Comments

Makefile

@@ -341,7 +341,7 @@ generate: __conversion-gen __controller-gen
 	$(CONTROLLER_GEN) object:headerFile=./hack/boilerplate.go.txt paths="./apis/..." paths="./pkg/..."
 	$(CONVERSION_GEN) \
 		--output-base=/gatekeeper \
-		--input-dirs=./apis/mutations/v1,./apis/mutations/v1beta1,./apis/mutations/v1alpha1,./apis/expansion/v1alpha1,./apis/syncset/v1alpha1 \
+		--input-dirs=./apis/mutations/v1,./apis/mutations/v1beta1,./apis/mutations/v1alpha1,./apis/expansion/v1alpha1,./apis/syncset/v1alpha1,./apis/gvkmanifest/v1alpha1 \
 		--go-header-file=./hack/boilerplate.go.txt \
 		--output-file-base=zz_generated.conversion
 

apis/addtoscheme_gvkmanifest.go

@@ -0,0 +1,10 @@
+package apis
+
+import (
+	"github.com/open-policy-agent/gatekeeper/v3/apis/gvkmanifest/v1alpha1"
+)
+
+func init() {
+	// Register the types with the Scheme so the components can map objects to GroupVersionKinds and back
+	AddToSchemes = append(AddToSchemes, v1alpha1.AddToScheme)
+}

apis/gvkmanifest/v1alpha1/groupversion_info.go

@@ -0,0 +1,20 @@
+// Package v1alpha1 contains API Schema definitions for the GVKManifest v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=gvkmanifest.gatekeeper.sh
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "gvkmanifest.gatekeeper.sh", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

apis/gvkmanifest/v1alpha1/gvkmanifest_types.go

@@ -0,0 +1,43 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type GVKManifestSpec struct {
+	Groups []Group `json:"groups,omitempty"`
+}
+
+type Group struct {
+	Name     string    `json:"name,omitempty"`
+	Versions []Version `json:"versions,omitempty"`
+}
+
+type Version struct {
+	Name  string   `json:"name,omitempty"`
+	Kinds []string `json:"kinds,omitempty"`
+}
+
+// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:object:root=true
+
+// GVKManifest is the Schema for the GVKManifest API.
+type GVKManifest struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec GVKManifestSpec `json:"spec,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// GVKManifestList contains a list of GVKManifests.
+type GVKManifestList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []GVKManifest `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&GVKManifest{}, &GVKManifestList{})
+}

cmd/gator/sync/sync.go

@@ -3,19 +3,19 @@ package sync
 import (
 	"fmt"
 
-	syncverify "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync/verify"
+	synctest "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/sync/test"
 	"github.com/spf13/cobra"
 )
 
 var commands = []*cobra.Command{
-	syncverify.Cmd,
+	synctest.Cmd,
 }
 
 var Cmd = &cobra.Command{
 	Use:   "sync",
 	Short: "Manage SyncSets and Config",
 	Run: func(cmd *cobra.Command, args []string) {
-		fmt.Println("Usage: gator sync verify")
+		fmt.Println("Usage: gator sync test")
 	},
 }
 

cmd/gator/sync/verify/verify.go → cmd/gator/sync/test/test.go

@@ -1,4 +1,4 @@
-package verify
+package test
 
 import (
 	"fmt"
@@ -7,32 +7,33 @@ import (
 
 	cmdutils "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/util"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
-	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/sync/verify"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/sync/test"
 	"github.com/spf13/cobra"
 )
 
 var Cmd = &cobra.Command{
-	Use:   "verify",
-	Short: "Verify that the provided SyncSet(s) and/or Config contain the GVKs required by the input templates.",
+	Use:   "test",
+	Short: "Test that the provided SyncSet(s) and/or Config contain the GVKs required by the input templates.",
 	Run:   run,
 }
 
 var (
-	flagFilenames     []string
-	flagImages        []string
-	flagSupportedGVKs verify.SupportedGVKs
+	flagFilenames       []string
+	flagImages          []string
+	flagOmitGVKManifest bool
 )
 
 const (
-	flagNameFilename      = "filename"
-	flagNameImage         = "image"
-	flagNameSupportedGVKs = "supported-gvks"
+	flagNameFilename = "filename"
+	flagNameImage    = "image"
+	flagNameForce    = "omit-gvk-manifest"
 )
 
