +++ b/main.go @@ -114,7 +114,7 @@ var ( certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service") enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir") disabledBuiltins = util.NewFlagSet() - enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver") + enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver") externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.") ) diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index cc466a1b060..5b74a09d774 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md 
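Review bot: The new `true` default on the `enableK8sCel` line in main.go switches the K8s native validation driver on for every upgraded deployment with no operator action; if a cluster already holds constraint templates carrying a VAP-style CEL source that was inert while the driver was off, those presumably become enforced (or surface compile errors) on upgrade, which deserves a release note and a startup log line stating the driver state. A bool flag that defaults to true can only be turned off with the explicit `=false` form, and the help text does not say so; suggest `"Beta: enable the validating admission policy driver (pass --experimental-enable-k8s-native-validation=false to disable)"`. The same wording gap applies to the `flagEnableK8sCel` registrations in cmd/gator/test/test.go and cmd/gator/verify/verify.go in this patch. The `var (` block containing the main.go flag starts outside the hunk.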
@@ -166,7 +166,7 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `false` | | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` | | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index 76862de9a3b..d26f6f2fe7d 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml 
+++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true externaldataProviderResponseCacheTTL: 3m -enableK8sNativeValidation: false +enableK8sNativeValidation: true defaultCreateVAPForTemplates: false defaultCreateVAPBindingForConstraints: false image: diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md index 81d1a26b5b3..fa230f0abbf 100644 --- a/website/docs/validating-admission-policy.md +++ b/website/docs/validating-admission-policy.md @@ -54,22 +54,9 @@ Find out more about different [enforcement points](enforcement-points.md) runtimeConfig: admissionregistration.k8s.io/v1beta1: true ``` -- Set `--experimental-enable-k8s-native-validation` in Gatekeeper deployments, or `enableK8sNativeValidation=true` if using Helm. ## Get started -### Option 1: Install with Helm -Update the `enableK8sNativeValidation` parameter in values.yaml or set during deployment -- Enable the K8s Native Validating driver to allow users to create CEL-based rules in addition to the OPA driver and rego rules (alpha feature). Default is `false` -```shell -helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace \ - --set enableK8sNativeValidation=true -``` - -### Option 2: Install with Gatekeeper deployment -Edit the applicable deployments (`controller-manager` and `audit`), and update the following commandline flags: -- Set `--experimental-enable-k8s-native-validation=true` - ## Policy updates to add CEL To see how it works, check out this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/k8s-validating-admission-policy) From b62e90063c51e8803c40b8faf3445e5dc973884e Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Wed, 7 Aug 2024 20:57:32 +0000 Subject: [PATCH 2/8] updating makefile to remove enableK8sNativeValidation as it is turned on by default 
Signed-off-by: Jaydip Gabani --- Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Makefile b/Makefile index a7d757063c6..8e172648192 100644 --- a/Makefile +++ b/Makefile @@ -241,7 +241,6 @@ else --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ - --set enableK8sNativeValidation=true \ --set defaultCreateVAPForTemplates=${GENERATE_VAP} \ --set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \ --set mutationAnnotations=true; @@ -283,7 +282,6 @@ e2e-helm-upgrade: --set disabledBuiltins={http.send} \ --set logMutations=true \ --set logLevel=${LOG_LEVEL} \ - --set enableK8sNativeValidation=true \ --set defaultCreateVAPForTemplates=${GENERATE_VAP} \ --set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \ --set mutationAnnotations=true;\ From 9597954206572356c3adcc9ba8ac169e26863c6f Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Wed, 7 Aug 2024 21:13:10 +0000 Subject: [PATCH 3/8] adding note for moving CEL validation to beta in docs Signed-off-by: Jaydip Gabani --- website/docs/validating-admission-policy.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md index fa230f0abbf..b51fc8ff391 100644 --- a/website/docs/validating-admission-policy.md +++ b/website/docs/validating-admission-policy.md @@ -40,6 +40,10 @@ In summary, these are potential options when running Gatekeeper: Find out more about different [enforcement points](enforcement-points.md) +:::note +CEL validation is in beta and `--experimental-enable-k8s-native-validation` is turned on by default. +::: + ## Pre-requisites - Requires minimum Gatekeeper v3.16.0 From ed5ea6c25228fad22f49936a4cf26f64db48b551 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Thu, 8 Aug 2024 02:06:31 +0000 Subject: [PATCH 4/8] addressing doc updates 
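Review bot: Dropping `--set enableK8sNativeValidation=true \` from the e2e helm install (and the identical line in the `e2e-helm-upgrade` hunk below) leaves the suite relying on whatever the chart default happens to be, so the e2e run no longer pins which driver configuration it exercises and the disabled path is never tested. The neighbouring `defaultCreateVAPForTemplates` and `defaultCreateVAPBindingForConstraints` settings are driven by make variables (`GENERATE_VAP`, `GENERATE_VAPBINDING`); doing the same here, e.g. `--set enableK8sNativeValidation=${ENABLE_K8S_NATIVE_VALIDATION} \` (constructed variable name), would let CI cover both settings explicitly. The recipe enclosing the first hunk starts outside it.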
Signed-off-by: Jaydip Gabani --- cmd/build/helmify/static/README.md | 2 +- manifest_staging/charts/gatekeeper/README.md | 2 +- website/docs/validating-admission-policy.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 5b74a09d774..54ec0750d3f 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md 
@@ -166,7 +166,7 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` | | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` | | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 5b74a09d774..54ec0750d3f 100644 --- a/manifest_staging/charts/gatekeeper/README.md 
+++ b/manifest_staging/charts/gatekeeper/README.md @@ -166,7 +166,7 @@ information._ | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `false` | +| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` | | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` | | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` | | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md index b51fc8ff391..d13c38ec508 100644 
--- a/website/docs/validating-admission-policy.md +++ b/website/docs/validating-admission-policy.md @@ -41,7 +41,7 @@ In summary, these are potential options when running Gatekeeper: Find out more about different [enforcement points](enforcement-points.md) :::note -CEL validation is in beta and `--experimental-enable-k8s-native-validation` is turned on by default. +CEL validation in constraint templates through Gatekeeper is in beta and `--experimental-enable-k8s-native-validation` is turned on by default. Set --experimental-enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates. ::: ## Pre-requisites From 6f0cb453d5d0228f6b85e49a0d34e564409e8a2f Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Thu, 8 Aug 2024 02:10:31 +0000 Subject: [PATCH 5/8] fixing rebase Signed-off-by: Jaydip Gabani --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 8e172648192..dc8592c32ab 100644 --- a/Makefile +++ b/Makefile @@ -99,6 +99,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --default-create-vap-for-templates=${GENERATE_VAP}\ \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\ \n - --experimental-enable-k8s-native-validation\ +\n - --log-level=${LOG_LEVEL}\ \n" # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) From 7bf8f8d71f24cc2b070f054b507231433212fa27 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Thu, 8 Aug 2024 02:11:29 +0000 Subject: [PATCH 6/8] fixing rebase Signed-off-by: Jaydip Gabani --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index dc8592c32ab..681caa4f5bd 100644 --- a/Makefile +++ b/Makefile @@ -98,7 +98,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ \n - --logtostderr\ \n - --default-create-vap-for-templates=${GENERATE_VAP}\ \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\ -\n - --experimental-enable-k8s-native-validation\ \n - --log-level=${LOG_LEVEL}\ \n" 
From 786806634943740300faf9d7e709bf074f23ed26 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Thu, 8 Aug 2024 21:03:38 +0000 Subject: [PATCH 7/8] updating docs Signed-off-by: Jaydip Gabani --- website/docs/validating-admission-policy.md | 12 ++++++------ .../version-v3.16.x/validating-admission-policy.md | 5 +++-- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md index d13c38ec508..dd5bb6d10de 100644 --- a/website/docs/validating-admission-policy.md +++ b/website/docs/validating-admission-policy.md @@ -3,9 +3,13 @@ id: validating-admission-policy title: Integration with Kubernetes Validating Admission Policy --- -`Feature State`: Gatekeeper version v3.16 (alpha) +CEL validation in Gatekeeper: +Feature State: Gatekeeper version v3.17 (beta) +❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --experimental-enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates. -> ❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default. +VAP management through Gatekeeper: +Feature State: Gatekeeper version v3.16 (alpha) +❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default unless explicitly enabled via feature flag and/or via constraint template. ## Description @@ -40,10 +44,6 @@ In summary, these are potential options when running Gatekeeper: Find out more about different [enforcement points](enforcement-points.md) -:::note -CEL validation in constraint templates through Gatekeeper is in beta and `--experimental-enable-k8s-native-validation` is turned on by default. Set --experimental-enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates. -::: - ## Pre-requisites - Requires minimum Gatekeeper v3.16.0 
diff --git a/website/versioned_docs/version-v3.16.x/validating-admission-policy.md b/website/versioned_docs/version-v3.16.x/validating-admission-policy.md index bb40232f1d5..f6a7f9bcc4a 100644 --- a/website/versioned_docs/version-v3.16.x/validating-admission-policy.md +++ b/website/versioned_docs/version-v3.16.x/validating-admission-policy.md @@ -138,5 +138,6 @@ labels: "gatekeeper.sh/use-vap": "no" ``` -> [!TIP] -> In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup. +:::tip +In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup. +::: \ No newline at end of file From a533a7a1f518c0ddc004b84e162909a41f1636d2 Mon Sep 17 00:00:00 2001 From: Jaydip Gabani Date: Fri, 9 Aug 2024 18:47:13 +0000 Subject: [PATCH 8/8] renaming experimental-enable-k8s-native-validation -> enable-k8s-native-validation Signed-off-by: Jaydip Gabani --- cmd/build/helmify/kustomize-for-helm.yaml | 4 ++-- cmd/gator/test/test.go | 2 +- cmd/gator/verify/verify.go | 2 +- main.go | 2 +- .../gatekeeper/templates/gatekeeper-audit-deployment.yaml | 2 +- .../templates/gatekeeper-controller-manager-deployment.yaml | 2 +- website/docs/validating-admission-policy.md | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml index 93e4c7f5ae3..ff75690b22c 100644 --- a/cmd/build/helmify/kustomize-for-helm.yaml +++ b/cmd/build/helmify/kustomize-for-helm.yaml 
@@ -94,7 +94,7 @@ spec:
 - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
 - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 - HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
@@ -187,7 +187,7 @@ spec:
 - HELMSUBST_DEPLOYMENT_AUDIT_LOGFILE
 - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
diff --git a/cmd/gator/test/test.go b/cmd/gator/test/test.go
index 25ccaf0561b..209fba403b5 100644
--- a/cmd/gator/test/test.go
+++ b/cmd/gator/test/test.go
@@ -73,7 +73,7 @@ func init() { Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML)) Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.") Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.") - Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver") + Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver") Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.") Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage)) } diff --git a/cmd/gator/verify/verify.go b/cmd/gator/verify/verify.go index 182770fb3ab..9639126d17d 100644 --- a/cmd/gator/verify/verify.go +++ b/cmd/gator/verify/verify.go @@ -47,7 +47,7 @@ func init() { `print extended test output`) Cmd.Flags().BoolVarP(&includeTrace, "trace", "t", false, `include a trace for the underlying constraint framework evaluation`) - Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, + Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, `Beta: enable the validating admission policy driver`) } diff --git a/main.go b/main.go index 65c545463c3..fe86af367f4 100644 --- a/main.go +++ b/main.go 
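Review bot: Renaming the flag to `enable-k8s-native-validation` without keeping the old name breaks every caller that still passes `--experimental-enable-k8s-native-validation`: pflag rejects unknown flags unless they are explicitly whitelisted, so existing `gator test` and `gator verify` invocations in CI fail, and the same rename in main.go (next hunk) makes a controller-manager or audit pod whose args were hand-edited per the earlier docs exit at startup, leaving admission unenforced for the upgrade window (the chart templates in this patch are updated, hand-maintained manifests are not). For the cobra commands, register the old name against the same variable and mark it deprecated: `Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, "Deprecated: use --enable-k8s-native-validation")` followed by `_ = Cmd.Flags().MarkDeprecated("experimental-enable-k8s-native-validation", "use --enable-k8s-native-validation")`. The stdlib `flag` package in main.go has no deprecation helper, so bind the old name to the same pointer before `flag.Parse` with `flag.BoolVar(enableK8sCel, "experimental-enable-k8s-native-validation", true, "Deprecated: use --enable-k8s-native-validation")` and drop it a release later. The `func init()` enclosing this hunk starts outside it; the verify.go `init()` in the following hunk does as well.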
@@ -114,7 +114,7 @@ var ( certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service") enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir") disabledBuiltins = util.NewFlagSet() - enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver") + enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver") externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.") ) diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml index 71c7ff28150..3fb2404d880 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml @@ -89,7 +89,7 @@ spec: {{- end }} - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }} - - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} + - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }} - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }} - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }} command: 
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index 7ed6146a09b..dae96161d10 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -78,7 +78,7 @@ spec:
 - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
 - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }}
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index dd5bb6d10de..46153dd6636 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -5,7 +5,7 @@ title: Integration with Kubernetes Validating Admission Policy CEL validation in Gatekeeper: Feature State: Gatekeeper version v3.17 (beta) -❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --experimental-enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates. +❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates. VAP management through Gatekeeper: Feature State: Gatekeeper version v3.16 (alpha)