Update default for vap generation #3501

Closed
ritazh opened this issue Feb 19, 2024 · 4 comments · Fixed by #3702

Comments

@ritazh
Member

ritazh commented Feb 19, 2024

TODO(ritazh): default for now until the feature is safe to fail close
TODO(ritazh): default for now until we can safely expose these to users

@ritazh
Member Author

ritazh commented Aug 16, 2024

fail closed is blocked by kubernetes/kubernetes#124237

@ritazh ritazh transferred this issue from open-policy-agent/frameworks Aug 16, 2024
@ritazh ritazh added this to the v3.18.0 milestone Aug 16, 2024
@ritazh ritazh self-assigned this Sep 10, 2024
@ritazh ritazh assigned JaydipGabani and unassigned ritazh Oct 3, 2024
@ritazh
Member Author

ritazh commented Oct 3, 2024

Notes from today's community call:

  • pre-req: need to ensure all resource generation happens in a singleton controller (due to clock skew); add a new operation to ensure only a singleton controller runs for resource generation
  • add a delay (user configurable), default is tbd. maximum is 30 secs. Note: delay is only needed for the first VAPB
  • deployment strategy for this singleton controller might impact the delay calculation to generate the VAPB resource
  • singleton should add timestamp for “createAfter” OR a simple flag to allow creation of VAPB on the CT status; then reschedule the reconcile for the VAPB generation
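The delay-then-generate flow sketched in the call notes (a singleton stamps a "createAfter" time on the ConstraintTemplate status, and the VAPB reconcile reschedules itself until that time has passed) can be illustrated with a small Go model. This is an added example and not Gatekeeper's own controller code; the `CTStatus`, `Decision`, `stampCreateAfter` and `reconcileVAPB` names, and the 1s requeue used while waiting for the singleton, are assumptions made here. The 30s maximum delay is taken from the notes above.

```go
package main

import (
	"fmt"
	"time"
)

// CTStatus is a constructed stand-in for the ConstraintTemplate status fields
// discussed above (hypothetical; not Gatekeeper's real API type).
type CTStatus struct {
	Name        string
	VAPBCreated bool      // set once the first VAPB has been generated
	CreateAfter time.Time // zero value: the singleton has not stamped it yet
}

// Decision is the outcome of one VAPB reconcile pass.
type Decision struct {
	CreateVAPB   bool
	RequeueAfter time.Duration
}

// maxDelay is the upper bound for the user-configurable delay (from the notes).
const maxDelay = 30 * time.Second

// clampDelay bounds the configured delay to [0, maxDelay].
func clampDelay(d time.Duration) time.Duration {
	if d < 0 {
		return 0
	}
	if d > maxDelay {
		return maxDelay
	}
	return d
}

// stampCreateAfter is the singleton controller's job: it records the earliest
// time the VAPB may be created. Doing this in exactly one controller avoids
// clock skew between replicas. Only the first VAPB needs the delay, so an
// already-created or already-stamped status is left untouched.
func stampCreateAfter(st *CTStatus, now time.Time, delay time.Duration) {
	if st.CreateAfter.IsZero() && !st.VAPBCreated {
		st.CreateAfter = now.Add(clampDelay(delay))
	}
}

// reconcileVAPB decides whether the VAPB can be generated now, or when the
// reconcile should be rescheduled.
func reconcileVAPB(st CTStatus, now time.Time) Decision {
	if st.VAPBCreated {
		return Decision{} // later reconciles are not delayed
	}
	if st.CreateAfter.IsZero() {
		// Not yet stamped by the singleton: requeue briefly rather than race it.
		return Decision{RequeueAfter: time.Second}
	}
	if remaining := st.CreateAfter.Sub(now); remaining > 0 {
		return Decision{RequeueAfter: remaining}
	}
	return Decision{CreateVAPB: true}
}

func main() {
	now := time.Date(2024, 10, 3, 12, 0, 0, 0, time.UTC) // constructed clock
	st := CTStatus{Name: "k8srequiredlabels"}
	stampCreateAfter(&st, now, 45*time.Second) // clamped to the 30s maximum
	fmt.Printf("at t+0s:  %+v\n", reconcileVAPB(st, now))
	fmt.Printf("at t+31s: %+v\n", reconcileVAPB(st, now.Add(31*time.Second)))
}
```

The requeue-with-remaining-time path is what makes the deployment-strategy concern in the notes matter: if the singleton is replaced mid-wait, the stamped `createAfter` on the status survives the restart, so the new instance does not restart the delay from zero.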

@JaydipGabani JaydipGabani modified the milestones: v3.18.0, v3.19.0 Oct 23, 2024
@ritazh ritazh modified the milestones: v3.19.0, v3.18.0 Oct 23, 2024
@JaydipGabani JaydipGabani modified the milestones: v3.18.0, v3.19.0 Oct 23, 2024
@ritazh ritazh changed the title from "Update default for vap once the feature is GAed in k/k" to "Update default for vap generation" Oct 23, 2024
@JaydipGabani JaydipGabani modified the milestones: v3.18.0, v3.19.0 Oct 23, 2024
@JaydipGabani
Contributor

JaydipGabani commented Oct 24, 2024

TODO:

@JaydipGabani
Contributor

This is the existing behavior where CEL fails:

| enforcement point | FailurePolicy | EnforcementAction | result |
|---|---|---|---|
| CEL | Fail | deny | Violation |
| VAP | Fail | deny | Violation |
| CEL | Fail | warn | Warning |
| VAP | Fail | warn | Warning |
| CEL | Ignore | deny | Admission without violation/warning |
| VAP | Ignore | deny | Admission without violation/warning |
| CEL | Ignore | warn | Admission without violation/warning |
| VAP | Ignore | warn | Admission without violation/warning |
