Skip to content

Commit

Permalink
feat: add generate operation and wait for VAPB generation (#3573)
Browse files Browse the repository at this point in the history 
Signed-off-by: Jaydip Gabani <[email protected]>
  • Loading branch information
@JaydipGabani
JaydipGabani authored Nov 7, 2024
1 parent e99d68d commit 1834741
Show file tree
Hide file tree
Showing 13 changed files with 439 additions and 254 deletions.
3 changes: 1 addition & 2 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --disable-opa-builtin=http.send\
\n - --log-mutations\
\n - --mutation-annotations\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --log-level=${LOG_LEVEL}\
\n---\
\napiVersion: apps/v1\
Expand All @@ -94,6 +92,7 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --operation=audit\
\n - --operation=status\
\n - --operation=mutation-status\
\n - --operation=generate\
\n - --audit-chunk-size=500\
\n - --logtostderr\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
Expand Down
2 changes: 2 additions & 0 deletions cmd/build/helmify/kustomize-for-helm.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,7 @@ spec:
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
- --operation=generate
- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS
- HELMSUBST_MUTATION_STATUS_ENABLED_ARG
- --logtostderr
Expand All @@ -192,6 +193,7 @@ spec:
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- HELMSUBST_DEPLOYMENT_DEFAULT_CREATE_VAP_FOR_TEMPLATES
- HELMSUBST_DEPLOYMENT_DEFAULT_CREATE_VAPB_FOR_CONSTRAINTS
- HELMSUBST_DEPLOYMENT_AUDIT_DEFAULT_WAIT_VAPB_GENERATION
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
HELMSUBST_AUDIT_CONTROLLER_MANAGER_DEPLOYMENT_IMAGE_RELEASE: ""
ports:
Expand Down
4 changes: 4 additions & 0 deletions cmd/build/helmify/replacements.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -112,6 +112,10 @@ var replacements = map[string]string{

"- HELMSUBST_MUTATION_STATUS_ENABLED_ARG": `{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}`,

"- HELMSUBST_DEPLOYMENT_AUDIT_DEFAULT_WAIT_VAPB_GENERATION": `{{ if hasKey .Values "defaultWaitForVAPBGeneration"}}
- --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
{{- end }}`,

"- HELMSUBST_DEPLOYMENT_AUDIT_PUBSUB_ARGS": `{{ if hasKey .Values.audit "enablePubsub" }}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
{{- end }}
Expand Down
1 change: 1 addition & 0 deletions cmd/build/helmify/static/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ information._
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
| defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
| defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
| defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
Expand Down
1 change: 1 addition & 0 deletions manifest_staging/charts/gatekeeper/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,7 @@ information._
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
| defaultCreateVAPForTemplates | (alpha) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. | `false` |
| defaultCreateVAPBindingForConstraints | (alpha) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. | `false` |
| defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
Expand Down
4 changes: 4 additions & 0 deletions manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ spec:
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
- --operation=generate
{{ if hasKey .Values.audit "enablePubsub" }}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
{{- end }}
Expand Down Expand Up @@ -103,6 +104,9 @@ spec:
{{- if hasKey .Values "defaultCreateVAPBindingForConstraints"}}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
{{- end }}
{{ if hasKey .Values "defaultWaitForVAPBGeneration"}}
- --default-wait-for-vapb-generation={{ .Values.defaultWaitForVAPBGeneration }}
{{- end }}
command:
- /manager
env:
Expand Down
Loading

0 comments on commit 1834741

Please sign in to comment.