
Comments (7)

jpreese avatar jpreese commented on August 17, 2024

This sounds reasonable to me. Let myself or @jalseth know if you need any help working on this if you decide to pick it up 👍

from konstraint.

Pierre-Mike avatar Pierre-Mike commented on August 17, 2024

Very good tool, and thanks a lot for it.
I'm having the same issue here with:

```yaml
excludedNamespaces:
  - gatekeeper-system
  - kube-system
  - istio-system
```

It overwrites the whole file. I may be able to solve the problem by using Kustomize, but this feature will help me as well.
I will stay updated.

Update:

For now I'm using Kustomize to overwrite the constraint.yaml:

```yaml
bases:
  - template.yaml
  - constraint.yaml
patches:
  - overwrite-exclude-namespace.yaml
```

jalseth avatar jalseth commented on August 17, 2024

We now (as of a few minutes ago) support generating the OpenAPIV3Schema validation using the @parameter tag in the header comment block, so that is the preferred way forward for that item.

@Pierre-Mike Typically, when people want to exclude the *-system namespaces, they want to apply that for all of their policies, and not just one. In that case, it would be best to use the Config CRD for Gatekeeper (https://github.com/open-policy-agent/gatekeeper/#exempting-namespaces-from-gatekeeper) which will apply globally within the cluster. Does that work for your use case or are you trying to add these exemptions for individual policies?


rawc0der avatar rawc0der commented on August 17, 2024

Hi @jalseth,
Can you please give an example of how to include the schema spec using @parameter annotation?
Currently, in order to generate the validation.openAPIV3Schema field for the constraint templates, I'm using scripting utilities like yq/jq to decorate the final resources (schemas for a policy are extracted from an external source).

Is it possible to allow passing a json string as a @schema annotation and merge the structural schema in the generated resource?

Example ./mypolicy.rego

```rego
# @title mypolicy
#
# @kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
# @parameter apiVersion string
# @parameter kind string
# @parameter metadata object
# @parameter spec object
# @schema '{ \"properties\": {\"apiVersion\": {\"description\": \"...\",\"type\": \"string\"},\"kind\": {\"description\": \"...\",\"type\": \"string\"},\"metadata\": {\"type\": \"object\",\"properties\": {  \"labels\": { \"type\": \"object\" }}},\"spec\": {\"type\": \"object\",\"properties\": \"....\"} }}'
package mypolicy

....
```

Generated ./template_Mypolicy.yaml

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: mypolicy
spec:
  crd:
    spec:
      names:
        kind: Mypolicy
      validation:
        openAPIV3Schema:
          properties:
            apiVersion:
              description: "..."
              type: string
            kind:
              description: "..."
              type: string
            metadata:
              type: object
              properties:
                labels:
                  type: object
            spec:
              type: object
              properties:
                ....
  targets:
    - libs: ...
```

Any thoughts?


rawc0der avatar rawc0der commented on August 17, 2024

Actually, I just saw how the function getOpenAPISchemaProperties extracts parameter data types from the comment header.


jalseth avatar jalseth commented on August 17, 2024

@rawc0der the documentation on using the @parameter tag is here https://github.com/plexsystems/konstraint/blob/main/docs/constraint_creation.md#using-input-parameters

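As an added illustration of the mechanism behind rawc0der's question and jalseth's pointer to the @parameter docs, here is a small Python parser (written for this thread, not konstraint's own getOpenAPISchemaProperties) that reads a Rego header block, turns each `# @parameter <name> <type>` line into an openAPIV3Schema property, and rejects unknown or malformed types instead of silently emitting a schema that would let arbitrary parameters through. The tag layout (name followed by a scalar type or `array <type>`), the set of accepted scalar types, and the sample policy are assumptions made for the example; the YAML emitter is hand-rolled so the block runs without PyYAML.

```python
"""Turn konstraint-style `# @parameter <name> <type>` header tags into the
openAPIV3Schema block of a Gatekeeper ConstraintTemplate.

Added example for this thread; it is not konstraint's implementation. The tag
syntax and accepted type names below are assumptions modelled on the docs.
"""
import json
import re

# Scalar types accepted in a @parameter tag (assumed list).
SCALAR_TYPES = {"string", "boolean", "integer", "number", "object"}

# `# @parameter <name> <type words...>`; the type may be several words
# (e.g. "array string"), so capture everything after the name.
PARAM_RE = re.compile(r"^#\s*@parameter\s+(\S+)\s+(.+?)\s*$")

# Constructed sample policy header (not a real policy from the thread).
SAMPLE_REGO = """\
# @title Required labels
#
# @kinds apps/Deployment core/Pod
# @parameter labels array string
# @parameter allowPrivileged boolean
# @parameter minReplicas integer
package requiredlabels

violation[msg] { msg := "placeholder body" }
"""


def schema_for_type(type_spec: str) -> dict:
    """Map a @parameter type spec to an OpenAPI v3 schema fragment.

    Raises ValueError for anything outside the assumed grammar, so a typo in
    the header fails generation rather than producing an empty schema.
    """
    words = type_spec.split()
    if words[0] == "array":
        if len(words) != 2:
            raise ValueError(f"array parameter needs exactly one item type: {type_spec!r}")
        return {"type": "array", "items": schema_for_type(words[1])}
    if len(words) == 1 and words[0] in SCALAR_TYPES:
        return {"type": words[0]}
    raise ValueError(f"unsupported parameter type: {type_spec!r}")


def parse_parameters(rego: str) -> dict:
    """Collect @parameter tags from the comment header, stopping at `package`."""
    props: dict = {}
    for line in rego.splitlines():
        if line.startswith("package"):
            break  # header block is everything above the package clause
        match = PARAM_RE.match(line)
        if not match:
            continue  # other tags (@title, @kinds) or plain comment lines
        name, type_spec = match.groups()
        if name in props:
            raise ValueError(f"duplicate @parameter {name!r}")
        props[name] = schema_for_type(type_spec)
    return props


def openapi_schema(rego: str) -> dict:
    """Build the `validation.openAPIV3Schema` value for a ConstraintTemplate."""
    return {
        "openAPIV3Schema": {
            "type": "object",
            "properties": parse_parameters(rego),
        }
    }


def to_yaml(value, indent: int = 0) -> str:
    """Minimal YAML emitter for nested dicts and lists of scalars."""
    pad = "  " * indent
    if isinstance(value, dict):
        lines = []
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(val, indent + 1))
            else:
                lines.append(f"{pad}{key}: {json.dumps(val)}")
        return "\n".join(lines)
    if isinstance(value, list):
        return "\n".join(f"{pad}- {json.dumps(item)}" for item in value)
    return f"{pad}{json.dumps(value)}"


if __name__ == "__main__":
    print(to_yaml(openapi_schema(SAMPLE_REGO)))
```

Running the block prints the schema for the three sample parameters; the point for a policy author is that the generated schema is only as tight as the header, so a parameter declared as `object` still accepts any shape, which is why rawc0der's @schema idea and the @parameter tags address different levels of strictness.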

jalseth avatar jalseth commented on August 17, 2024

Now that Konstraint supports parameters and @skip-constraint, this issue has been addressed. If you want namespace targeting, exceptions, etc. for your policy to apply globally, you can include them in the Rego. Otherwise, it is expected that the Constraint resources are managed outside of Konstraint's flows.

