
gatekeeper / gatekeeper-operator


Archived: Use github.com/stolostron/gatekeeper-operator

Home Page: https://github.com/stolostron/gatekeeper-operator

License: Apache License 2.0

Dockerfile 0.95% Makefile 10.82% Go 87.43% Shell 0.80%

gatekeeper-operator's Introduction

OPA Gatekeeper Operator


Operator for OPA Gatekeeper

Design

Please see the Gatekeeper Operator design document located at https://docs.google.com/document/d/1Nxw4Agq6nJrPL24fJPiTXtjtLQRsLJtHo9x5urwYB_I/edit?usp=sharing for some background information.

Installation

To install the Gatekeeper Operator, you can either run it outside the cluster, for faster iteration during development, or inside the cluster.

First, install the Operator CRD:

make install

Then proceed to the installation method you prefer below.

Note: By default, docker is used to build and push images in Makefile. To use podman instead, set DOCKER=podman when calling make.

Outside the Cluster

If you run the Gatekeeper Operator outside the cluster, it deploys Gatekeeper to the default namespace. To have it deploy Gatekeeper to a different namespace instead, set the NAMESPACE environment variable:

make run NAMESPACE=<namespace>

Inside the Cluster

If you would like to run the Operator inside the cluster, you'll need to build a container image. You can use a local private registry, or host it on a public registry service like quay.io.

  1. Build your image:
    make docker-build IMG=<registry>/<imagename>:<tag>
  2. Push the image:
    make docker-push IMG=<registry>/<imagename>:<tag>
  3. Deploy the Operator:
    make deploy IMG=<registry>/<imagename>:<tag>

You can also choose the namespace the operator is deployed to by providing the NAMESPACE variable. If it is not provided, the default namespace is gatekeeper-system.

make deploy IMG=<registry>/<imagename>:<tag> NAMESPACE=mygatekeeper

Deploy Operator using OLM

If you would like to deploy the Operator using OLM, you'll need to build and push a bundle image and an index image. The images must be hosted on a public registry service such as quay.io.

  1. Build your bundle image

    make bundle-build REPO=<registry>
  2. Push the bundle image

    make docker-push IMG=<bundle image name>
  3. Build the index image

    This make target will install opm if it is not already installed. If you would like to install it in your PATH manually instead, get it from here.

    make bundle-index-build REPO=<registry>
  4. Push the index image

    make docker-push IMG=<index image name>
  5. Create the CatalogSource/OperatorGroup/Subscription

    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: gatekeeper-operator
      namespace: gatekeeper-system
    spec:
      displayName: Gatekeeper Operator Upstream
      image: <index image name>
      publisher: github.com/gatekeeper/gatekeeper-operator
      sourceType: grpc
    ---
    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: gatekeeper-operator
      namespace: gatekeeper-system
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: gatekeeper-operator-sub
      namespace: gatekeeper-system
    spec:
      name: gatekeeper-operator
      channel: alpha
      source: gatekeeper-operator
      sourceNamespace: gatekeeper-system

Usage

Before using Gatekeeper, you have to create a gatekeeper resource; the operator consumes it and creates all the necessary resources for you.

Here is an example of a gatekeeper resource definition:

apiVersion: operator.gatekeeper.sh/v1alpha1
kind: Gatekeeper
metadata:
  name: gatekeeper
spec:
  # Add fields here
  audit:
    replicas: 1
    logLevel: ERROR

If nothing is defined in the spec, the default values are used. In the example above, the number of replicas for the audit pod is set to 1 and the logLevel to ERROR, where the default is INFO.

The ValidatingWebhookConfiguration defaults to ENABLED, meaning it will be created. To skip deploying the ValidatingWebhookConfiguration, set the validatingWebhook spec property to DISABLED.

To create an instance of gatekeeper in the specified namespace, you can start from one of the sample configurations:

kubectl create -f config/samples/operator_v1alpha1_gatekeeper.yaml

gatekeeper-operator's People

Contributors

dhaiducek, fedepaol, font, jaormx, justinkuli, mprahl, ruromero, sabinaaledort, sabre1041, tchughesiv, willkutler


gatekeeper-operator's Issues

gatekeeper operator bundle doesn't work on openshift 4.4

CSV stuck in pending state due to Policy rule not satisfied for service account. It works on ocp 4.5 and 4.6.

apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
    alm-examples: |-
      [
        {
          "apiVersion": "operator.gatekeeper.sh/v1alpha1",
          "kind": "Gatekeeper",
          "metadata": {
            "name": "gatekeeper"
          },
          "spec": {
            "audit": {
              "logLevel": "INFO",
              "replicas": 1
            },
            "image": {
              "image": "docker.io/openpolicyagent/gatekeeper:v3.2.2"
            },
            "validatingWebhook": "Enabled",
            "webhook": {
              "logLevel": "INFO",
              "replicas": 2
            }
          }
        }
      ]
    capabilities: Basic Install
    olm.operatorGroup: gatekeeper-operator
    olm.operatorNamespace: openshift-gatekeeper-operator
    olm.targetNamespaces: ''
    operators.operatorframework.io/builder: operator-sdk-v1.2.0
    operators.operatorframework.io/project_layout: go.kubebuilder.io/v2
  selfLink: >-
    /apis/operators.coreos.com/v1alpha1/namespaces/openshift-gatekeeper-operator/clusterserviceversions/gatekeeper-operator.v0.0.1
  resourceVersion: '126038'
  name: gatekeeper-operator.v0.0.1
  uid: 74ae41cc-dc64-480f-b2a4-20fb89efd2fe
  creationTimestamp: '2021-01-06T00:40:14Z'
  generation: 1
  namespace: openshift-gatekeeper-operator
  labels:
    olm.api.f3883f973f52868e: provided
spec:
  customresourcedefinitions:
    owned:
      - description: Gatekeeper is the Schema for the gatekeepers API
        displayName: Gatekeeper
        kind: Gatekeeper
        name: gatekeepers.operator.gatekeeper.sh
        version: v1alpha1
  apiservicedefinitions: {}
  keywords:
    - Gatekeeper
  displayName: Gatekeeper Operator
  provider:
    name: Red Hat
  maturity: alpha
  installModes:
    - supported: false
      type: OwnNamespace
    - supported: false
      type: SingleNamespace
    - supported: false
      type: MultiNamespace
    - supported: true
      type: AllNamespaces
  version: 0.0.1
  icon:
    - base64data: ''
      mediatype: ''
  links:
    - name: Gatekeeper Operator
      url: 'https://github.com/gatekeeper/gatekeeper-operator'
  install:
    spec:
      clusterPermissions:
        - rules:
            - apiGroups:
                - '*'
              resources:
                - '*'
              verbs:
                - get
                - list
                - watch
            - apiGroups:
                - admissionregistration.k8s.io
              resources:
                - validatingwebhookconfigurations
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - apiextensions.k8s.io
              resources:
                - customresourcedefinitions
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - config.gatekeeper.sh
              resources:
                - configs
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - config.gatekeeper.sh
              resources:
                - configs/status
              verbs:
                - get
                - patch
                - update
            - apiGroups:
                - constraints.gatekeeper.sh
              resources:
                - '*'
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - operator.gatekeeper.sh
              resources:
                - gatekeepers
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - operator.gatekeeper.sh
              resources:
                - gatekeepers/finalizers
              verbs:
                - delete
                - get
                - patch
                - update
            - apiGroups:
                - operator.gatekeeper.sh
              resources:
                - gatekeepers/status
              verbs:
                - get
                - patch
                - update
            - apiGroups:
                - policy
              resources:
                - podsecuritypolicies
              verbs:
                - create
                - delete
                - update
                - use
            - apiGroups:
                - rbac.authorization.k8s.io
              resources:
                - clusterrolebindings
                - clusterroles
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - status.gatekeeper.sh
              resources:
                - '*'
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - templates.gatekeeper.sh
              resources:
                - constrainttemplates
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - templates.gatekeeper.sh
              resources:
                - constrainttemplates/finalizers
              verbs:
                - delete
                - get
                - patch
                - update
            - apiGroups:
                - templates.gatekeeper.sh
              resources:
                - constrainttemplates/status
              verbs:
                - get
                - patch
                - update
            - apiGroups:
                - ''
              resources:
                - namespaces
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - security.openshift.io
              resourceNames:
                - anyuid
              resources:
                - securitycontextconstraints
              verbs:
                - use
            - apiGroups:
                - authentication.k8s.io
              resources:
                - tokenreviews
              verbs:
                - create
            - apiGroups:
                - authorization.k8s.io
              resources:
                - subjectaccessreviews
              verbs:
                - create
          serviceAccountName: default
      deployments:
        - name: gatekeeper-operator-controller-manager
          spec:
            replicas: 1
            selector:
              matchLabels:
                control-plane: controller-manager
            strategy: {}
            template:
              metadata:
                creationTimestamp: null
                labels:
                  control-plane: controller-manager
              spec:
                containers:
                  - args:
                      - '--secure-listen-address=0.0.0.0:8443'
                      - '--upstream=http://127.0.0.1:8080/'
                      - '--logtostderr=true'
                      - '--v=10'
                    image: 'gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0'
                    name: kube-rbac-proxy
                    ports:
                      - containerPort: 8443
                        name: https
                    resources: {}
                  - args:
                      - '--metrics-addr=127.0.0.1:8080'
                      - '--enable-leader-election'
                    command:
                      - /manager
                    image: 'quay.io/gatekeeper/gatekeeper-operator:latest'
                    imagePullPolicy: Always
                    name: manager
                    resources:
                      limits:
                        cpu: 100m
                        memory: 30Mi
                      requests:
                        cpu: 100m
                        memory: 20Mi
                terminationGracePeriodSeconds: 10
      permissions:
        - rules:
            - apiGroups:
                - ''
              resources:
                - configmaps
              verbs:
                - get
                - list
                - watch
                - create
                - update
                - patch
                - delete
            - apiGroups:
                - ''
              resources:
                - configmaps/status
              verbs:
                - get
                - update
                - patch
            - apiGroups:
                - ''
              resources:
                - events
              verbs:
                - create
                - patch
            - apiGroups:
                - apps
              resources:
                - deployments
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - ''
              resources:
                - secrets
                - serviceaccounts
                - services
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
            - apiGroups:
                - rbac.authorization.k8s.io
              resources:
                - rolebindings
                - roles
              verbs:
                - create
                - delete
                - get
                - list
                - patch
                - update
                - watch
          serviceAccountName: default
    strategy: deployment
  maintainers:
    - email: [email protected]
      name: Ivan Font
  description: Operator for OPA Gatekeeper
status:
  conditions:
    - lastTransitionTime: '2021-01-06T00:40:14Z'
      lastUpdateTime: '2021-01-06T00:40:14Z'
      message: requirements not yet checked
      phase: Pending
      reason: RequirementsUnknown
    - lastTransitionTime: '2021-01-06T00:40:14Z'
      lastUpdateTime: '2021-01-06T00:40:14Z'
      message: one or more requirements couldn't be found
      phase: Pending
      reason: RequirementsNotMet
  lastTransitionTime: '2021-01-06T00:40:14Z'
  lastUpdateTime: '2021-01-06T00:40:14Z'
  message: one or more requirements couldn't be found
  phase: Pending
  reason: RequirementsNotMet
  requirementStatus:
    - group: apiextensions.k8s.io
      kind: CustomResourceDefinition
      message: CRD is not present
      name: gatekeepers.operator.gatekeeper.sh
      status: NotPresent
      version: v1beta1
    - dependents:
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["get","list","watch","create","update","patch","delete"],"apiGroups":[""],"resources":["configmaps"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["get","update","patch"],"apiGroups":[""],"resources":["configmaps/status"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["create","patch"],"apiGroups":[""],"resources":["events"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apps"],"resources":["deployments"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["secrets","serviceaccounts","services"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            namespaced
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["rbac.authorization.k8s.io"],"resources":["rolebindings","roles"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["get","list","watch"],"apiGroups":["*"],"resources":["*"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["admissionregistration.k8s.io"],"resources":["validatingwebhookconfigurations"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["apiextensions.k8s.io"],"resources":["customresourcedefinitions"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["config.gatekeeper.sh"],"resources":["configs"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["get","patch","update"],"apiGroups":["config.gatekeeper.sh"],"resources":["configs/status"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["constraints.gatekeeper.sh"],"resources":["*"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["operator.gatekeeper.sh"],"resources":["gatekeepers"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["delete","get","patch","update"],"apiGroups":["operator.gatekeeper.sh"],"resources":["gatekeepers/finalizers"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["get","patch","update"],"apiGroups":["operator.gatekeeper.sh"],"resources":["gatekeepers/status"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","update","use"],"apiGroups":["policy"],"resources":["podsecuritypolicies"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["rbac.authorization.k8s.io"],"resources":["clusterrolebindings","clusterroles"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["status.gatekeeper.sh"],"resources":["*"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":["templates.gatekeeper.sh"],"resources":["constrainttemplates"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["delete","get","patch","update"],"apiGroups":["templates.gatekeeper.sh"],"resources":["constrainttemplates/finalizers"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["get","patch","update"],"apiGroups":["templates.gatekeeper.sh"],"resources":["constrainttemplates/status"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create","delete","get","list","patch","update","watch"],"apiGroups":[""],"resources":["namespaces"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["use"],"apiGroups":["security.openshift.io"],"resources":["securitycontextconstraints"],"resourceNames":["anyuid"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create"],"apiGroups":["authentication.k8s.io"],"resources":["tokenreviews"]}
          status: NotSatisfied
          version: v1beta1
        - group: rbac.authorization.k8s.io
          kind: PolicyRule
          message: >-
            cluster
            rule:{"verbs":["create"],"apiGroups":["authorization.k8s.io"],"resources":["subjectaccessreviews"]}
          status: NotSatisfied
          version: v1beta1
      group: ''
      kind: ServiceAccount
      message: Policy rule not satisfied for service account
      name: default
      status: PresentNotSatisfied
      version: v1

Verify OLM support

This issue tracks the work to verify that having the operator work without OLM does not have any impact when running with OLM. For example, do RBAC permissions need to be configured differently e.g. no wildcards, etc.?

Set up location to host operator images

This issue captures the work needed to set up a place to host operator image(s) on quay.io with a robot account that would handle updating the following images within CI (see #2):

  • An image would ideally get updated upon every PR merging, and tagged either as master or the commit SHA that triggered it.
  • An image that represented the particular release of this operator and tagged both with the release version (e.g. v0.0.1) and latest.

Consider using the escalate verb for RBAC resources in the operator roles

In addition to the permissions the operator needs to run, the operator is currently also granted all the permissions that are needed by gatekeeper because the operator creates the RBAC resources for gatekeeper itself: https://github.com/font/gatekeeper-operator/blob/3c4a16d9356ec9bf8a4d738c86b1a28104c73a86/controllers/gatekeeper_controller.go#L96-L117

Without this, K8s issues a privilege escalation error.

Instead of granting all the same individual permissions that gatekeeper needs, we could explicitly allow specifying any permission in a Role or ClusterRole by giving the operator permission to perform the escalate verb on roles or clusterroles resources.

Two-step install experience

I built the bundle and index images and tested the operator on OCP. Currently, the install experience is

  1. install gatekeeper operator
  2. create gatekeeper CR to create gatekeeper

Is this the experience we want to provide to customers to install gatekeeper?
Is it possible to create the gatekeeper CR by default?

Consider updating sample operator CR to include all possible config knobs for user reference in CSV

This should also update the CSV as part of the bundle generation so that the ALM examples annotation includes a complete example for users to reference:

alm-examples: |-
  [
    {
      "apiVersion": "operator.gatekeeper.sh/v1alpha1",
      "kind": "Gatekeeper",
      "metadata": {
        "name": "gatekeeper"
      },
      "spec": {
        "audit": {
          "logLevel": "INFO",
          "replicas": 1
        },
        "image": {
          "image": "docker.io/openpolicyagent/gatekeeper:v3.1.1"
        },
        "validatingWebhook": "Enabled",
        "webhook": {
          "logLevel": "INFO",
          "replicas": 2
        }
      }
    }
  ]

Gatekeeper manifest sync and storage

Gatekeeper manifests should be synced and statically stored as generated Go code within this code base and Operator CR fields would override the default values stored in the generated code. For this automated code generation we should use a tool like https://github.com/go-bindata/go-bindata that would turn Gatekeeper installation manifests into static assets in Go code.

Add support for uninstalling Gatekeeper

When the Gatekeeper CR named gatekeeper is deleted, all of the Gatekeeper related resources should be subsequently deleted. This is essentially the reverse of the installation path.

installModes options

 installModes:
  - supported: false
    type: OwnNamespace
  - supported: false
    type: SingleNamespace
  - supported: false
    type: MultiNamespace
  - supported: true
    type: AllNamespaces

Currently the gatekeeper operator uses the AllNamespaces install mode, but it is not working as expected because gatekeeper-operator needs to set ownerReferences on gatekeeper objects. If the gatekeeper CR is created in a namespace different from gatekeeper-operator's namespace, you will see the following errors:

2020-11-17T21:56:37.061Z ERROR controller Reconciler error {"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "openshift-openstack-infra", "error": "Unable to deploy Gatekeeper resources: Unable to set controller reference for gatekeeper-system/gatekeeper-webhook-server-cert: cross-namespace owner references are disallowed, owner's namespace openshift-openstack-infra, obj's namespace gatekeeper-system", "errorVerbose": "cross-namespace owner references are disallowed, owner's namespace openshift-openstack-infra, obj's namespace gatekeeper-system\nUnable to set controller reference for gatekeeper-system/gatekeeper-webhook-server-cert\ngithub.com/font/gatekeeper-operator/controllers.

So in my opinion, the OwnNamespace install mode is more appropriate.

CRD v1 doesn't work with ocp 4.5 catalog

Today the gatekeeper CRD is defined using apiVersion: apiextensions.k8s.io/v1. However, this is not going to work with ocp 4.5, meaning it will not show up in the operator hub catalog on ocp 4.5 due to the way bundles are built for ocp 4.5.

From cicd team:

Once we moved the acm bundle to start including v1 instead of just v1beta1 , we started getting some errors from the container verification pipeline (i.e. sanity checks after the builds complete). After talking with the CVP team, it looks like the only option is to remove all instances of v1 until we no longer need to backport our bundle (i.e. until we no longer support OCP 4.5).

Support validation in the Gatekeeper Operator

This tracks the work to add support for validating the Gatekeeper Operator CRD. Additionally, validation is required to enforce immutability properties that may be necessary. The Gatekeeper Operator should implement validation using:

A validating admission controller webhook should be considered if either:

  • validation of complex fields is necessary
  • immutability properties for certain fields in the Gatekeeper Operator API, or indirectly in the Gatekeeper API, are required to be enforced

Support defaulting for Gatekeeper Operator CRD

The Gatekeeper Operator will support some level of defaulting for various omitted fields that are not required in the Gatekeeper CRD. The list of fields that are optional is captured in the CRD API. The defaulting behavior will be done by either:

  1. As part of CRD defaulting markers when defining the Go struct https://book.kubebuilder.io/reference/markers/crd-validation.html.
  2. As part of an Operator mutating admission webhook that is deployed as part of the Operator.

It's preferred to use option 1 wherever possible.
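As an added example, not code from the gatekeeper-operator project: a Go sketch of the two defaulting and validation routes described in the two issues above (kubebuilder markers on the API struct for option 1, and the same rules applied in code as an operator webhook would for option 2), run against the README's sample Gatekeeper resource. The struct covers only the spec fields shown on this page. The replica defaults (one audit, two webhook, taken from the CSV's alm-examples), the log levels beyond INFO and ERROR, and the Enabled/Disabled spellings (which follow the CSV example rather than the README's ENABLED/DISABLED) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not gatekeeper-operator code. The kubebuilder markers are the
// CRD route (option 1); SetDefaults/Validate mirror them in Go (option 2).

// ComponentSpec configures one Gatekeeper deployment (audit or webhook).
type ComponentSpec struct {
	// +kubebuilder:validation:Minimum=0
	Replicas *int32 `json:"replicas,omitempty"`
	// +kubebuilder:default=INFO
	// +kubebuilder:validation:Enum=DEBUG;INFO;WARNING;ERROR
	LogLevel string `json:"logLevel,omitempty"`
}

// GatekeeperSpec is the subset of spec fields shown on this page.
type GatekeeperSpec struct {
	Audit   ComponentSpec `json:"audit"`
	Webhook ComponentSpec `json:"webhook"`
	// +kubebuilder:default=Enabled
	// +kubebuilder:validation:Enum=Enabled;Disabled
	ValidatingWebhook string `json:"validatingWebhook,omitempty"`
}

// Gatekeeper is the CR in the JSON form the CSV's alm-examples annotation uses.
type Gatekeeper struct {
	APIVersion string         `json:"apiVersion"`
	Kind       string         `json:"kind"`
	Spec       GatekeeperSpec `json:"spec"`
}

// Assumed level set; the page itself only names INFO and ERROR.
var logLevels = map[string]bool{"DEBUG": true, "INFO": true, "WARNING": true, "ERROR": true}

// ParseGatekeeper decodes a JSON-encoded CR and checks it is the expected kind.
func ParseGatekeeper(doc []byte) (Gatekeeper, error) {
	var gk Gatekeeper
	if err := json.Unmarshal(doc, &gk); err != nil {
		return gk, err
	}
	if gk.APIVersion != "operator.gatekeeper.sh/v1alpha1" || gk.Kind != "Gatekeeper" {
		return gk, fmt.Errorf("unexpected object %s/%s", gk.APIVersion, gk.Kind)
	}
	return gk, nil
}

// SetDefaults fills omitted fields the way the markers above would: INFO logging,
// an enabled ValidatingWebhookConfiguration, and (assumed) 1 audit / 2 webhook replicas.
func SetDefaults(spec *GatekeeperSpec) {
	defaultComponent(&spec.Audit, 1)
	defaultComponent(&spec.Webhook, 2)
	if spec.ValidatingWebhook == "" {
		spec.ValidatingWebhook = "Enabled"
	}
}

func defaultComponent(c *ComponentSpec, replicas int32) {
	if c.Replicas == nil {
		c.Replicas = &replicas
	}
	if c.LogLevel == "" {
		c.LogLevel = "INFO"
	}
}

// Validate returns every violation found; an empty result means the spec is admissible.
func Validate(spec GatekeeperSpec) []string {
	var errs []string
	check := func(path string, c ComponentSpec) {
		if c.Replicas != nil && *c.Replicas < 0 {
			errs = append(errs, fmt.Sprintf("%s.replicas: must be >= 0, got %d", path, *c.Replicas))
		}
		if c.LogLevel != "" && !logLevels[c.LogLevel] {
			errs = append(errs, fmt.Sprintf("%s.logLevel: unsupported value %q", path, c.LogLevel))
		}
	}
	check("spec.audit", spec.Audit)
	check("spec.webhook", spec.Webhook)
	switch spec.ValidatingWebhook {
	case "", "Enabled", "Disabled":
	default:
		errs = append(errs, fmt.Sprintf("spec.validatingWebhook: must be Enabled or Disabled, got %q", spec.ValidatingWebhook))
	}
	return errs
}

// Constructed sample: the README's example CR, encoded as JSON.
const sampleCR = `{"apiVersion":"operator.gatekeeper.sh/v1alpha1","kind":"Gatekeeper","metadata":{"name":"gatekeeper"},"spec":{"audit":{"replicas":1,"logLevel":"ERROR"}}}`

func main() {
	gk, err := ParseGatekeeper([]byte(sampleCR))
	if err != nil {
		panic(err)
	}
	SetDefaults(&gk.Spec)
	fmt.Printf("violations=%v audit=%d/%s webhook=%d/%s validatingWebhook=%s\n", Validate(gk.Spec),
		*gk.Spec.Audit.Replicas, gk.Spec.Audit.LogLevel, *gk.Spec.Webhook.Replicas, gk.Spec.Webhook.LogLevel, gk.Spec.ValidatingWebhook)
}
```

Running it against the README's resource leaves the explicit audit settings (1 replica, ERROR) untouched, fills the webhook with the assumed defaults, and reports no violations; a spec with a negative replica count, an unknown log level or a validatingWebhook value outside Enabled/Disabled is reported field by field, which is the behaviour a validating webhook would return in its admission response.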

Do not run CI jobs for changes to docs

#121 introduced a way to ignore docs related changes from running CI jobs using the GitHub Actions paths-ignore workflow syntax. However, this does not work for jobs that are required to pass before merging (branch protection rule) because the PR will block forever without being merge-able. Once GitHub adds that feature (see https://github.community/t/feature-request-conditional-required-checks/16761 for feature request), enable it. Otherwise consider something like https://github.com/fkirc/skip-duplicate-actions for an alternative solution.

gatekeeper operator failed to set owner reference

Looks like the operator is broken after #83 was merged.
I am seeing the following errors in the gatekeeper operator pod:

W1217 02:38:46.628966       1 warnings.go:67] apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
2020-12-17T02:38:46.629Z	ERROR	controller	Reconciler error	{"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "", "error": "Unable to deploy Gatekeeper resources: Error attempting to create resource /configs.config.gatekeeper.sh: customresourcedefinitions.apiextensions.k8s.io \"configs.config.gatekeeper.sh\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>", "errorVerbose": "customresourcedefinitions.apiextensions.k8s.io \"configs.config.gatekeeper.sh\" is forbidden: cannot set blockOwnerDeletion if an ownerReference refers to a resource you can't set finalizers on: , <nil>\nError attempting to create resource /configs.config.gatekeeper.sh\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).updateOrCreateResource\n\t/workspace/controllers/gatekeeper_controller.go:253\ngithub.com/gatekeeper/gatekeeper-operator/controlle...
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90

Support installing gatekeeper to any namespace

Currently Gatekeeper only supports installing to the gatekeeper-system namespace. That's the default installation namespace that is specified in the Gatekeeper manifests that are imported from the upstream Gatekeeper repo. This issue is to try overriding the namespace in each of the Gatekeeper resources with the namespace being watched by the operator e.g. configured using the WATCH_NAMESPACE passed via the downward API. This is because the operator supports running in any namespace and will watch for gatekeeper CRs in that same namespace. Ideally it would be as easy as this to support installing Gatekeeper to any namespace. Otherwise, we may need to make changes to Gatekeeper itself to successfully support this.

Add ability to install Gatekeeper into separate namespace from operator's namespace

Currently in Kubernetes we support installing Gatekeeper into any namespace as long as that namespace is also where the operator is running.

This issue tracks the work necessary to have the operator install Gatekeeper into any namespace separate from where the operator is running.

On vanilla Kubernetes, the operator may be running in one namespace, but the user may want Gatekeeper to be installed to the gatekeeper-system canonical namespace, or another namespace separate from the operator's namespace.

On OpenShift, the operator may be installed into the openshift-operators namespace, but the operator should install Gatekeeper into a canonical namespace e.g. openshift-gatekeeper-system.

We should consider adding a namespace field to the Gatekeeper operator custom resource so the user could select which namespace is desired, and the operator should use a sane default if the user leaves it empty. This would require the operator to have permissions to create namespaces. Is this desirable?
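The approach both namespace issues describe (take the target namespace from WATCH_NAMESPACE or a spec field and rewrite it into every imported manifest) is easy to get subtly wrong, because the upstream manifests embed gatekeeper-system in more places than metadata.namespace. The following is an added example, not code from the gatekeeper-operator project, that does the rewrite over generic maps with only the Go standard library. The manifests it loads are a constructed, trimmed stand-in for the upstream ones, and the clusterScoped kind list is an assumption to check against the manifests you actually import.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Upstream default, used when WATCH_NAMESPACE is not injected.
const defaultNamespace = "gatekeeper-system"

// Cluster-scoped kinds in the upstream manifests (assumed list): they never get
// a metadata.namespace, but some still embed the namespace elsewhere.
var clusterScoped = map[string]bool{
	"Namespace": true, "CustomResourceDefinition": true, "ClusterRole": true,
	"ClusterRoleBinding": true, "ValidatingWebhookConfiguration": true,
	"MutatingWebhookConfiguration": true,
}

type object = map[string]any

// TargetNamespace is the namespace the operator watches, from the
// WATCH_NAMESPACE variable the downward API injects, with the upstream default
// as fallback. getenv is a parameter so the lookup can be exercised offline.
func TargetNamespace(getenv func(string) string) string {
	if ns := getenv("WATCH_NAMESPACE"); ns != "" {
		return ns
	}
	return defaultNamespace
}

// LoadManifests decodes a JSON array of Kubernetes objects into generic maps,
// the same shape controller-runtime's unstructured.Unstructured wraps.
func LoadManifests(raw string) ([]object, error) {
	var objs []object
	if err := json.Unmarshal([]byte(raw), &objs); err != nil {
		return nil, fmt.Errorf("decoding manifests: %w", err)
	}
	return objs, nil
}

func metadata(obj object) object {
	md, ok := obj["metadata"].(object)
	if !ok {
		md = object{}
		obj["metadata"] = md
	}
	return md
}

// SetNamespace rewrites every place the upstream manifests hard-code
// gatekeeper-system: metadata.namespace of namespaced objects, the Namespace
// object's own name, ServiceAccount subjects in (Cluster)RoleBindings, and the
// webhook clientConfig.service.namespace that the API server dials.
func SetNamespace(objs []object, ns string) {
	for _, obj := range objs {
		kind, _ := obj["kind"].(string)
		md := metadata(obj)
		switch {
		case kind == "Namespace":
			md["name"] = ns
		case !clusterScoped[kind]:
			md["namespace"] = ns
		}
		if subjects, ok := obj["subjects"].([]any); ok {
			for _, s := range subjects {
				if subj, ok := s.(object); ok && subj["kind"] == "ServiceAccount" {
					subj["namespace"] = ns
				}
			}
		}
		if hooks, ok := obj["webhooks"].([]any); ok {
			for _, h := range hooks {
				hook, _ := h.(object)
				cfg, _ := hook["clientConfig"].(object)
				if svc, ok := cfg["service"].(object); ok {
					svc["namespace"] = ns
				}
			}
		}
	}
}

// sampleManifests is a constructed, trimmed stand-in for the upstream
// Gatekeeper manifests the operator imports.
const sampleManifests = `[
  {"apiVersion":"v1","kind":"Namespace","metadata":{"name":"gatekeeper-system"}},
  {"apiVersion":"v1","kind":"Secret","metadata":{"name":"gatekeeper-webhook-server-cert","namespace":"gatekeeper-system"}},
  {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"gatekeeper-manager-rolebinding"},
   "subjects":[{"kind":"ServiceAccount","name":"gatekeeper-admin","namespace":"gatekeeper-system"}]},
  {"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"name":"gatekeeper-validating-webhook-configuration"},
   "webhooks":[{"name":"validation.gatekeeper.sh","clientConfig":{"service":{"name":"gatekeeper-webhook-service","namespace":"gatekeeper-system","path":"/v1/admit"}}}]}
]`

func main() {
	objs, err := LoadManifests(sampleManifests)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	SetNamespace(objs, TargetNamespace(os.Getenv))
	for _, obj := range objs {
		md := metadata(obj)
		fmt.Printf("%-32v name=%v namespace=%v\n", obj["kind"], md["name"], md["namespace"])
	}
}
```

Anything that survives with the old namespace is a real failure, not a cosmetic one: a ClusterRoleBinding subject left in gatekeeper-system grants nothing to the service account that actually runs, and a webhook clientConfig.service left there makes the API server dial a Service that does not exist.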

Gatekeeper webhook failing in BATS E2E tests

In the process of working on PR #37, I'm seeing multiple connection refused errors such as:

# output: Error from server (InternalError): error when creating "test/bats/tests/sync.yaml": Internal error occurred: failed calling webhook "validation.gatekeeper.sh": Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admit?timeout=5s": dial tcp 10.96.85.246:443: connect: connection refused
...
...
# output: Error from server (InternalError): error when creating "test/bats/tests/good/no_dupe_ns.yaml": Internal error occurred: failed calling webhook "validation.gatekeeper.sh": Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admit?timeout=5s": dial tcp 10.96.85.246:443: connect: connection refused

This could be a problem with the GitHub Actions runner environment as local testing does not exhibit these networking errors.

See https://github.com/font/gatekeeper-operator/runs/1415031065?check_suite_focus=true for failure caused by a connection refused when attempting to kubectl port-forward and eventually leads to a timeout occurring. See https://github.com/font/gatekeeper-operator/pull/37/checks?check_run_id=1415031065#step:7:170 for beginning of errors.

After skipping the port-forward test, additional failures are seen whenever we attempt to contact the gatekeeper admission controller webhook for policy validation. See https://github.com/font/gatekeeper-operator/pull/37/checks?check_run_id=1416807087#step:7:100 and https://github.com/font/gatekeeper-operator/pull/37/checks?check_run_id=1416807087#step:7:108 for some examples.

The following may be of relevance https://dev.to/richicoder1/how-we-connect-to-kubernetes-pods-from-github-actions-1mg.

Add CI testing

This issue captures the work needed to implement some level of CI testing using for example GitHub Actions. The CI tests would ideally run:

  • unit tests
  • e2e tests to verify successful operation of the operator e.g. successfully installs Gatekeeper

The CI testing would execute upon the creation or updating of PRs as well as any merges.

Apply operator CR API overrides

  • spec.image.image
  • spec.image.imagePullPolicy
  • spec.audit.replicas
  • spec.audit.auditInterval
  • spec.audit.constraintViolationLimit
  • spec.audit.auditFromCache
  • spec.audit.auditChunkSize
  • spec.audit.logLevel
  • spec.audit.emitAuditEvents
  • spec.validatingWebhook
  • spec.webhook.replicas
  • spec.webhook.logLevel
  • spec.webhook.emitAdmissionEvents
  • spec.webhook.failurePolicy
  • spec.nodeSelector
  • spec.affinity
  • spec.tolerations
  • spec.podAnnotations
  • spec.resources
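Most of those fields end up either as a container argument on the audit or webhook Deployment or as a field on the ValidatingWebhookConfiguration. The following added example (not the operator's own code) shows the part that is easy to get wrong: applying spec.audit.* overrides onto an existing args list idempotently, so a second reconcile does not append a second --audit-interval, and validating spec.webhook.failurePolicy before writing it. The spec types and the Enabled/Disabled Mode are assumed shapes based on the field list; the flag names are taken from upstream Gatekeeper's manager binary and should be checked against the version you ship.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mode is the Enabled/Disabled enum assumed for the boolean-ish spec fields.
type Mode string

// AuditSpec carries the spec.audit overrides; a nil field means "keep the
// value from the upstream manifest".
type AuditSpec struct {
	Replicas                 *int32
	AuditInterval            *uint64
	ConstraintViolationLimit *uint64
	AuditFromCache           *Mode
	AuditChunkSize           *uint64
	LogLevel                 *string
	EmitAuditEvents          *Mode
}

// Container is the part of a Deployment container the overrides touch.
type Container struct {
	Name string
	Args []string
}

// Webhook is the part of a ValidatingWebhookConfiguration entry we manage.
type Webhook struct {
	Name          string
	FailurePolicy string
}

// SetArg replaces an existing --flag=... argument or appends one, so every
// reconcile converges on one copy of each flag instead of stacking duplicates.
func SetArg(args []string, flag, value string) []string {
	prefix := "--" + flag + "="
	for i, a := range args {
		if strings.HasPrefix(a, prefix) {
			args[i] = prefix + value
			return args
		}
	}
	return append(args, prefix+value)
}

func modeArg(m Mode) string { return strconv.FormatBool(m == "Enabled") }

// ApplyAudit maps each override onto the flag the Gatekeeper audit controller
// reads (flag names assumed from upstream; confirm with `manager --help`).
// The replica count is returned for the caller to put on the Deployment.
func ApplyAudit(c *Container, spec AuditSpec) *int32 {
	if spec.AuditInterval != nil {
		c.Args = SetArg(c.Args, "audit-interval", strconv.FormatUint(*spec.AuditInterval, 10))
	}
	if spec.ConstraintViolationLimit != nil {
		c.Args = SetArg(c.Args, "constraint-violations-limit", strconv.FormatUint(*spec.ConstraintViolationLimit, 10))
	}
	if spec.AuditFromCache != nil {
		c.Args = SetArg(c.Args, "audit-from-cache", modeArg(*spec.AuditFromCache))
	}
	if spec.AuditChunkSize != nil {
		c.Args = SetArg(c.Args, "audit-chunk-size", strconv.FormatUint(*spec.AuditChunkSize, 10))
	}
	if spec.LogLevel != nil {
		c.Args = SetArg(c.Args, "log-level", *spec.LogLevel)
	}
	if spec.EmitAuditEvents != nil {
		c.Args = SetArg(c.Args, "emit-audit-events", modeArg(*spec.EmitAuditEvents))
	}
	return spec.Replicas
}

// ApplyFailurePolicy sets spec.webhook.failurePolicy on every webhook entry,
// letting through only the two values the API server accepts. Ignore means
// requests are admitted unchecked whenever the webhook is unreachable.
func ApplyFailurePolicy(hooks []Webhook, policy string) error {
	if policy != "Fail" && policy != "Ignore" {
		return fmt.Errorf("failurePolicy must be Fail or Ignore, got %q", policy)
	}
	for i := range hooks {
		hooks[i].FailurePolicy = policy
	}
	return nil
}

func main() {
	// Constructed stand-in for the upstream audit Deployment's manager container.
	audit := &Container{Name: "manager", Args: []string{"--operation=audit", "--audit-interval=60", "--logtostderr"}}
	interval, limit, cache := uint64(120), uint64(50), Mode("Enabled")
	ApplyAudit(audit, AuditSpec{AuditInterval: &interval, ConstraintViolationLimit: &limit, AuditFromCache: &cache})
	ApplyAudit(audit, AuditSpec{AuditInterval: &interval}) // second reconcile: no duplicate flags
	fmt.Println(strings.Join(audit.Args, " "))

	hooks := []Webhook{{Name: "validation.gatekeeper.sh", FailurePolicy: "Ignore"}}
	if err := ApplyFailurePolicy(hooks, "Fail"); err != nil {
		fmt.Println(err)
	}
	fmt.Printf("%s failurePolicy=%s\n", hooks[0].Name, hooks[0].FailurePolicy)
}
```

failurePolicy deserves a deliberate choice rather than a pass-through default: with Ignore, the connection-refused failures in the BATS E2E issue above would not have surfaced as errors at all, the objects would simply have been admitted without policy evaluation.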

Add support for installing Gatekeeper on OpenShift

The main differences to get Gatekeeper installed on OCP are around the Security Context Constraints and the seccomp profile annotations. See https://github.com/open-policy-agent/gatekeeper#running-on-openshift-4x for reference as well as https://github.com/redhat-cop/rego-policies/blob/b14ce1f9ec08e5eede257f0ecc5525a58cbb3a48/_test/deploy-gatekeeper.sh#L24-L58 for an older example.

Additionally, we would want to have a framework for supporting installing Gatekeeper on any Kubernetes distribution, OCP being one of them.

Add make recipe to undeploy the operator

Add the ability to undeploy the operator by adding a phony make target for undeploy so that a make undeploy will delete the operator manifests. That is, the recipe should perform the opposite of make deploy.

gatekeeper operator failed to deploy gatekeeper on OLM with error

2020-12-17T14:04:04.046Z	ERROR	controller	Reconciler error	{"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "", "error": "Unable to deploy Gatekeeper resources: Error attempting to get resource /gatekeeper-webhook-server-cert: an empty namespace may not be set when a resource name is provided", "errorVerbose": "an empty namespace may not be set when a resource name is provided\nError attempting to get resource /gatekeeper-webhook-server-cert\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).updateOrCreateResource\n\t/workspace/controllers/gatekeeper_controller.go:258\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).deployGatekeeperResources\n\t/workspace/controllers/gatekeeper_controller.go:195\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).Reconcile\n\t/workspace/controllers/gatekeeper_controller.go:156\nsigs.k8s.io/controlle...
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90

missing permission to update scc on openshift

I get the following error when the gatekeeper operator tries to install gatekeeper on OpenShift with OLM:

2020-11-20T14:07:25.370Z	ERROR	controller	Reconciler error	{"reconcilerGroup": "operator.gatekeeper.sh", "reconcilerKind": "Gatekeeper", "controller": "gatekeeper", "name": "gatekeeper", "namespace": "gatekeeper-system", "error": "Unable to deploy Gatekeeper resources: Error attempting to create resource gatekeeper-system/gatekeeper-manager-role: roles.rbac.authorization.k8s.io \"gatekeeper-manager-role\" is forbidden: user \"system:serviceaccount:gatekeeper-system:default\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:gatekeeper-system\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"security.openshift.io\"], Resources:[\"securitycontextconstraints\"], ResourceNames:[\"anyuid\"], Verbs:[\"use\"]}", "errorVerbose": "roles.rbac.authorization.k8s.io \"gatekeeper-manager-role\" is forbidden: user \"system:serviceaccount:gatekeeper-system:default\" (groups=[\"system:serviceaccounts\" \"system:serviceaccounts:gatekeeper-system\" \"system:authenticated\"]) is attempting to grant RBAC permissions not currently held:\n{APIGroups:[\"security.openshift.io\"], Resources:[\"securitycontextconstraints\"], ResourceNames:[\"anyuid\"], Verbs:[\"use\"]}\nError attempting to create resource 
gatekeeper-system/gatekeeper-manager-role\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).updateOrCreateResource\n\t/workspace/controllers/gatekeeper_controller.go:280\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).deployGatekeeperResources\n\t/workspace/controllers/gatekeeper_controller.go:218\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).Reconcile\n\t/workspace/controllers/gatekeeper_controller.go:179\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:244\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1374\nUnable to deploy Gatekeeper 
resources\ngithub.com/gatekeeper/gatekeeper-operator/controllers.(*GatekeeperReconciler).Reconcile\n\t/workspace/controllers/gatekeeper_controller.go:181\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:244\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1374"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/workspace/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
	/workspace/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90
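Both this error and the blockOwnerDeletion rejection in the owner-reference issue above are the API server checking the operator's own permissions before letting it act on behalf of others. The following added example, not code from the gatekeeper-operator project, re-implements those two checks over a standard-library model of RBAC PolicyRules: the OwnerReferencesPermissionEnforcement admission plugin requires update on the owner's finalizers subresource before it accepts blockOwnerDeletion, and RBAC escalation prevention refuses to create a Role granting anything the creator does not already hold. The held rules are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a stdlib-only stand-in for rbacv1.PolicyRule.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string // "gatekeepers", "gatekeepers/finalizers", "*/finalizers" or "*"
	ResourceNames []string // empty means any name
	Verbs         []string
}

// Attributes is one request being authorized; Resource may carry "/subresource".
type Attributes struct {
	Group, Resource, Name, Verb string
}

func matchAny(list []string, want string) bool {
	for _, item := range list {
		if item == "*" || item == want {
			return true
		}
	}
	return false
}

// resourceMatches follows the RBAC authorizer: "*" matches all, exact strings
// match, and "*/sub" matches that subresource on any resource.
func resourceMatches(rule []string, requested string) bool {
	sub := ""
	if i := strings.Index(requested, "/"); i >= 0 {
		sub = requested[i+1:]
	}
	for _, r := range rule {
		if r == "*" || r == requested || (sub != "" && r == "*/"+sub) {
			return true
		}
	}
	return false
}

func allowed(rules []PolicyRule, a Attributes) bool {
	for _, r := range rules {
		if matchAny(r.APIGroups, a.Group) && matchAny(r.Verbs, a.Verb) &&
			resourceMatches(r.Resources, a.Resource) &&
			(len(r.ResourceNames) == 0 || matchAny(r.ResourceNames, a.Name)) {
			return true
		}
	}
	return false
}

// CanSetBlockOwnerDeletion mirrors the OwnerReferencesPermissionEnforcement
// admission plugin: blockOwnerDeletion=true on an ownerReference is accepted
// only if the requester may "update" the owner's finalizers subresource.
func CanSetBlockOwnerDeletion(held []PolicyRule, ownerGroup, ownerResource, ownerName string) bool {
	return allowed(held, Attributes{Group: ownerGroup, Resource: ownerResource + "/finalizers", Name: ownerName, Verb: "update"})
}

// MissingForGrant expands the rules the operator wants to write into a Role and
// returns each permission it does not hold itself. RBAC escalation prevention
// rejects the Role when this is non-empty (the "escalate" verb bypass is not
// modelled). A rule without resourceNames can only be granted by a holder whose
// own rule is also unrestricted, hence the "" name probe.
func MissingForGrant(held, toGrant []PolicyRule) []Attributes {
	var missing []Attributes
	for _, g := range toGrant {
		names := g.ResourceNames
		if len(names) == 0 {
			names = []string{""}
		}
		for _, grp := range g.APIGroups {
			for _, res := range g.Resources {
				for _, name := range names {
					for _, verb := range g.Verbs {
						a := Attributes{Group: grp, Resource: res, Name: name, Verb: verb}
						if !allowed(held, a) {
							missing = append(missing, a)
						}
					}
				}
			}
		}
	}
	return missing
}

func main() {
	// Constructed: what the operator's service account holds before the fix.
	held := []PolicyRule{{APIGroups: []string{"operator.gatekeeper.sh"}, Resources: []string{"gatekeepers"}, Verbs: []string{"*"}}}
	fmt.Println("may set blockOwnerDeletion on Gatekeeper/gatekeeper:",
		CanSetBlockOwnerDeletion(held, "operator.gatekeeper.sh", "gatekeepers", "gatekeeper"))

	// The rule the operator tries to put into gatekeeper-manager-role on OpenShift.
	sccUse := PolicyRule{APIGroups: []string{"security.openshift.io"}, Resources: []string{"securitycontextconstraints"},
		ResourceNames: []string{"anyuid"}, Verbs: []string{"use"}}
	for _, m := range MissingForGrant(held, []PolicyRule{sccUse}) {
		fmt.Printf("cannot grant %s on %s/%s %q: add it to the operator's ClusterRole first\n", m.Verb, m.Group, m.Resource, m.Name)
	}
}
```

The output names the rule to add to the operator's ClusterRole in each case: gatekeepers/finalizers with verb update, and use on securitycontextconstraints named anyuid. Granting use on an SCC to the operator is itself a privilege decision, since anyuid lets the pods it creates run as any UID, so keep resourceNames scoped to exactly the SCCs Gatekeeper needs rather than granting use on all of them.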

Support namespace selection for gatekeeper webhook

Currently the Gatekeeper webhook can ignore namespaces by adding an annotation to each namespace. However, this may not be feasible for some users. This issue is to add a feature to the operator API that allows a user to request namespaces for which gatekeeper should be enabled/disabled by having the operator automatically update the validatingwebhookconfiguration namespaceSelector field.
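One way to implement that feature, as an added example that is not part of the operator: build the namespaceSelector from an enabled or a disabled list while keeping the admission.gatekeeper.sh/ignore opt-out the upstream webhook already carries, and evaluate it the way the API server would. The LabelSelector types are standard-library stand-ins for metav1.LabelSelector; relying on the kubernetes.io/metadata.name label assumes a cluster that sets it (Kubernetes 1.21 and later).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LabelSelectorRequirement and LabelSelector mirror metav1.LabelSelector
// (matchExpressions only) so the example stays standard-library only.
type LabelSelectorRequirement struct {
	Key      string   `json:"key"`
	Operator string   `json:"operator"` // In, NotIn, Exists, DoesNotExist
	Values   []string `json:"values,omitempty"`
}

type LabelSelector struct {
	MatchExpressions []LabelSelectorRequirement `json:"matchExpressions,omitempty"`
}

const (
	// Per-namespace opt-out label the upstream webhook already excludes.
	ignoreLabel = "admission.gatekeeper.sh/ignore"
	// Label the API server puts on every namespace (assumes Kubernetes 1.21+).
	nameLabel = "kubernetes.io/metadata.name"
)

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// BuildNamespaceSelector derives the webhook namespaceSelector from the
// operator-level request: an enabled list becomes In, a disabled list NotIn,
// never both. The two requirements this code owns (ignoreLabel, nameLabel)
// are regenerated rather than stacked; anything else already in the existing
// selector is kept.
func BuildNamespaceSelector(existing *LabelSelector, enabled, disabled []string) (*LabelSelector, error) {
	if len(enabled) > 0 && len(disabled) > 0 {
		return nil, fmt.Errorf("enabled and disabled namespace lists are mutually exclusive")
	}
	sel := &LabelSelector{}
	if existing != nil {
		for _, req := range existing.MatchExpressions {
			if req.Key != nameLabel && req.Key != ignoreLabel {
				sel.MatchExpressions = append(sel.MatchExpressions, req)
			}
		}
	}
	sel.MatchExpressions = append(sel.MatchExpressions,
		LabelSelectorRequirement{Key: ignoreLabel, Operator: "DoesNotExist"})
	if len(enabled) > 0 {
		sel.MatchExpressions = append(sel.MatchExpressions,
			LabelSelectorRequirement{Key: nameLabel, Operator: "In", Values: enabled})
	} else if len(disabled) > 0 {
		sel.MatchExpressions = append(sel.MatchExpressions,
			LabelSelectorRequirement{Key: nameLabel, Operator: "NotIn", Values: disabled})
	}
	return sel, nil
}

// Matches evaluates the selector against a namespace's labels the way the API
// server does before calling the webhook: NotIn and DoesNotExist also match a
// namespace that lacks the key, In and Exists do not.
func (s *LabelSelector) Matches(labels map[string]string) bool {
	for _, req := range s.MatchExpressions {
		val, present := labels[req.Key]
		switch req.Operator {
		case "Exists":
			if !present {
				return false
			}
		case "DoesNotExist":
			if present {
				return false
			}
		case "In":
			if !present || !contains(req.Values, val) {
				return false
			}
		case "NotIn":
			if present && contains(req.Values, val) {
				return false
			}
		}
	}
	return true
}

func main() {
	sel, err := BuildNamespaceSelector(nil, nil, []string{"kube-system", "gatekeeper-system"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(sel, "", "  ")
	fmt.Println(string(out))
	fmt.Println("payments enforced:", sel.Matches(map[string]string{nameLabel: "payments"}))
	fmt.Println("kube-system enforced:", sel.Matches(map[string]string{nameLabel: "kube-system"}))
}
```

Two things to keep in mind when wiring this into the operator: with a disabled list, the namespace Gatekeeper itself runs in must be in that list or carry the ignore label, or the webhook can block its own pods from restarting; and Gatekeeper guards the ignore label itself (by default its webhook only lets the label be added to namespaces passed via --exempt-namespace), which is why the selector is the more manageable lever for enabling or disabling namespaces in bulk.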

Cannot update webhook configurations

Whenever I try to change the webhook configurations, I get this error:
"level":"error","ts":1614165913.2016525,"logger":"cert-rotation","msg":"secret is not well-formed, cannot update webhook configurations","error":"Cert secret is not well-formed, missing ca.crt"
