

Add overriding webhook operations
Signed-off-by: Yi Rae Kim <[email protected]>
yiraeChristineKim committed Oct 31, 2023
1 parent 0838887 commit b7e2df7
Showing 12 changed files with 197 additions and 35 deletions.
8 changes: 8 additions & 0 deletions .github/workflows/ci_tests.yaml
Expand Up @@ -93,6 +93,10 @@ jobs:
echo "::group::Operator Logs"
cat operator.log
echo "::endgroup::"
echo "::group::Deployments"
kubectl -n gatekeeper-system get deployments -o yaml
echo "::endgroup::"
configsync-e2e-test:
name: Run configsync e2e tests
Expand Down Expand Up @@ -134,6 +138,10 @@ jobs:
echo "::group::Operator Logs"
cat operator.log
echo "::endgroup::"
echo "::group::Deployments"
kubectl -n gatekeeper-system get deployments -o yaml
echo "::endgroup::"
gatekeeper-e2e-tests:
name: Run gatekeeper e2e tests
5 changes: 5 additions & 0 deletions api/v1alpha1/gatekeeper_types.go
Expand Up @@ -127,9 +127,14 @@ type WebhookConfig struct {
// +optional
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
// +optional
Operations *[]OperationType `json:"operations,omitempty"`
// +optional
DisabledBuiltins []string `json:"disabledBuiltins,omitempty"`
}

// +kubebuilder:validation:Enum:=CONNECT;CREATE;UPDATE;DELETE;*
type OperationType admregv1.OperationType

// +kubebuilder:validation:Enum:=DEBUG;INFO;WARNING;ERROR
type LogLevelMode string

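Review bot: The new `Operations` field has no doc comment and no minimum-length constraint, so `operations: []` passes CRD validation but yields a webhook rule whose `operations` list is empty, which I believe the API server rejects when the ValidatingWebhookConfiguration is applied (mixing `*` with other values is, as far as I recall, rejected the same way). Since this field decides which admission operations Gatekeeper intercepts at all, the omission of an operation is a silent bypass of policy enforcement for that request type and deserves saying so in the field's doc. I would add `// +kubebuilder:validation:MinItems=1` above the `+optional` marker and a short doc comment such as `// Operations overrides the admission operations the Gatekeeper webhooks intercept; an operation left out here is not evaluated by any constraint.`, with a note that `*` cannot be combined with the individual values. The pointer-to-slice type (`*[]OperationType`) departs from the usual Kubernetes API convention; if it is only there to distinguish "unset" from "empty", a sentence in the doc comment saying so would help the next maintainer.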
9 changes: 9 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -367,6 +367,8 @@ spec:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
Expand Down Expand Up @@ -403,6 +405,8 @@ spec:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
securityContext:
runAsNonRoot: true
serviceAccountName: gatekeeper-operator-controller-manager
11 changes: 11 additions & 0 deletions bundle/manifests/operator.gatekeeper.sh_gatekeepers.yaml
Expand Up @@ -1085,6 +1085,17 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
operations:
items:
description: OperationType specifies an operation for a request.
enum:
- CONNECT
- CREATE
- UPDATE
- DELETE
- '*'
type: string
type: array
replicas:
format: int32
minimum: 0
11 changes: 11 additions & 0 deletions config/crd/bases/operator.gatekeeper.sh_gatekeepers.yaml
Expand Up @@ -1085,6 +1085,17 @@ spec:
"value". The requirements are ANDed.
type: object
type: object
operations:
items:
description: OperationType specifies an operation for a request.
enum:
- CONNECT
- CREATE
- UPDATE
- DELETE
- '*'
type: string
type: array
replicas:
format: int32
minimum: 0
2 changes: 2 additions & 0 deletions config/default/manager_auth_proxy_patch.yaml
Expand Up @@ -25,6 +25,8 @@ spec:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- name: manager
args:
- "--health-probe-bind-address=:8081"
2 changes: 2 additions & 0 deletions config/manager/manager.yaml
Expand Up @@ -34,6 +34,8 @@ spec:
imagePullPolicy: Always
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
12 changes: 12 additions & 0 deletions config/samples/gatekeeper_operations.yaml
@@ -0,0 +1,12 @@
apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
name: gatekeeper
spec:
# Add fields here
webhook:
operations:
- CREATE
- UPDATE
- DELETE
- CONNECT
46 changes: 46 additions & 0 deletions controllers/gatekeeper_controller.go
Expand Up @@ -38,6 +38,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/event"
"sigs.k8s.io/controller-runtime/pkg/predicate"

"github.com/gatekeeper/gatekeeper-operator/api/v1alpha1"
operatorv1alpha1 "github.com/gatekeeper/gatekeeper-operator/api/v1alpha1"
"github.com/gatekeeper/gatekeeper-operator/controllers/merge"
"github.com/gatekeeper/gatekeeper-operator/pkg/platform"
Expand Down Expand Up @@ -620,6 +621,7 @@ func webhookOverrides(obj *unstructured.Unstructured, webhook *operatorv1alpha1.
return nil
}

// override common properties
func webhookConfigurationOverrides(
obj *unstructured.Unstructured,
webhook *operatorv1alpha1.WebhookConfig,
Expand All @@ -644,9 +646,15 @@ func webhookConfigurationOverrides(
return err
}
}

if err := setOperators(obj, webhook.Operations, webhookName); err != nil {
return err
}

if err := setNamespaceSelector(obj, webhook.NamespaceSelector, gatekeeperNamespace, webhookName); err != nil {
return err
}

} else if err := setNamespaceSelector(obj, nil, gatekeeperNamespace, webhookName); err != nil {
return err
}
Expand Down Expand Up @@ -963,6 +971,44 @@ func setNamespaceSelector(
return setWebhookConfigurationWithFn(obj, webhookName, setNamespaceSelectorFn)
}

func setOperators(
obj *unstructured.Unstructured, operations *[]v1alpha1.OperationType, webhookName string,
) error {
// If no operations is provided, no override for operations
if operations == nil {
return nil
}

setOperatorsFn := func(webhook map[string]interface{}) error {
rules := webhook["rules"].([]interface{})
if rules[0] == nil {
return nil
}

converted := make([]interface{}, len(*operations))
for i, op := range *operations {
converted[i] = string(op)
}

firtRuleObj := rules[0].(map[string]interface{})
newfirstRule := map[string]interface{}{
"apiGroups": firtRuleObj["apiGroups"],
"apiVersions": firtRuleObj["apiVersions"],
"operations": converted,
"resources": firtRuleObj["resources"],
"scope": firtRuleObj["scope"],
}

if err := unstructured.SetNestedSlice(webhook, []interface{}{newfirstRule}, "rules"); err != nil {
return errors.Wrapf(err, "Failed to set webhook namespace selector")
}

return nil
}

return setWebhookConfigurationWithFn(obj, webhookName, setOperatorsFn)
}

// Generic setters

func setAffinity(obj *unstructured.Unstructured, spec operatorv1alpha1.GatekeeperSpec) error {
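Review bot: `setOperators` replaces the whole `rules` list with a single rebuilt entry (`unstructured.SetNestedSlice(webhook, []interface{}{newfirstRule}, "rules")`), so if the upstream Gatekeeper webhook manifest ever carries more than one rule, every rule after the first is dropped and the resources it matched silently stop being admitted through Gatekeeper; the override should set `operations` on each rule instead. The unchecked assertions `webhook["rules"].([]interface{})` and `rules[0].(map[string]interface{})`, plus the unguarded `rules[0]` index, will panic the reconciler on a missing, empty or malformed `rules` value rather than return an error. The wrap message `"Failed to set webhook namespace selector"` is copied from `setNamespaceSelector` and should read `"Failed to set webhook operations"`, and `setOperators`/`firtRuleObj` would be clearer as `setOperations`/`firstRule`. The closure below ranges over all rules, reads them through `unstructured.NestedSlice` so type problems surface as errors, and gives each rule its own operations slice so the rules do not alias one another. Separately, `api/v1alpha1` is now imported twice (once bare, once as `operatorv1alpha1`); the new signature can use the existing alias and the bare import can go.

```go
setOperationsFn := func(webhook map[string]interface{}) error {
	rules, found, err := unstructured.NestedSlice(webhook, "rules")
	if err != nil {
		return errors.Wrapf(err, "Failed to read webhook rules")
	}
	if !found || len(rules) == 0 {
		return nil // nothing to override
	}

	for i, r := range rules {
		rule, ok := r.(map[string]interface{})
		if !ok {
			return errors.Errorf("webhook rule %d is not an object", i)
		}
		// fresh slice per rule so the rules do not share a backing array
		ops := make([]interface{}, len(*operations))
		for j, op := range *operations {
			ops[j] = string(op)
		}
		rule["operations"] = ops
		rules[i] = rule
	}

	if err := unstructured.SetNestedSlice(webhook, rules, "rules"); err != nil {
		return errors.Wrapf(err, "Failed to set webhook operations")
	}

	return nil
}
```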
4 changes: 4 additions & 0 deletions deploy/gatekeeper-operator.yaml
Expand Up @@ -1705,6 +1705,8 @@ spec:
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- args:
- --health-probe-bind-address=:8081
- --metrics-bind-address=127.0.0.1:8080
Expand Down Expand Up @@ -1738,6 +1740,8 @@ spec:
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
