Skip to content

Commit

Permalink
chore: moving k8s-native-validation feature to beta (#3476)
Browse files Browse the repository at this point in the history 
Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
  • Loading branch information
@JaydipGabani @sozercan
JaydipGabani and sozercan authored Aug 9, 2024
1 parent d3f1269 commit c5ee94e
Show file tree
Hide file tree
Showing 13 changed files with 21 additions and 33 deletions.
4 changes: 0 additions & 4 deletions Makefile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --mutation-annotations\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --experimental-enable-k8s-native-validation\
\n - --log-level=${LOG_LEVEL}\
\n---\
\napiVersion: apps/v1\
Expand All @@ -99,7 +98,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --logtostderr\
\n - --default-create-vap-for-templates=${GENERATE_VAP}\
\n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
\n - --experimental-enable-k8s-native-validation\
\n - --log-level=${LOG_LEVEL}\
\n"

Expand Down Expand Up @@ -243,7 +241,6 @@ else
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;
Expand Down Expand Up @@ -285,7 +282,6 @@ e2e-helm-upgrade:
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set enableK8sNativeValidation=true \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;\
Expand Down
4 changes: 2 additions & 2 deletions cmd/build/helmify/kustomize-for-helm.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ spec:
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
- HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
Expand Down Expand Up @@ -187,7 +187,7 @@ spec:
- HELMSUBST_DEPLOYMENT_AUDIT_LOGFILE
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
Expand Down
2 changes: 1 addition & 1 deletion cmd/build/helmify/static/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ information._
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
| defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` |
| defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
Expand Down
2 changes: 1 addition & 1 deletion cmd/build/helmify/static/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: false
enableK8sNativeValidation: true
defaultCreateVAPForTemplates: false
defaultCreateVAPBindingForConstraints: false
image:
Expand Down
2 changes: 1 addition & 1 deletion cmd/gator/test/test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ func init() {
Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false, "PROTOTYPE (not stable): enable the validating admission policy driver")
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
}
Expand Down
4 changes: 2 additions & 2 deletions cmd/gator/verify/verify.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,8 @@ func init() {
`print extended test output`)
Cmd.Flags().BoolVarP(&includeTrace, "trace", "t", false,
`include a trace for the underlying constraint framework evaluation`)
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false,
`PROTOTYPE (not stable): enable the validating admission policy driver`)
Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true,
`Beta: enable the validating admission policy driver`)
}

// Cmd is the gator verify subcommand.
Expand Down
2 changes: 1 addition & 1 deletion main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ var (
certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service")
enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
disabledBuiltins = util.NewFlagSet()
enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver")
enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver")
externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
)

Expand Down
2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,7 +166,7 @@ information._
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` |
| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
| defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` |
| defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
Expand Down
2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ spec:
{{- end }}
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
command:
Expand Down
2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ spec:
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
- --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
- --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
{{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }}
Expand Down
2 changes: 1 addition & 1 deletion manifest_staging/charts/gatekeeper/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
enableK8sNativeValidation: false
enableK8sNativeValidation: true
defaultCreateVAPForTemplates: false
defaultCreateVAPBindingForConstraints: false
image:
Expand Down
21 changes: 6 additions & 15 deletions website/docs/validating-admission-policy.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,13 @@ id: validating-admission-policy
title: Integration with Kubernetes Validating Admission Policy
---

`Feature State`: Gatekeeper version v3.16 (alpha)
CEL validation in Gatekeeper:
Feature State: Gatekeeper version v3.17 (beta)
❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates.

> ❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default.
VAP management through Gatekeeper:
Feature State: Gatekeeper version v3.16 (alpha)
❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default unless explicitly enabled via feature flag and/or via constraint template.

## Description

Expand Down Expand Up @@ -54,22 +58,9 @@ Find out more about different [enforcement points](enforcement-points.md)
runtimeConfig:
admissionregistration.k8s.io/v1beta1: true
```
- Set `--experimental-enable-k8s-native-validation` in Gatekeeper deployments, or `enableK8sNativeValidation=true` if using Helm.
## Get started
### Option 1: Install with Helm
Update the `enableK8sNativeValidation` parameter in values.yaml or set during deployment
- Enable the K8s Native Validating driver to allow users to create CEL-based rules in addition to the OPA driver and rego rules (alpha feature). Default is `false`
```shell
helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace \
--set enableK8sNativeValidation=true
```

### Option 2: Install with Gatekeeper deployment
Edit the applicable deployments (`controller-manager` and `audit`), and update the following commandline flags:
- Set `--experimental-enable-k8s-native-validation=true`

## Policy updates to add CEL
To see how it works, check out this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/k8s-validating-admission-policy)
Expand Down
5 changes: 3 additions & 2 deletions website/versioned_docs/version-v3.16.x/validating-admission-policy.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -138,5 +138,6 @@ labels:
"gatekeeper.sh/use-vap": "no"
```

> [!TIP]
> In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup.
:::tip
In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup.
:::

0 comments on commit c5ee94e

Please # to comment.