From 2e61d31f6c42bdc96589025b4e0bd07acea3c51b Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Fri, 8 Nov 2024 00:47:38 +0000
Subject: [PATCH 1/2] moving CEL engine to GA
Signed-off-by: Jaydip Gabani
---
 cmd/build/helmify/static/README.md | 2 +-
 cmd/gator/test/test.go | 2 +-
 main.go | 2 +-
 manifest_staging/charts/gatekeeper/README.md | 2 +-
 website/docs/validating-admission-policy.md | 7 +++++--
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index 92a7fa72897..5a7e03cdc9e 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -168,7 +168,7 @@ information._
 | emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` |
 | logStatsAdmission | (alpha) Log stats for admission webhook | `false` |
 | logStatsAudit | (alpha) Log stats metrics for the audit run | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` |
 | defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
 | defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
 | defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
diff --git a/cmd/gator/test/test.go b/cmd/gator/test/test.go
index 209fba403b5..4c11e7d9198 100644
--- a/cmd/gator/test/test.go
+++ b/cmd/gator/test/test.go
@@ -73,7 +73,7 @@ func init() {
 	Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
 	Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
 	Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
-	Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
+	Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "enable the validating admission policy driver")
 	Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
 	Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
 }
diff --git a/main.go b/main.go
index e7f035ef736..add56d97c49 100644
--- a/main.go
+++ b/main.go
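Review bot: The new help string `enable the validating admission policy driver` says what the flag turns on but not what an operator gives up by setting it to false, which matters more now that the feature is presented as stable rather than beta; the website doc in this same series says disabling it stops evaluating VAP-style CEL in constraint templates, so the flag text should say the same. I would use `"enable the validating admission policy driver (stable); set to false to stop evaluating VAP-style CEL in constraint templates"` here and for the identical definition in main.go's var block, since the two copies have to be kept in sync by hand (as this commit does). Whether a template whose only source is CEL is rejected or silently skipped when the flag is false is not visible here; if it is the latter, say so in the help text, because an operator who disables the driver would otherwise lose enforcement without any signal. init() opens in the hunk header context, outside the hunk.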
@@ -114,7 +114,7 @@ var (
 	certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service")
 	enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
 	disabledBuiltins = util.NewFlagSet()
-	enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver")
+	enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "enable the validating admission policy driver")
 	externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
 )
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index 92a7fa72897..5a7e03cdc9e 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -168,7 +168,7 @@ information._
 | emitAuditEvents | (alpha) Emit K8s events in configurable namespace for audit violations | `false` |
 | logStatsAdmission | (alpha) Log stats for admission webhook | `false` |
 | logStatsAudit | (alpha) Log stats metrics for the audit run | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL | `true` |
 | defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
 | defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
 | defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index 990ea9fd351..4bf727a3e92 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -4,8 +4,11 @@ title: Integration with Kubernetes Validating Admission Policy
 ---
 Validating Admission Policy CEL validation in Gatekeeper:
-Feature State: Gatekeeper version v3.17 (beta)
-❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --enable-k8s-native-validation=false` to disable evaluating Validating Admission Policy CEL in constraint templates.
+Feature State: Gatekeeper version v3.18 (stable)
+
+::: note
+Set --enable-k8s-native-validation=false` to disable evaluating Validating Admission Policy CEL in constraint templates.
+:::
 VAP management through Gatekeeper:
 Feature State: Gatekeeper version v3.16 (alpha)
From 2d1c51f84401259c5321bcfb531f34f936ad21fb Mon Sep 17 00:00:00 2001
From: Jaydip Gabani
Date: Fri, 8 Nov 2024 00:51:54 +0000
Subject: [PATCH 2/2] updating docs
Signed-off-by: Jaydip Gabani
---
 website/docs/validating-admission-policy.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index 4bf727a3e92..a6e3f53717c 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -6,7 +6,7 @@ title: Integration with Kubernetes Validating Admission Policy
 Validating Admission Policy CEL validation in Gatekeeper:
 Feature State: Gatekeeper version v3.18 (stable)
-::: note
+:::note
 Set --enable-k8s-native-validation=false` to disable evaluating Validating Admission Policy CEL in constraint templates.
 :::