Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: add vap generation doc and demo (#3363)
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Showing 10 changed files with 166 additions and 25 deletions.
@@ -3,4 +3,4 @@ kind: Namespace | |
metadata: | ||
name: good-ns | ||
labels: | ||
"gatekeeper": "true" | ||
"gatekeeper": "true" |
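Review bot: the removed and added `"gatekeeper": "true"` lines of the `good-ns` fixture are textually identical in this rendering, so the hunk is a whitespace-only change (indentation or a missing trailing newline). Nothing to fix in the file itself, but the commit message only mentions the doc and demo; a short mention of the fixture cleanup would save the next reader from diffing two identical lines to find out what changed.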
@@ -3,4 +3,4 @@ kind: Namespace | |
metadata: | ||
name: no-dupes | ||
labels: | ||
"gatekeeper": "not_duplicated" | ||
"gatekeeper": "not_duplicated" |
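Review bot: same whitespace-only change on the `"gatekeeper": "not_duplicated"` line of the `no-dupes` fixture as in the `good-ns` hunk above; nothing further.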
@@ -1,12 +1,11 @@ | ||
> [!WARNING] | ||
> This is a demo of a prototype-stage feature and is subject to change. | ||
> This is a demo of an alpha feature and is subject to change. | ||
This demo shows two new capabilities: | ||
1. Together with Gatekeeper and gator CLI, you can get admission, audit, and shift left validations for both CEL-based Validating Admission Policy and OPA Rego policies, even for clusters that do not support Kubernetes Validating Admission Policy feature yet. | ||
1. Gatekeeper can be enabled to generate Kubernetes Validating Admission Policy resources such that admission validation can be handled by [Kubernetes's in-process Validating Admission Policy Controller](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) instead of the Gatekeeper admission webhook. In the event the Validating Admission Policy Controller fails open, then Gatekeeper admission webhook can act as a fallback. This requires clusters with the Kubernetes Validating Admission Policy feature enabled. | ||
|
||
## Pre-requisites | ||
|
||
- Requires minimum Gatekeeper v3.14.0 | ||
- Set `--experimental-enable-k8s-native-validation` in Gatekeeper deployments. | ||
- Set `--validate-template-rego=false` in Gatekeeper deployments if using Gatekeeper version 3.14.0 and later. This flag will be removed in v3.16.0, and will not be applicable in the future. | ||
Please refer to https://open-policy-agent.github.io/gatekeeper/website/docs/next/validating-admission-policy for pre-requisites and configuration steps. | ||
|
||
## Demo | ||
|
||
<img width= "900" height="500" src="demo.gif" alt="cel demo"> | ||
<img width= "900" height="500" src="demo.gif" alt="vap demo"> |
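Review bot: the Pre-requisites section drops the minimum Gatekeeper version and the two flags (`- Requires minimum Gatekeeper v3.14.0`, `--experimental-enable-k8s-native-validation`, `--validate-template-rego=false`) in favour of a single link to the `docs/next` site, which tracks unreleased documentation and can drift from whatever Gatekeeper version the reader actually has installed; keep at least the minimum version and the enabling flag inline next to the link so the demo stays self-contained. Separately, the intro paragraph kept from the old text says the Gatekeeper webhook "can act as a fallback" when the Validating Admission Policy Controller "fails open", but never says what failing open means here or which configuration makes the webhook reachable as a fallback; one sentence on that would stop readers assuming fail-closed behaviour by default.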
This file was deleted.
@@ -0,0 +1,49 @@ | ||
#!/bin/bash | ||
|
||
. ../../third_party/demo-magic/demo-magic.sh | ||
|
||
clear | ||
|
||
p "To ensure the ValidatingAdmissionPolicy feature is enabled for the cluster" | ||
|
||
pe "kubectl api-resources | grep ValidatingAdmissionPolicy" | ||
|
||
p "Deploy the constraint template" | ||
|
||
pe "kubectl apply -f k8srequiredlabels_template.yaml" | ||
|
||
p "View Constraint template to see a new engine and CEL rules are added" | ||
|
||
pe "cat k8srequiredlabels_template.yaml" | ||
|
||
pe "kubectl apply -f owner_must_be_provided.yaml" | ||
|
||
pe "cat owner_must_be_provided.yaml" | ||
|
||
p "Let's test the policy" | ||
|
||
pe "kubectl create ns test" | ||
|
||
p "Note the bad namespace was blocked by the Gatekeeper webhook as evaluated by the new CEL rules" | ||
|
||
p "Now let's update the constraint template to generate the ValidatingAdmissionPolicy resources" | ||
|
||
pe "kubectl apply -f k8srequiredlabels_template_usevap.yaml" | ||
|
||
pe "cat k8srequiredlabels_template_usevap.yaml" | ||
|
||
p "Notice the "gatekeeper.sh/use-vap": "yes" label was added to the template to generate ValidatingAdmissionPolicy resources. Let's see what the generated resources look like" | ||
|
||
pe "kubectl get ValidatingAdmissionPolicy" | ||
|
||
pe "kubectl get ValidatingAdmissionPolicyBinding" | ||
|
||
p "Let's test the policy" | ||
|
||
pe "kubectl create ns test" | ||
|
||
p "Note the bad namespace was blocked by the ValidatingAdmissionPolicy admission controller" | ||
|
||
p "THE END" | ||
|
||
kubectl delete constrainttemplates --all |
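Review bot: the line `p "Notice the "gatekeeper.sh/use-vap": "yes" label was added ..."` has nested, unescaped double quotes, so the shell closes the string after `"Notice the "` and passes the rest as several separate words; escape the inner quotes (`p "Notice the \"gatekeeper.sh/use-vap\": \"yes\" label was added to the template ..."`) or wrap the whole message in single quotes. Two smaller points in the same script: `pe "kubectl api-resources | grep ValidatingAdmissionPolicy"` only prints and never stops the demo when the API is absent, so every later `kubectl get ValidatingAdmissionPolicy` step would fail with confusing errors rather than a clear precondition failure (a `kubectl api-resources | grep -q ValidatingAdmissionPolicy || exit 1` outside `pe` makes the check real), and the final `kubectl delete constrainttemplates --all` removes every ConstraintTemplate in the cluster, not just `k8srequiredlabels`; `kubectl delete -f k8srequiredlabels_template_usevap.yaml` scopes the cleanup to the demo's own resources.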
demo/k8s-validating-admission-policy/k8srequiredlabels_template_usevap.yaml
37 changes: 37 additions & 0 deletions
@@ -0,0 +1,37 @@ | ||
apiVersion: templates.gatekeeper.sh/v1 | ||
kind: ConstraintTemplate | ||
metadata: | ||
name: k8srequiredlabels | ||
labels: | ||
"gatekeeper.sh/use-vap": "yes" | ||
spec: | ||
crd: | ||
spec: | ||
names: | ||
kind: K8sRequiredLabels | ||
validation: | ||
# Schema for the `parameters` field | ||
openAPIV3Schema: | ||
type: object | ||
properties: | ||
message: | ||
type: string | ||
labels: | ||
type: array | ||
items: | ||
type: object | ||
properties: | ||
key: | ||
type: string | ||
allowedRegex: | ||
type: string | ||
targets: | ||
- target: admission.k8s.gatekeeper.sh | ||
code: | ||
- engine: K8sNativeValidation | ||
source: | ||
validations: | ||
- expression: '[object, oldObject].exists(obj, obj != null && has(obj.metadata) && variables.params.labels.all(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels))' | ||
messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")' | ||
- expression: '[object, oldObject].exists(obj, obj != null && !variables.params.labels.exists(entry, has(obj.metadata.labels) && entry.key in obj.metadata.labels && !string(obj.metadata.labels[entry.key]).matches(string(entry.allowedRegex))))' | ||
message: "regex mismatch" |
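Review bot: both validations wrap the check in `[object, oldObject].exists(obj, obj != null && ...)`, so on an UPDATE it is enough that either the new or the old object satisfies the rule; a request that removes a required label, or changes its value to one that no longer matches `allowedRegex`, is admitted as long as `oldObject` still passed. If the only intent is to tolerate `object == null` on DELETE, evaluate the incoming object when it is present and fall back to the old one otherwise, e.g. `(object != null ? object : oldObject)`, instead of `exists`. Two smaller points in the second expression: `allowedRegex` is optional in the `openAPIV3Schema`, so a constraint entry with only `key` turns `string(entry.allowedRegex)` into a runtime evaluation error rather than a pass (guard it with `has(entry.allowedRegex)`), and `matches()` is unanchored, so `allowedRegex: "prod"` also accepts a value like `non-prod`; the template should either anchor the pattern itself or document that users must write `^prod$`.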