Comments (13)
To clarify, do you mean to support kubectl --dry-run for validation, not mutation?
from gatekeeper.
+1 to this
I can repro this:
kubectl apply -f bad.yaml --server-dry-run
Error from server (BadRequest): error when creating "bad.yaml": admission webhook "validation.gatekeeper.sh" does not support dry run
I think we need to implement this:
https://kubernetes.io/docs/reference/using-api/api-concepts/#make-a-dry-run-request
+1
If we update sideEffects: None under webhooks in the validation webhook config per https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#webhook-v1beta1-admissionregistration-k8s-io, then --server-dry-run works as expected.
To prevent updating sideEffects manually, there are two options:
- add sideEffects to kubebuilder, as the webhook builder does not expose this in kubebuilder v0.1.9 (https://github.com/open-policy-agent/gatekeeper/blob/master///vendor/sigs.k8s.io/controller-runtime/pkg/webhook/admission/builder/builder.go#L33-L69). This would mean we have to vendor in the latest v0.1.x to support this. WDYT? @maxsmythe
- deploy the validation webhook config manually instead of having kubebuilder create it. Use the enable-manual-deploy flag.
Does the webhook actually have any side effects? Or can I simply tweak this in our cluster as a workaround?
The lack of support for dry-run is currently the only thing that blocks us from using gatekeeper, as our deployment solution depends on this check.
Currently no side effects. I'm not aware of any plans to add any in the near term.
The most likely candidate for side effects in the future would be enforcementAction supporting actions like sendalert.
@cypherfox does option 2 work for you?
- deploy the validation webhook config manually instead of having kubebuilder create it. Use the enable-manual-deploy flag.
When you deploy the validating webhook config, you can add sideEffects: None under webhooks (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#webhook-v1beta1-admissionregistration-k8s-io), then --server-dry-run works as expected.
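For reference, this is what the manually deployed config from option 2 looks like with the field the thread is about. It is an added example, not a manifest from the Gatekeeper repository: the webhook name validation.gatekeeper.sh, the gatekeeper-system namespace and the v1beta1 API come from the thread; the configuration name, service name, path, rules and the caBundle placeholder are assumptions.

```yaml
# Added example, not from the gatekeeper repository. Values marked ASSUMED are
# not stated in the thread; adjust them to the deployment you actually run.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration   # ASSUMED name
webhooks:
  - name: validation.gatekeeper.sh
    # Without this field the API server cannot know whether calling the
    # webhook has side effects, so it refuses dry-run requests with:
    #   admission webhook "validation.gatekeeper.sh" does not support dry run
    # The validating webhook currently has no side effects, so declare that.
    # If it ever gains some (e.g. an alerting enforcementAction), the webhook
    # must skip them when the AdmissionReview carries dryRun: true and
    # declare sideEffects: NoneOnDryRun instead.
    sideEffects: None
    clientConfig:
      service:
        namespace: gatekeeper-system
        name: gatekeeper-webhook-service   # ASSUMED service name
        path: /v1/admit                    # ASSUMED path
      # Base64-encoded PEM of the CA that signed the webhook serving cert.
      # In the thread it is taken from gatekeeper-webhook-server-secret.
      caBundle: "<CA_BUNDLE_BASE64_PLACEHOLDER>"
    rules:                                  # ASSUMED scope
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
```

The only line that changes dry-run behaviour is sideEffects; everything else is the usual webhook registration.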
Yes, manual webhook deployment is ok as a workaround. I will check this, but am pretty sure. I will just throw the additional spec into our helm chart.
But it would create an additional redundancy, which we would need to track. So, over the mid-term I would prefer a kubebuilder based solution.
I have currently just edited the deployed config by hand, after starting the controller manager. Having this pet is ok for our initial setup phase.
Ah, I just noticed: getting the CA bundle might get a bit fiddly.
Where do I get that from (in an automated manner)?
The secret is stored in the gatekeeper-system namespace:
kubectl get secrets -n gatekeeper-system gatekeeper-webhook-server-secret
Note that how keys are generated and integrated will change when we move to kubebuilder v2.
Thank you, found it (and should have found it myself. /me is a bad elf!)
Unfortunately it will require a manual update each time I restart the operator, because of kubernetes/kubernetes#72944.
This is currently a blocker for me to roll this out in production, as nobody can read secrets in our production cluster (they are all generated/populated automatically).
With the newest release, this should work out-of-the-box.