-
Notifications
You must be signed in to change notification settings - Fork 67
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support different enforcement levels
- Loading branch information
Mengqi Yu
committed
Apr 2, 2021
1 parent
b191217
commit 48f2802
Showing
18 changed files
with
1,123 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletions
1
examples/validators/gatekeeper-validate/warning-only/.expected/config.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| runCount: 2 |
14 changes: 14 additions & 0 deletions
14
examples/validators/gatekeeper-validate/warning-only/.expected/results.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| items: | ||
| - message: |- | ||
| The following banned keys are being used in the config map: {"private_key"} | ||
| violatedConstraint: no-secrets-in-configmap | ||
| severity: warning | ||
| resourceRef: | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: super-secret | ||
| namespace: default | ||
| file: | ||
| path: resources.yaml | ||
| index: 2 |
1 change: 1 addition & 0 deletions
1
examples/validators/gatekeeper-validate/warning-only/.krmignore
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| .expected |
67 changes: 67 additions & 0 deletions
67
examples/validators/gatekeeper-validate/warning-only/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # gatekeeper-validate: warning only | ||
|
|
||
| ## Overview | ||
|
|
||
| This example is very similar to the invalid configmap example. The major | ||
| difference is that the violations are warnings instead of errors. | ||
|
|
||
| In the constraint, we use `enforcementAction: warn` instead of | ||
| `enforcementAction: deny`. | ||
|
|
||
| ## Function invocation | ||
|
|
||
| Get the package: | ||
|
|
||
| ```shell | ||
| $ kpt pkg get https://github.com/GoogleContainerTools/kpt-functions-catalog.git/examples/validators/gatekeeper-validate/warnning-only . | ||
| ``` | ||
|
|
||
| Create a directory for storing the structured output. | ||
|
|
||
| ```shell | ||
| $ cd warnning-only | ||
| $ mkdir results | ||
| ``` | ||
|
|
||
| Run the function: | ||
|
|
||
| ```shell | ||
| $ kpt fn run --results-dir=results . | ||
| ``` | ||
|
|
||
| ## Expected result | ||
|
|
||
| You won't any failure. But if you look at the structured output, you can find a | ||
| warning about the constraint violation. | ||
|
|
||
| ```shell | ||
| $ cat results/results-0.yaml | ||
| items: | ||
| - message: |- | ||
| The following banned keys are being used in the config map: {"private_key"} | ||
| violatedConstraint: no-secrets-in-configmap | ||
| severity: warning | ||
| resourceRef: | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: super-secret | ||
| namespace: default | ||
| file: | ||
| path: resources.yaml | ||
| index: 2 | ||
| ``` | ||
|
|
||
| You can find: | ||
| - a detailed error message | ||
| - what resource violates the constraints | ||
| - what constraint does it violate | ||
| - where does the resource live and its index in the file | ||
|
|
||
| To pass validation, let's replace the key `private_key` in the ConfigMap in | ||
| `resources.yaml` with something else e.g. `public_key`. | ||
| Rerun the command. It will no longer have the warning. | ||
|
|
||
| ## Function Reference | ||
|
|
||
| TODO: add the link |
9 changes: 9 additions & 0 deletions
9
examples/validators/gatekeeper-validate/warning-only/fn-config.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: my-func-config | ||
| annotations: | ||
| config.k8s.io/function: | | ||
| container: | ||
| image: gcr.io/kpt-fn/gatekeeper-validate:unstable | ||
| config.kubernetes.io/local-config: 'true' |
52 changes: 52 additions & 0 deletions
52
examples/validators/gatekeeper-validate/warning-only/resources.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| apiVersion: templates.gatekeeper.sh/v1beta1 | ||
| kind: ConstraintTemplate | ||
| metadata: | ||
| name: k8sbannedconfigmapkeysv1 | ||
| spec: | ||
| crd: | ||
| spec: | ||
| names: | ||
| kind: K8sBannedConfigMapKeysV1 | ||
| validation: | ||
| openAPIV3Schema: | ||
| properties: | ||
| keys: | ||
| type: array | ||
| items: | ||
| type: string | ||
| targets: | ||
| - rego: |- | ||
| package ban_keys | ||
| violation[{"msg": sprintf("%v", [val])}] { | ||
| keys = {key | input.review.object.data[key]} | ||
| banned = {key | input.parameters.keys[_] = key} | ||
| overlap = keys & banned | ||
| count(overlap) > 0 | ||
| val := sprintf("The following banned keys are being used in the config map: %v", [overlap]) | ||
| } | ||
| target: admission.k8s.gatekeeper.sh | ||
| --- | ||
| apiVersion: constraints.gatekeeper.sh/v1beta1 | ||
| kind: K8sBannedConfigMapKeysV1 | ||
| metadata: | ||
| name: no-secrets-in-configmap | ||
| spec: | ||
| enforcementAction: warn | ||
| match: | ||
| kinds: | ||
| - apiGroups: | ||
| - '' | ||
| kinds: | ||
| - ConfigMap | ||
| parameters: | ||
| keys: | ||
| - private_key | ||
| --- | ||
| apiVersion: v1 | ||
| kind: ConfigMap | ||
| metadata: | ||
| name: super-secret | ||
| namespace: default | ||
| data: | ||
| private_key: sensitive data goes here |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.