GoogleContainerTools · mengqiy · Apr 6, 2021 · Dec 16, 2019 · Feb 6, 2020 · Apr 8, 2020
diff --git a/examples/validators/gatekeeper-validate/invalid-configmap/README.md b/examples/validators/gatekeeper-validate/invalid-configmap/README.md
@@ -6,7 +6,7 @@ This example demonstrates how to validate config maps using a constraint.
 
 There are 3 resources: a ConstraintTemplate, a K8sBannedConfigMapKeysV1 and a
 ConfigMap.
-The constraint disallows `private_key` to be used as a key in the config map.
+The constraint disallows using `private_key` as a key in the ConfigMap.
 
 ## Function invocation
 

diff --git a/examples/validators/gatekeeper-validate/invalid-configmap/resources.yaml b/examples/validators/gatekeeper-validate/invalid-configmap/resources.yaml
@@ -32,6 +32,7 @@ kind: K8sBannedConfigMapKeysV1
 metadata:
   name: no-secrets-in-configmap
 spec:
+  enforcementAction: deny
   match:
     kinds:
       - apiGroups:

diff --git a/examples/validators/gatekeeper-validate/warning-only/.expected/config.yaml b/examples/validators/gatekeeper-validate/warning-only/.expected/config.yaml
@@ -0,0 +1 @@
+runCount: 2
diff --git a/examples/validators/gatekeeper-validate/warning-only/.expected/results.yaml b/examples/validators/gatekeeper-validate/warning-only/.expected/results.yaml
@@ -0,0 +1,14 @@
+items:
+- message: |-
+    The following banned keys are being used in the config map: {"private_key"}
+    violatedConstraint: no-secrets-in-configmap
+  severity: warning
+  resourceRef:
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: super-secret
+      namespace: default
+  file:
+    path: resources.yaml
+    index: 2
diff --git a/examples/validators/gatekeeper-validate/warning-only/.krmignore b/examples/validators/gatekeeper-validate/warning-only/.krmignore
@@ -0,0 +1 @@
+.expected
diff --git a/examples/validators/gatekeeper-validate/warning-only/README.md b/examples/validators/gatekeeper-validate/warning-only/README.md
@@ -0,0 +1,67 @@
+# gatekeeper-validate: warning only
+
+## Overview
+
+This example is very similar to the invalid configmap example. The major
+difference is that the violations are warnings instead of errors.
+
+In the constraint, we use `enforcementAction: warn` instead of
+`enforcementAction: deny`.
+
+## Function invocation
+
+Get the package:
+
+```shell
+$ kpt pkg get https://github.com/GoogleContainerTools/kpt-functions-catalog.git/examples/validators/gatekeeper-validate/warnning-only .
+```
+
+Create a directory for storing the structured output.
+
+```shell
+$ cd warnning-only
+$ mkdir results
+```
+
+Run the function:
+
+```shell
+$ kpt fn run --results-dir=results .
+```
+
+## Expected result
+
+You won't any failure. But if you look at the structured output, you can find a
+warning about the constraint violation.
+
+```shell
+$ cat results/results-0.yaml 
+items:
+- message: |-
+    The following banned keys are being used in the config map: {"private_key"}
+    violatedConstraint: no-secrets-in-configmap
+  severity: warning
+  resourceRef:
+    apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: super-secret
+      namespace: default
+  file:
+    path: resources.yaml
+    index: 2
+```
+
+You can find:
+- a detailed error message
+- what resource violates the constraints
+- what constraint does it violate
+- where does the resource live and its index in the file
+
+To pass validation, let's replace the key `private_key` in the ConfigMap in
+`resources.yaml` with something else e.g. `public_key`.
+Rerun the command. It will no longer have the warning.
+
+## Function Reference
+
+TODO: add the link
diff --git a/examples/validators/gatekeeper-validate/warning-only/fn-config.yaml b/examples/validators/gatekeeper-validate/warning-only/fn-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-func-config
+  annotations:
+    config.k8s.io/function: |
+      container:
+        image: gcr.io/kpt-fn/gatekeeper-validate:unstable
+    config.kubernetes.io/local-config: 'true'
diff --git a/examples/validators/gatekeeper-validate/warning-only/resources.yaml b/examples/validators/gatekeeper-validate/warning-only/resources.yaml
@@ -0,0 +1,52 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sbannedconfigmapkeysv1
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBannedConfigMapKeysV1
+        validation:
+          openAPIV3Schema:
+            properties:
+              keys:
+                type: array
+                items:
+                  type: string
+  targets:
+  - rego: |-
+      package ban_keys
+
+      violation[{"msg": sprintf("%v", [val])}] {
+        keys = {key | input.review.object.data[key]}
+        banned = {key | input.parameters.keys[_] = key}
+        overlap = keys & banned
+        count(overlap) > 0
+        val := sprintf("The following banned keys are being used in the config map: %v", [overlap])
+      }
+    target: admission.k8s.gatekeeper.sh
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sBannedConfigMapKeysV1
+metadata:
+  name: no-secrets-in-configmap
+spec:
+  enforcementAction: warn
+  match:
+    kinds:
+    - apiGroups:
+      - ''
+      kinds:
+      - ConfigMap
+  parameters:
+    keys:
+    - private_key
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: super-secret
+  namespace: default
+data:
+  private_key: sensitive data goes here
diff --git a/functions/go/gatekeeper-validate/README.md b/functions/go/gatekeeper-validate/README.md
@@ -15,7 +15,7 @@ Validate the KRM resources using the policy controller.
 You can use the policy controller to validate KRM resources. To learn more about
 the policy controller, see: https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller.
 
-The function ensures the constraint policies are enforced on KRM resources.
+The function evaluates constraint policies against KRM resources.
 The function takes 3 types of resources from the input resource list:
 
 - constraint templates
@@ -34,8 +34,10 @@ https://cloud.google.com/anthos-config-management/docs/how-to/creating-constrain
 
 ### Examples
 
+<!-- TODO: update the following link to web page -->
+
 <!--mdtogo:Examples-->
 
-TODO: link to the examples
+https://github.com/GoogleContainerTools/kpt-functions-catalog/tree/master/examples/validators/gatekeeper-validate/
 
 <!--mdtogo-->
diff --git a/functions/go/gatekeeper-validate/go.mod b/functions/go/gatekeeper-validate/go.mod
@@ -3,9 +3,9 @@ module github.com/GoogleContainerTools/kpt-functions-catalog/functions/go/gateke
 go 1.15
 
 require (
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20210317225149-4f80ac172ddf
-	github.com/open-policy-agent/gatekeeper v3.0.4-beta.2+incompatible
-	k8s.io/apimachinery v0.17.2
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20201020161305-2e11d4556af8
+	github.com/open-policy-agent/gatekeeper v0.0.0-20210128025445-201a78d6096e // This is v3.3.0. It has a semver major version of 2 or higher and is not a Go module yet.
+	k8s.io/apimachinery v0.18.6
 	sigs.k8s.io/kustomize/kyaml v0.10.13
 	sigs.k8s.io/yaml v1.2.0
 )