Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add enforcementAction to status #180

Merged
merged 2 commits into from
Jul 11, 2019
Merged

Add enforcementAction to status #180

merged 2 commits into from
Jul 11, 2019

Conversation

ritazh
Copy link
Member

@ritazh ritazh commented Jul 10, 2019
edited
Loading

Signed-off-by: Rita Zhang rita.z.zhang@gmail.com

@timothyhinrichs @maxsmythe
Per our discussion for the Dry Run design proposal, this PR updates the status field of Constraint object to include the enforcementAction the violation resulted from.

Example of a Constraint's status field as a result of this PR:

status:
  auditTimestamp: "2019-07-10T06:06:29Z"
  byPod:
  - enforced: true
    id: gatekeeper-controller-manager-0
  violations:
  - enforcementAction: deny
    kind: Pod
    message: 'you must provide labels: {"gatekeeper"}'
    name: nginx-4rfps
    namespace: test
  - enforcementAction: deny
    kind: Pod
    message: 'you must provide labels: {"gatekeeper"}'
    name: nginx-xrxjk
    namespace: test

Once we have implemented the dry run feature, it could be something like:
Constraint for prod

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: K8sRequiredLabels
metadata:
  name: pod-must-have-gk-prod
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "production"
  parameters:
    labels: ["gatekeeper"]
status:
  auditTimestamp: "2019-07-10T06:06:29Z"
  byPod:
  - enforced: true
    id: gatekeeper-controller-manager-0
  violations:
  - enforcementAction: dryrun
    kind: Pod
    message: 'you must provide labels: {"gatekeeper"}'
    name: nginx-xrxjk
    namespace: production

Constraint for dev

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: K8sRequiredLabels
metadata:
  name: pod-must-have-gk-dev
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "dev"
  parameters:
    labels: ["gatekeeper"]
status:
  auditTimestamp: "2019-07-10T06:06:29Z"
  byPod:
  - enforced: true
    id: gatekeeper-controller-manager-0
  violations:
  - enforcementAction: deny
    kind: Pod
    message: 'you must provide labels: {"gatekeeper"}'
    name: nginx-xrxjk
    namespace: dev

@ritazh
Add violationByAction to status
9fa323d 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
maxsmythe
maxsmythe requested changes Jul 10, 2019
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after nits

pkg/audit/manager.go Outdated Show resolved Hide resolved
pkg/audit/manager.go Outdated Show resolved Hide resolved
@timothyhinrichs
Copy link
Member

LGTM.

'violations' instead of 'violationsByAction' (like we agreed to the other day) makes sense to me given that the value is an array of objects. It's clean that the enforcementaction is just another field.

@ritazh
Revert to violations
448eb5c 
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
@ritazh ritazh changed the title Add violationByAction to status Add enforcementAction to status Jul 11, 2019
maxsmythe
maxsmythe approved these changes Jul 11, 2019
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ritazh ritazh merged commit a4473f9 into open-policy-agent:master Jul 11, 2019
maxsmythe pushed a commit that referenced this pull request Jul 17, 2019
@adrianludwin @maxsmythe
Add enforcementAction to status (#180) (#185)
2e97204 
* Add violationByAction to status

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

* Revert to violations

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
cmccart750 pushed a commit to cmccart750/gatekeeper that referenced this pull request Jul 23, 2019
@adrianludwin @cmccart750
Add enforcementAction to status (open-policy-agent#180) (open-policy-…
7e46f64 
…agent#185)

* Add violationByAction to status

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>

* Revert to violations

Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
Signed-off-by: Cameron McCarthy <camm@google.com>
dhaiducek added a commit to dhaiducek/gatekeeper that referenced this pull request Jan 15, 2024
@openshift-cherrypick-robot @dhaiducek
Set TLS minimum version to 1.2 (open-policy-agent#180)
8709d2f 
ref: https://issues.redhat.com/browse/ACM-6233

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Co-authored-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
dhaiducek added a commit to dhaiducek/gatekeeper that referenced this pull request Feb 14, 2024
@openshift-cherrypick-robot @dhaiducek @mprahl
Set TLS minimum version to 1.2 (open-policy-agent#180)
f89d415 
ref: https://issues.redhat.com/browse/ACM-6233

Signed-off-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Co-authored-by: Dale Haiducek <19750917+dhaiducek@users.noreply.github.com>
Signed-off-by: Yi Rae Kim <yikim@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxsmythe maxsmythe maxsmythe approved these changes

@timothyhinrichs timothyhinrichs Awaiting requested review from timothyhinrichs

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ritazh @timothyhinrichs @maxsmythe