From cffbc84007f5aaabb6a8445c0931b1ef16868c72 Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Fri, 26 Apr 2019 18:03:59 -0700 Subject: [PATCH 01/11] example manager image patch Signed-off-by: Craig Tabita --- .gitignore | 3 +++ Makefile | 1 + ...nager_image_patch.yaml => manager_image_patch.example.yaml} | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) rename config/{manager_image_patch.yaml => manager_image_patch.example.yaml} (77%) diff --git a/.gitignore b/.gitignore index aa146573238..b30fa4fd18e 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,9 @@ bin # Output of the go coverage tool, specifically when used with LiteIDE *.out +# Manager image patch file +/config/manager_image_patch.yaml + # Kubernetes Generated files - skip generated files, except for vendored files !vendor/**/zz_generated.* diff --git a/Makefile b/Makefile index 7c4234e4efa..9e3fcd13948 100644 --- a/Makefile +++ b/Makefile @@ -96,6 +96,7 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" + cp ./config/manager_image_patch.example.yaml ./config/manager_image_patch.yaml sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml docker-build-ci: diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.example.yaml similarity index 77% rename from config/manager_image_patch.yaml rename to config/manager_image_patch.example.yaml index d6e35a793e3..fcbf39dc6a5 100644 --- a/config/manager_image_patch.yaml +++ b/config/manager_image_patch.example.yaml @@ -8,5 +8,5 @@ spec: spec: containers: # Change the value of image field below to your controller image URL - - image: gcr.io/smythe-kpc/open-policy-agent/gatekeeper:latest + - image: IMAGE_URL name: manager From a8c0c6ae2c2b451b676c09301d96136e021e180a Mon Sep 17 00:00:00 2001 
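Review bot: The new `cp ./config/manager_image_patch.example.yaml ./config/manager_image_patch.yaml` in the docker-build recipe overwrites the now git-ignored patch file on every build, so an image a developer set by hand in that file is silently replaced before the sed runs; if keeping a hand-edited file is intended, `test -f ./config/manager_image_patch.yaml || cp ./config/manager_image_patch.example.yaml ./config/manager_image_patch.yaml` preserves it. The `.gitignore` hunk in the same commit ignores a file that the kustomization still lists as a patch (visible as context in the `config/kustomization.yaml` hunk of [PATCH 04/11]), so on a fresh clone `kustomize build config` presumably has nothing to load until `make docker-build` has run; the README's make-based install steps should say that docker-build must precede deploy.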
From: maxsmythe Date: Fri, 26 Apr 2019 18:09:38 -0700 Subject: [PATCH 02/11] Update readme (#99) * Update gitignore to not ignore logs packages Signed-off-by: Max Smythe * Explicitly include vendor directory Signed-off-by: Max Smythe * No need to run dep ensure Signed-off-by: Max Smythe * No need to install dep Signed-off-by: Max Smythe * Fix error in explicit inclusion of all vendor subpackages Signed-off-by: Max Smythe * Remove vistigial config/default/manager_image_patch.yaml Signed-off-by: Max Smythe * Add requirement that user have cluster-admin rolebinding to install instructions Signed-off-by: Max Smythe Signed-off-by: Craig Tabita --- README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/README.md b/README.md index 6c2bab7ccd0..34d9e7898c5 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,18 @@ WARNING: It is not recommended to install Gatekeeper on a production cluster. Th ### Installation +#### Prerequisites + +For either installation method, make sure you have cluster admin permissions: + +```sh + kubectl create clusterrolebinding cluster-admin-binding \ + --clusterrole cluster-admin \ + --user +``` + #### Deploying HEAD Using make + Currently the most reliable way of installing Gatekeeper is to build and install from HEAD: * Make sure [Kubebuilder is installed](https://book.kubebuilder.io/getting_started/installation_and_setup.html) @@ -50,6 +61,7 @@ Currently the most reliable way of installing Gatekeeper is to build and install * run `make deploy` #### Deploying a Release using Prebuilt Image + If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: ```sh 
@@ -72,12 +84,14 @@ When Gatekeeper is running it is possible to remove unwanted constraints by: #### Uninstall Gatekeeper ##### Using make + If you used `make` to deploy, then run the following to uninstall Gatekeeper: * cd to the repository directory * run `make uninstall` ##### Using Prebuilt Image + If you used a prebuilt image to deploy Gatekeeper, then you can delete all the Gatekeeper components with the following command: ```sh @@ -85,6 +99,7 @@ If you used a prebuilt image to deploy Gatekeeper, then you can delete all the G ``` ##### Manually Removing Constraints + If Gatekeeper is no longer running and there are extra constraints in the cluster, then the finalizers, CRDs and other artifacts must be removed manually: * Delete all instances of the constraint resource From aef7f2295965e134e7fddc48735bc06a3c24116e Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Sun, 28 Apr 2019 23:48:32 -0700 Subject: [PATCH 03/11] Update readme Signed-off-by: Anish Ramasekar Signed-off-by: Craig Tabita --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 34d9e7898c5..54c857ab960 100644 --- a/README.md +++ b/README.md 
@@ -29,7 +29,7 @@ Kubernetes allows decoupling policy decisions from the inner workings of the API In addition to the `admission` scenario, Gatekeeper's audit functionality allows administrators to see what resources are currently violating any given policy. -Finally, Gatekeeper's engine is designed to be portable, allowing administrators to detect and reject non-compliant commits to an infrastructure-as-code system's source-of-truth, further strenthening compliance efforts and preventing bad state from slowing down the organization. +Finally, Gatekeeper's engine is designed to be portable, allowing administrators to detect and reject non-compliant commits to an infrastructure-as-code system's source-of-truth, further strengthening compliance efforts and preventing bad state from slowing down the organization. ## Installation Instructions @@ -51,7 +51,7 @@ For either installation method, make sure you have cluster admin permissions: Currently the most reliable way of installing Gatekeeper is to build and install from HEAD: - * Make sure [Kubebuilder is installed](https://book.kubebuilder.io/getting_started/installation_and_setup.html) + * Make sure [Kubebuilder](https://book.kubebuilder.io/getting_started/installation_and_setup.html) and [Kustomize](https://github.com/kubernetes-sigs/kustomize/blob/master/docs/INSTALL.md) are installed. * Clone the Gatekeeper repo to your local system * Make sure you have a container registry you can write to that is readable by the target cluster * cd to the repository directory From 84e82b4677875f203cceb789c07840b773c72db4 Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Mon, 29 Apr 2019 13:15:36 -0700 Subject: [PATCH 04/11] manager image patch 
Signed-off-by: Craig Tabita --- .gitignore | 2 +- Makefile | 4 ++-- README.md | 10 ++++++++-- config/kustomization.yaml | 2 +- config/{ => manager}/manager_image_patch.example.yaml | 2 +- 5 files changed, 13 insertions(+), 7 deletions(-) rename config/{ => manager}/manager_image_patch.example.yaml (89%) diff --git a/.gitignore b/.gitignore index b30fa4fd18e..8f51a456fa2 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,7 @@ bin *.out # Manager image patch file -/config/manager_image_patch.yaml +/config/manager/manager_image_patch.yaml # Kubernetes Generated files - skip generated files, except for vendored files diff --git a/Makefile b/Makefile index 9e3fcd13948..a1d22319f88 100644 --- a/Makefile +++ b/Makefile @@ -96,8 +96,8 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" - cp ./config/manager_image_patch.example.yaml ./config/manager_image_patch.yaml - sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml + cp ./config/manager/manager_image_patch.example.yaml ./config/manager/manager_image_patch.yaml + sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager/manager_image_patch.yaml docker-build-ci: docker build . -t $(IMG) -f Dockerfile_ci diff --git a/README.md b/README.md index 54c857ab960..dd6c218a664 100644 --- a/README.md +++ b/README.md 
@@ -62,8 +62,14 @@ Currently the most reliable way of installing Gatekeeper is to build and install #### Deploying a Release using Prebuilt Image -If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: - + If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command, substituting the url to your prebuilt image: + + ``` + IMG= + cp ./config/manager/manager_image_patch.example.yaml ./config/manager/manager_image_patch.yaml + sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager/manager_image_patch.yaml + ``` + ```sh kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper-constraint.yaml ``` diff --git a/config/kustomization.yaml b/config/kustomization.yaml index 892a1032c41..82373a32034 100644 --- a/config/kustomization.yaml +++ b/config/kustomization.yaml @@ -23,7 +23,7 @@ resources: - manager/manager.yaml patches: -- manager_image_patch.yaml +- manager/manager_image_patch.yaml vars: - name: WEBHOOK_SECRET_NAME diff --git a/config/manager_image_patch.example.yaml b/config/manager/manager_image_patch.example.yaml similarity index 89% rename from config/manager_image_patch.example.yaml rename to config/manager/manager_image_patch.example.yaml index fcbf39dc6a5..084e4c62db8 100644 --- a/config/manager_image_patch.example.yaml +++ b/config/manager/manager_image_patch.example.yaml @@ -8,5 +8,5 @@ spec: spec: containers: # Change the value of image field below to your controller image URL - - image: IMAGE_URL + - image: name: manager From 6eea0242125baadd90e1487d5c870171cefc168e Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Mon, 29 Apr 2019 15:39:26 -0700 Subject: [PATCH 05/11] manager image patch 
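Review bot: `- image: ` with nothing after the colon is parsed as YAML null, not as an empty string, so a copy of this example applied before being edited no longer fails on an obvious placeholder. In a strategic merge patch a null value is generally treated as "delete this field", so the patch would likely strip the image set in `manager/manager.yaml` rather than override it — confirm against kustomize's behaviour. Keeping a plain placeholder such as the previous `IMAGE_URL`, or writing `- image: ""`, makes an unedited copy fail as an obviously invalid image reference instead. The same empty value is reintroduced in the checked-in `config/manager_image_patch.yaml` of [PATCH 09/11].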
Signed-off-by: Craig Tabita --- Makefile | 3 +-- README.md | 12 ++++++------ ...xample.yaml => manager_image_patch_template.yaml} | 1 + 3 files changed, 8 insertions(+), 8 deletions(-) rename config/manager/{manager_image_patch.example.yaml => manager_image_patch_template.yaml} (76%) diff --git a/Makefile b/Makefile index a1d22319f88..7a5581473c1 100644 --- a/Makefile +++ b/Makefile @@ -96,8 +96,7 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" - cp ./config/manager/manager_image_patch.example.yaml ./config/manager/manager_image_patch.yaml - sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager/manager_image_patch.yaml + echo "#" > ./config/manager/manager_image_patch.yaml docker-build-ci: docker build . -t $(IMG) -f Dockerfile_ci diff --git a/README.md b/README.md index dd6c218a664..318b2af40ac 100644 --- a/README.md +++ b/README.md @@ -62,14 +62,14 @@ Currently the most reliable way of installing Gatekeeper is to build and install #### Deploying a Release using Prebuilt Image - If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command, substituting the url to your prebuilt image: - - ``` - IMG= - cp ./config/manager/manager_image_patch.example.yaml ./config/manager/manager_image_patch.yaml - sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager/manager_image_patch.yaml +If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then first copy the following kustomize configuration patch: + + ```sh + cp config/manager/manager_image_patch.example.yaml config/manager/manager_image_patch.yaml ``` +Then modify the new manager_image_patch.yaml file to point to your prebuilt image. Finally, run the following: + ```sh kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper-constraint.yaml ``` 
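Review bot: After this change docker-build no longer writes `${IMG}` anywhere: the sed line is removed and `echo "#" > ./config/manager_image_patch.yaml` leaves a comment-only file, while the preceding `@echo "updating kustomize image patch file for manager resource"` still claims the patch is updated. A developer who runs `make docker-build` followed by `make deploy` therefore deploys whatever image `manager/manager.yaml` carries rather than the one just built, unless they also hand-edit the patch as the new README text describes; if that is the intent the echo message should say so, and the recipe should not clobber an existing hand-edited file, e.g. `test -s ./config/manager_image_patch.yaml || echo "#" > ./config/manager_image_patch.yaml`. Whether kustomize accepts a comment-only patch document is not shown here and should be confirmed.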
diff --git a/config/manager/manager_image_patch.example.yaml b/config/manager/manager_image_patch_template.yaml similarity index 76% rename from config/manager/manager_image_patch.example.yaml rename to config/manager/manager_image_patch_template.yaml index 084e4c62db8..ea9d95beb9f 100644 --- a/config/manager/manager_image_patch.example.yaml +++ b/config/manager/manager_image_patch_template.yaml @@ -1,3 +1,4 @@ +# You can copy this file to manager_image_patch.yaml to specify a prebuilt image apiVersion: apps/v1 kind: StatefulSet metadata: From 376fc0fd78adbd20c17e8a51d3178b3c230a1b08 Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Mon, 29 Apr 2019 16:23:04 -0700 Subject: [PATCH 06/11] move patch file back to original location Signed-off-by: Craig Tabita --- .gitignore | 2 +- Makefile | 2 +- README.md | 2 +- config/kustomization.yaml | 2 +- config/manager_image_patch.yaml | 1 + config/{manager => }/manager_image_patch_template.yaml | 0 6 files changed, 5 insertions(+), 4 deletions(-) create mode 100644 config/manager_image_patch.yaml rename config/{manager => }/manager_image_patch_template.yaml (100%) diff --git a/.gitignore b/.gitignore index 8f51a456fa2..b30fa4fd18e 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,7 @@ bin *.out # Manager image patch file -/config/manager/manager_image_patch.yaml +/config/manager_image_patch.yaml # Kubernetes Generated files - skip generated files, except for vendored files diff --git a/Makefile b/Makefile index 7a5581473c1..6521c1f86f8 100644 --- a/Makefile +++ b/Makefile @@ -96,7 +96,7 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" - echo "#" > ./config/manager/manager_image_patch.yaml + echo "#" > ./config/manager_image_patch.yaml docker-build-ci: docker build . -t $(IMG) -f Dockerfile_ci diff --git a/README.md b/README.md index 318b2af40ac..5aabaf93bbb 100644 --- a/README.md +++ b/README.md 
@@ -65,7 +65,7 @@ Currently the most reliable way of installing Gatekeeper is to build and install If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then first copy the following kustomize configuration patch: ```sh - cp config/manager/manager_image_patch.example.yaml config/manager/manager_image_patch.yaml + cp config/manager_image_patch_template.yaml config/manager_image_patch.yaml ``` Then modify the new manager_image_patch.yaml file to point to your prebuilt image. Finally, run the following: diff --git a/config/kustomization.yaml b/config/kustomization.yaml index 82373a32034..892a1032c41 100644 --- a/config/kustomization.yaml +++ b/config/kustomization.yaml @@ -23,7 +23,7 @@ resources: - manager/manager.yaml patches: -- manager/manager_image_patch.yaml +- manager_image_patch.yaml vars: - name: WEBHOOK_SECRET_NAME diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.yaml new file mode 100644 index 00000000000..792d6005489 --- /dev/null +++ b/config/manager_image_patch.yaml @@ -0,0 +1 @@ +# diff --git a/config/manager/manager_image_patch_template.yaml b/config/manager_image_patch_template.yaml similarity index 100% rename from config/manager/manager_image_patch_template.yaml rename to config/manager_image_patch_template.yaml From 7c719fbc3d926bae654a02eacea18085f95f0bd7 Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Mon, 29 Apr 2019 16:26:41 -0700 Subject: [PATCH 07/11] rm empty image patch file Signed-off-by: Craig Tabita --- config/manager_image_patch.yaml | 1 - 1 file changed, 1 deletion(-) delete mode 100644 config/manager_image_patch.yaml diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.yaml deleted file mode 100644 index 792d6005489..00000000000 --- a/config/manager_image_patch.yaml +++ /dev/null @@ -1 +0,0 @@ -# From 3d2565dabfc745efe2fc0f9b5253131e6e628b34 Mon Sep 17 00:00:00 2001 
From: Craig Tabita Date: Tue, 30 Apr 2019 10:49:58 -0700 Subject: [PATCH 08/11] check in image patch file, go back to sed in makefile Signed-off-by: Craig Tabita --- Makefile | 2 +- config/manager_image_patch.yaml | 12 ++++++++++++ config/manager_image_patch_template.yaml | 13 ------------- 3 files changed, 13 insertions(+), 14 deletions(-) create mode 100644 config/manager_image_patch.yaml delete mode 100644 config/manager_image_patch_template.yaml diff --git a/Makefile b/Makefile index 6521c1f86f8..7c4234e4efa 100644 --- a/Makefile +++ b/Makefile @@ -96,7 +96,7 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" - echo "#" > ./config/manager_image_patch.yaml + sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml docker-build-ci: docker build . -t $(IMG) -f Dockerfile_ci diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.yaml new file mode 100644 index 00000000000..dc548131e1e --- /dev/null +++ b/config/manager_image_patch.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: controller-manager + namespace: system +spec: + template: + spec: + containers: + # Change the value of image field below to your controller image URL + - image: gcr.io/ctab-gatekeeper/open-policy-agent/gatekeeper:latest + name: manager \ No newline at end of file diff --git a/config/manager_image_patch_template.yaml b/config/manager_image_patch_template.yaml deleted file mode 100644 index ea9d95beb9f..00000000000 --- a/config/manager_image_patch_template.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# You can copy this file to manager_image_patch.yaml to specify a prebuilt image -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - # Change the value of image field below to your controller image URL - - image: - name: manager 
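Review bot: The new `config/manager_image_patch.yaml` is a tracked file even though `.gitignore` lists it, and ignore rules have no effect on tracked paths, so the restored `sed -i` in docker-build will surface as a local modification carrying each developer's `${IMG}`; the `gcr.io/ctab-gatekeeper/...` URL committed here looks like exactly such a modification that slipped in. Because `config/kustomization.yaml` applies this patch, anyone running `make deploy` without a prior `make docker-build` deploys the manager from that personal registry rather than a project-controlled image. Either keep the file untracked and generated by the Makefile (as [PATCH 10/11] later does), or commit it with a neutral placeholder and stop editing it in place; the `.gitignore` pattern change in [PATCH 09/11] does not address this because the file stays tracked. The file also lacks a trailing newline (`\ No newline at end of file`).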
From bfa9a8a5f258e14dc488ae3245bddaaa0abd0300 Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Tue, 30 Apr 2019 10:56:46 -0700 Subject: [PATCH 09/11] fix gitignore Signed-off-by: Craig Tabita --- .gitignore | 2 +- config/manager_image_patch.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index b30fa4fd18e..4154dc8a131 100644 --- a/.gitignore +++ b/.gitignore @@ -16,7 +16,7 @@ bin *.out # Manager image patch file -/config/manager_image_patch.yaml +config/manager_image_patch.yaml # Kubernetes Generated files - skip generated files, except for vendored files diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.yaml index dc548131e1e..93dc05443ab 100644 --- a/config/manager_image_patch.yaml +++ b/config/manager_image_patch.yaml @@ -7,6 +7,6 @@ spec: template: spec: containers: - # Change the value of image field below to your controller image URL - - image: gcr.io/ctab-gatekeeper/open-policy-agent/gatekeeper:latest - name: manager \ No newline at end of file + # Change the value of image field below to your controller image URL + - image: + name: manager From 62045ca9b9e2c724847505ddb2189f30b176079e Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Tue, 30 Apr 2019 14:27:45 -0700 Subject: [PATCH 10/11] add patch file to make file Signed-off-by: Craig Tabita --- Makefile | 17 ++++++++++++++++- README.md | 8 +------- config/manager_image_patch.yaml | 12 ------------ 3 files changed, 17 insertions(+), 20 deletions(-) delete mode 100644 config/manager_image_patch.yaml diff --git a/Makefile b/Makefile index 7c4234e4efa..759e5f387d5 100644 --- a/Makefile +++ b/Makefile 
@@ -16,6 +16,18 @@ LDFLAGS := "-X github.com/open-policy-agent/gatekeeper/version.Version=$(VERSION -X github.com/open-policy-agent/gatekeeper/version.Timestamp=$(BUILD_TIMESTAMP) \ -X github.com/open-policy-agent/gatekeeper/version.Hostname=$(BUILD_HOSTNAME)" +MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\ +\nkind: StatefulSet\ +\nmetadata:\ +\n name: controller-manager\ +\n namespace: system\ +\nspec:\ +\n template:\ +\n spec:\ +\n containers:\ +\n - image: \ +\n name: manager" + all: test manager # Run tests @@ -96,7 +108,10 @@ docker-push-release: docker-tag-release docker-build: docker build . -t ${IMG} @echo "updating kustomize image patch file for manager resource" - sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml + + @test -s ./config/manager_image_patch.yaml || bash -c 'echo -e ${MANAGER_IMAGE_PATCH} > ./config/manager_image_patch.yaml' + + @sed -i'' -e 's@image: .*@image: '"${IMG}"'@' ./config/manager_image_patch.yaml docker-build-ci: docker build . -t $(IMG) -f Dockerfile_ci diff --git a/README.md b/README.md index 5aabaf93bbb..54c857ab960 100644 --- a/README.md +++ b/README.md @@ -62,13 +62,7 @@ Currently the most reliable way of installing Gatekeeper is to build and install #### Deploying a Release using Prebuilt Image -If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then first copy the following kustomize configuration patch: - - ```sh - cp config/manager_image_patch_template.yaml config/manager_image_patch.yaml - ``` - -Then modify the new manager_image_patch.yaml file to point to your prebuilt image. Finally, run the following: +If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: ```sh kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper-constraint.yaml 
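Review bot: `@sed -i'' -e 's@image: .*@image: '"${IMG}"'@'` uses `@` as the s-command delimiter, but digest-pinned image references of the form `registry/repo@sha256:<digest>` (constructed example) contain `@`, so passing such an IMG makes sed see extra delimiters and fail — the one form of IMG a supply-chain-conscious user is most likely to use. A delimiter that cannot occur in an image reference, `'s|image: .*|image: '"${IMG}"'|'`, avoids this; kustomize's own `images:` transformer would avoid the sed entirely. Since make expands `${IMG}` before the shell sees it, an IMG that is not defined elsewhere in the Makefile (not visible here) silently yields `image: ` (YAML null) in the generated file; a `$(if $(IMG),,$(error IMG is not set))` line in the recipe would catch that. The `@` prefix on both new recipe lines also hides the commands from the build log, which makes exactly these failures harder to diagnose.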
diff --git a/config/manager_image_patch.yaml b/config/manager_image_patch.yaml deleted file mode 100644 index 93dc05443ab..00000000000 --- a/config/manager_image_patch.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: controller-manager - namespace: system -spec: - template: - spec: - containers: - # Change the value of image field below to your controller image URL - - image: - name: manager From 3d256ca938b93e686de04d2c9b59c12f478e4e5d Mon Sep 17 00:00:00 2001 From: Craig Tabita Date: Tue, 30 Apr 2019 17:22:30 -0700 Subject: [PATCH 11/11] add touch to make deploy Signed-off-by: Craig Tabita --- Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/Makefile b/Makefile index 759e5f387d5..ec72883cc9d 100644 --- a/Makefile +++ b/Makefile @@ -62,6 +62,7 @@ install: manifests # Deploy controller in the configured Kubernetes cluster in ~/.kube/config deploy: manifests + touch -a ./config/manager_image_patch.yaml kubectl apply -f config/crds kubectl apply -f vendor/github.com/open-policy-agent/frameworks/constraint/config/crds kustomize build config | kubectl apply -f -
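Review bot: `touch -a ./config/manager_image_patch.yaml` only guarantees the file exists, so `make deploy` on a fresh clone without a prior `make docker-build` now proceeds with an empty patch instead of failing on a missing file; presumably kustomize then applies nothing and the manager is deployed with whatever image `manager/manager.yaml` names — confirm how kustomize handles an empty patch document. Failing loudly is the safer default: `@test -s ./config/manager_image_patch.yaml || { echo "config/manager_image_patch.yaml is empty; run 'make docker-build' first" >&2; exit 1; }`. Reusing docker-build's `test -s ... || bash -c 'echo -e ${MANAGER_IMAGE_PATCH} ...'` generation here would at least make the two targets consistent, though it still leaves `image:` unset.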