 func init() {
 	Cmd.Flags().StringArrayVarP(&flagFilenames, flagNameFilename, "f", []string{}, "a file or directory containing Kubernetes resources.  Can be specified multiple times.")
 	Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
-	Cmd.Flags().VarP(&flagSupportedGVKs, flagNameSupportedGVKs, "s", "a json string listing the GVKs supported by the cluster as a nested array of groups, containing supported versions, each of which contains supported kinds. See https://open-policy-agent.github.io/gatekeeper/website/docs/gator#the-gator-sync-verify-subcommand for an example.")
+	Cmd.Flags().BoolVarP(&flagOmitGVKManifest, flagNameForce, "o", false, "Do not require a GVK manifest; if one is not provided, assume all GVKs listed in the requirements "+
+		"and configs are supported by the cluster under test. If this assumption isn't true, templates may not be enforced correctly even after passing this test.")
 }
 
 func run(cmd *cobra.Command, args []string) {
@@ -44,9 +45,9 @@ func run(cmd *cobra.Command, args []string) {
 		cmdutils.ErrFatalf("no input data identified")
 	}
 
-	missingRequirements, templateErrors, err := verify.Verify(unstrucs, flagSupportedGVKs)
+	missingRequirements, templateErrors, err := test.Test(unstrucs, flagOmitGVKManifest)
 	if err != nil {
-		cmdutils.ErrFatalf("verifying: %v", err)
+		cmdutils.ErrFatalf("checking: %v", err)
 	}
 
 	if len(missingRequirements) > 0 {
@@ -57,7 +58,6 @@ func run(cmd *cobra.Command, args []string) {
 		cmdutils.ErrFatalf("encountered errors parsing the following templates: \n%v", resultsToString(templateErrors))
 	}
 
-	fmt.Println("all template requirements met")
 	os.Exit(0)
 }
 

pkg/gator/errors.go

@@ -15,12 +15,17 @@ var (
 	// ErrNotASyncSet indicates the user-indicated file does not contain a
 	// SyncSet.
 	ErrNotASyncSet = errors.New("not a SyncSet")
+	// ErrNotASyncSet indicates the user-indicated file does not contain a
+	// SyncSet.
+	ErrNotAGVKManifest = errors.New("not a GVKManifest")
 	// ErrAddingTemplate indicates a problem instantiating a Suite's ConstraintTemplate.
 	ErrAddingTemplate = errors.New("adding template")
 	// ErrAddingConstraint indicates a problem instantiating a Suite's Constraint.
 	ErrAddingConstraint = errors.New("adding constraint")
 	// ErrAddingSyncSet indicates a problem instantiating a Suite's SyncSet.
 	ErrAddingSyncSet = errors.New("adding syncset")
+	// ErrAddingGVKManifest indicates a problem instantiating a Suite's GVKManifest.
+	ErrAddingGVKManifest = errors.New("adding gvkmanifest")
 	// ErrAddingConfig indicates a problem instantiating a Suite's Config.
 	ErrAddingConfig = errors.New("adding config")
 	// ErrInvalidSuite indicates a Suite does not define the required fields.

pkg/gator/fixtures/fixtures.go

@@ -661,7 +661,6 @@ apiVersion: syncset.gatekeeper.sh/v1alpha1
 kind: SyncSet
 metadata:
   name: syncset
-  namespace: "gatekeeper-system"
 spec:
   gvks:
     - group: "networking.k8s.io"
@@ -676,7 +675,6 @@ apiVersion: config.gatekeeper.sh/v1alpha1
 kind: Config
 metadata:
   name: config
-  namespace: "gatekeeper-system"
 spec:
   sync:
     syncOnly:
@@ -686,5 +684,17 @@ spec:
       - group: "apps"
         version: "v1"
         kind: "Deployment"
+`
+	GVKManifest = `
+apiVersion: gvkmanifest.gatekeeper.sh/v1alpha1
+kind: GVKManifest
+metadata:
+  name: gvkmanifest
+spec:
+  groups:
+  - name: ""
+    versions:
+    - name: "v1"
+      kinds: ["Service"]
 `
 )