From c5ee94e0bd8908fd1884105628f49be3047930a2 Mon Sep 17 00:00:00 2001
From: Jaydipkumar Arvindbhai Gabani
Date: Fri, 9 Aug 2024 14:53:50 -0700
Subject: [PATCH] chore: moving k8s-native-validation feature to beta (#3476)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jaydip Gabani
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
---
 Makefile | 4 ----
 cmd/build/helmify/kustomize-for-helm.yaml | 4 ++--
 cmd/build/helmify/static/README.md | 2 +-
 cmd/build/helmify/static/values.yaml | 2 +-
 cmd/gator/test/test.go | 2 +-
 cmd/gator/verify/verify.go | 4 ++--
 main.go | 2 +-
 manifest_staging/charts/gatekeeper/README.md | 2 +-
 .../gatekeeper-audit-deployment.yaml | 2 +-
 ...ekeeper-controller-manager-deployment.yaml | 2 +-
 .../charts/gatekeeper/values.yaml | 2 +-
 website/docs/validating-admission-policy.md | 21 ++++++-------------
 .../validating-admission-policy.md | 5 +++--
 13 files changed, 21 insertions(+), 33 deletions(-)
diff --git a/Makefile b/Makefile
index 233c501181b..681caa4f5bd 100644
--- a/Makefile
+++ b/Makefile
@@ -75,7 +75,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n - --mutation-annotations\
 \n - --default-create-vap-for-templates=${GENERATE_VAP}\
 \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
-\n - --experimental-enable-k8s-native-validation\
 \n - --log-level=${LOG_LEVEL}\
 \n---\
 \napiVersion: apps/v1\
@@ -99,7 +98,6 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
 \n - --logtostderr\
 \n - --default-create-vap-for-templates=${GENERATE_VAP}\
 \n - --default-create-vap-binding-for-constraints=${GENERATE_VAPBINDING}\
-\n - --experimental-enable-k8s-native-validation\
 \n - --log-level=${LOG_LEVEL}\
 \n"
 
@@ -243,7 +241,6 @@ else
 --set disabledBuiltins={http.send} \
 --set logMutations=true \
 --set logLevel=${LOG_LEVEL} \
- --set enableK8sNativeValidation=true \
 --set defaultCreateVAPForTemplates=${GENERATE_VAP} \
 --set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
 --set mutationAnnotations=true;
@@ -285,7 +282,6 @@ e2e-helm-upgrade:
 --set disabledBuiltins={http.send} \
 --set logMutations=true \
 --set logLevel=${LOG_LEVEL} \
- --set enableK8sNativeValidation=true \
 --set defaultCreateVAPForTemplates=${GENERATE_VAP} \
 --set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
 --set mutationAnnotations=true;\
diff --git a/cmd/build/helmify/kustomize-for-helm.yaml b/cmd/build/helmify/kustomize-for-helm.yaml
index 93e4c7f5ae3..ff75690b22c 100644
--- a/cmd/build/helmify/kustomize-for-helm.yaml
+++ b/cmd/build/helmify/kustomize-for-helm.yaml
@@ -94,7 +94,7 @@ spec:
 - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
 - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 - HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
@@ -187,7 +187,7 @@ spec:
 - HELMSUBST_DEPLOYMENT_AUDIT_LOGFILE
 - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 imagePullPolicy: "{{ .Values.image.pullPolicy }}"
diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md
index cc466a1b060..54ec0750d3f 100644
--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -166,7 +166,7 @@ information._
 | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
 | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
 | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` |
 | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` |
 | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml
index 76862de9a3b..d26f6f2fe7d 100644
--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false
 auditEventsInvolvedNamespace: false
 resourceQuota: true
 externaldataProviderResponseCacheTTL: 3m
-enableK8sNativeValidation: false
+enableK8sNativeValidation: true
 defaultCreateVAPForTemplates: false
 defaultCreateVAPBindingForConstraints: false
 image:
diff --git a/cmd/gator/test/test.go b/cmd/gator/test/test.go
index 58f911776e9..209fba403b5 100644
--- a/cmd/gator/test/test.go
+++ b/cmd/gator/test/test.go
@@ -73,7 +73,7 @@ func init() {
 Cmd.Flags().StringVarP(&flagOutput, flagNameOutput, "o", "", fmt.Sprintf("Output format. One of: %s|%s.", stringJSON, stringYAML))
 Cmd.Flags().BoolVarP(&flagIncludeTrace, "trace", "t", false, "include a trace for the underlying Constraint Framework evaluation.")
 Cmd.Flags().BoolVarP(&flagGatherStats, "stats", "", false, "include performance stats returned from the Constraint Framework.")
- Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false, "PROTOTYPE (not stable): enable the validating admission policy driver")
+ Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true, "Beta: enable the validating admission policy driver")
 Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
 Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
 }
diff --git a/cmd/gator/verify/verify.go b/cmd/gator/verify/verify.go
index 74c4b243911..9639126d17d 100644
--- a/cmd/gator/verify/verify.go
+++ b/cmd/gator/verify/verify.go
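Review bot: The old flag name `experimental-enable-k8s-native-validation` is dropped outright rather than kept as a deprecated alias, so any existing `gator test` invocation or CI script that still passes it will fail with an unknown-flag error instead of continuing to run; the `gator verify` hunk in cmd/gator/verify/verify.go has the same gap. Binding the old name to the same variable and marking it deprecated keeps those callers working through the beta transition: `Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", true, "enable the validating admission policy driver")` followed by `_ = Cmd.Flags().MarkDeprecated("experimental-enable-k8s-native-validation", "use --enable-k8s-native-validation instead")`. Since the default is now true, the usage string would also help by saying what `=false` does for templates that carry CEL sources, because a policy test run that quietly skips an engine is the kind of silent gap a reviewer wants surfaced. The enclosing init function starts before the hunk.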
@@ -47,8 +47,8 @@ func init() {
 `print extended test output`)
 Cmd.Flags().BoolVarP(&includeTrace, "trace", "t", false,
 `include a trace for the underlying constraint framework evaluation`)
- Cmd.Flags().BoolVarP(&flagEnableK8sCel, "experimental-enable-k8s-native-validation", "", false,
- `PROTOTYPE (not stable): enable the validating admission policy driver`)
+ Cmd.Flags().BoolVarP(&flagEnableK8sCel, "enable-k8s-native-validation", "", true,
+ `Beta: enable the validating admission policy driver`)
 }
 
 // Cmd is the gator verify subcommand.
diff --git a/main.go b/main.go
index 6cedb8155a1..fe86af367f4 100644
--- a/main.go
+++ b/main.go
@@ -114,7 +114,7 @@ var (
 certServiceName = flag.String("cert-service-name", "gatekeeper-webhook-service", "The service name used to generate the TLS cert's hostname. Defaults to gatekeeper-webhook-service")
 enableTLSHealthcheck = flag.Bool("enable-tls-healthcheck", false, "enable probing webhook API with certificate stored in certDir")
 disabledBuiltins = util.NewFlagSet()
- enableK8sCel = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver")
+ enableK8sCel = flag.Bool("enable-k8s-native-validation", true, "Beta: enable the validating admission policy driver")
 externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
 )
 
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md
index cc466a1b060..54ec0750d3f 100644
--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
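Review bot: The controller flag in main.go likewise renames `experimental-enable-k8s-native-validation` with no compatibility alias; the standard `flag` package rejects an unknown flag at parse time, so an audit or controller-manager Deployment that still carries the old argument (for example a chart or manifest that was not regenerated with this commit) would fail to start rather than keep its previous behaviour. Because this binary is the admission path, a failed rollout is also a window in which, depending on the webhook's failure policy, requests may be admitted without policy evaluation. A deprecated alias bound to the same variable keeps old manifests working, e.g. in an init func: `flag.BoolVar(enableK8sCel, "experimental-enable-k8s-native-validation", true, "Deprecated: use --enable-k8s-native-validation")`, ideally with a startup log line when the old name is used so operators notice. The var block holding enableK8sCel starts before the hunk and the code that parses these flags is not in it.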
@@ -166,7 +166,7 @@ information._
 | mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
 | emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
 | emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
-| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (alpha feature) | `false` |
+| enableK8sNativeValidation | Enable the K8s Native Validating driver to allow constraint templates to use rules written in VAP-style CEL (beta feature) | `true` |
 | defaultCreateVAPForTemplates | Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. (alpha feature) | `false` |
 | defaultCreateVAPBindingForConstraints | Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding. (alpha feature) | `false` |
 | auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
index 71c7ff28150..3fb2404d880 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-deployment.yaml
@@ -89,7 +89,7 @@ spec:
 {{- end }}
 - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 command:
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
index 7ed6146a09b..dae96161d10 100644
--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-deployment.yaml
@@ -78,7 +78,7 @@ spec:
 - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
 - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
 - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
- - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+ - --enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
 - --default-create-vap-for-templates={{ .Values.defaultCreateVAPForTemplates }}
 - --default-create-vap-binding-for-constraints={{ .Values.defaultCreateVAPBindingForConstraints }}
 {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }}
diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml
index 76862de9a3b..d26f6f2fe7d 100644
--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -45,7 +45,7 @@ admissionEventsInvolvedNamespace: false
 auditEventsInvolvedNamespace: false
 resourceQuota: true
 externaldataProviderResponseCacheTTL: 3m
-enableK8sNativeValidation: false
+enableK8sNativeValidation: true
 defaultCreateVAPForTemplates: false
 defaultCreateVAPBindingForConstraints: false
 image:
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
index 81d1a26b5b3..46153dd6636 100644
--- a/website/docs/validating-admission-policy.md
+++ b/website/docs/validating-admission-policy.md
@@ -3,9 +3,13 @@ id: validating-admission-policy
 title: Integration with Kubernetes Validating Admission Policy
 ---
 
-`Feature State`: Gatekeeper version v3.16 (alpha)
+CEL validation in Gatekeeper:
+Feature State: Gatekeeper version v3.17 (beta)
+❗ This feature is beta, subject to change (feedback is welcome!). It is enabled by default. Set --enable-k8s-native-validation=false` to disable evaluating CEL in constraint templates.
 
-> ❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default.
+VAP management through Gatekeeper:
+Feature State: Gatekeeper version v3.16 (alpha)
+❗ This feature is alpha, subject to change (feedback is welcome!). It is disabled by default unless explicitly enabled via feature flag and/or via constraint template.
 
 ## Description
 
@@ -54,22 +58,9 @@ Find out more about different [enforcement points](enforcement-points.md)
 runtimeConfig:
 admissionregistration.k8s.io/v1beta1: true
 ```
-- Set `--experimental-enable-k8s-native-validation` in Gatekeeper deployments, or `enableK8sNativeValidation=true` if using Helm.
 
 ## Get started
 
-### Option 1: Install with Helm
-Update the `enableK8sNativeValidation` parameter in values.yaml or set during deployment
-- Enable the K8s Native Validating driver to allow users to create CEL-based rules in addition to the OPA driver and rego rules (alpha feature). Default is `false`
-```shell
-helm install gatekeeper/gatekeeper --name-template=gatekeeper --namespace gatekeeper-system --create-namespace \
- --set enableK8sNativeValidation=true
-```
-
-### Option 2: Install with Gatekeeper deployment
-Edit the applicable deployments (`controller-manager` and `audit`), and update the following commandline flags:
-- Set `--experimental-enable-k8s-native-validation=true`
-
 ## Policy updates to add CEL
 
 To see how it works, check out this [demo](https://github.com/open-policy-agent/gatekeeper/tree/master/demo/k8s-validating-admission-policy)
diff --git a/website/versioned_docs/version-v3.16.x/validating-admission-policy.md b/website/versioned_docs/version-v3.16.x/validating-admission-policy.md
index bb40232f1d5..f6a7f9bcc4a 100644
--- a/website/versioned_docs/version-v3.16.x/validating-admission-policy.md
+++ b/website/versioned_docs/version-v3.16.x/validating-admission-policy.md
@@ -138,5 +138,6 @@ labels:
 "gatekeeper.sh/use-vap": "no"
 ```
 
-> [!TIP]
-> In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup.
+:::tip
+In the event K8s Validating Admission Controller fails open, then Gatekeeper admission webhook can act as a backup.
+:::
\ No newline at end of file