feat: Upgrade constraint framework to add new K8s Native Validation d…

…river schema (#2951) Signed-off-by: Max Smythe <smythe@google.com>
open-policy-agent · Aug 16, 2023 · 66d84f3 · 66d84f3
1 parent 5b652ec
commit 66d84f3
Show file tree

Hide file tree

Showing 10 changed files with 555 additions and 91 deletions.
diff --git a/demo/k8s-validating-admission-policy/README.md b/demo/k8s-validating-admission-policy/README.md
@@ -3,4 +3,8 @@ This is a demo of a prototype-stage feature and is subject to change.
 The demo will not work unless the --experimental-enable-k8s-native-validation is
 set.
 
+Note that the contents of the constraint template have changed since cutting
+Gatekeeper's v3.13.0 release. To try this with the development build of
+Gatekeeper, use a [dev image](https://open-policy-agent.github.io/gatekeeper/website/docs/install/#deploying-a-release-using-development-image).
+
 <img width= "900" height="500" src="demo.gif" alt="cel demo">
diff --git a/demo/k8s-validating-admission-policy/k8srequiredlabels_template.yaml b/demo/k8s-validating-admission-policy/k8srequiredlabels_template.yaml
@@ -28,14 +28,8 @@ spec:
       code:
         - engine: K8sNativeValidation
           source:
-           apiVersion: admissionregistration.k8s.io/v1alpha1
-           kind: ValidatingAdmissionPolicy
-           spec:
-             paramKind:
-               apiVersion: "foobar/v1"
-               kind: "Placeholder"
-             validations:
-             - expression: "params.spec.parameters.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels)"
-               messageExpression: '"missing required label, requires all of: " + params.spec.parameters.labels.map(entry, entry.key).join(", ")'
-             - expression: "!params.spec.parameters.labels.exists(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && !string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex)))"
-               message: "regex mismatch"
+            validations:
+            - expression: "variables.params.labels.all(entry, has(object.metadata.labels) && entry.key in object.metadata.labels)"
+              messageExpression: '"missing required label, requires all of: " + variables.params.labels.map(entry, entry.key).join(", ")'
+            - expression: "!variables.params.labels.exists(entry, has(object.metadata.labels) && entry.key in object.metadata.labels && !string(object.metadata.labels[entry.key]).matches(string(entry.allowedRegex)))"
+              message: "regex mismatch"
diff --git a/go.mod b/go.mod
@@ -20,7 +20,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/onsi/gomega v1.27.7
 	github.com/open-policy-agent/cert-controller v0.8.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230804003541-02006142f081
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
 	github.com/spf13/cobra v1.7.0

diff --git a/go.sum b/go.sum
@@ -964,8 +964,8 @@ github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
 github.com/onsi/gomega v1.27.7/go.mod h1:1p8OOlwo2iUUDsHnOrjE5UKYJ+e3W8eQ3qSlRahPmr4=
 github.com/open-policy-agent/cert-controller v0.8.0 h1:pao3WCLsKGz5dSWSlNUFrNFQdXtVTQ3lVDgk2IelH34=
 github.com/open-policy-agent/cert-controller v0.8.0/go.mod h1:alotCQRwX4M6VEwEgO53FB6nGLSlvah6L0pWxSRslIk=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230804003541-02006142f081 h1:FiiDlhLZsP0H4gRIoUjkz+vxZZ0kvoIJHrvtaETIMaE=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20230804003541-02006142f081/go.mod h1:54/KzLMvA5ndBVpm7B1OjLeV0cUtTLTz2bZ2OtydLpU=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae h1:NdSZfqm8lAJG4o8iiQltzsU8Ime2KzfvWY/HtLOddc4=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20230812003220-e24af74adbae/go.mod h1:54/KzLMvA5ndBVpm7B1OjLeV0cUtTLTz2bZ2OtydLpU=
 github.com/open-policy-agent/opa v0.54.0 h1:mGEsK+R5ZTMV8fzzbNzmYDGbTmY30wmRCIHmtm2VqWs=
 github.com/open-policy-agent/opa v0.54.0/go.mod h1:d8I8jWygKGi4+T4H07qrbeCdH1ITLsEfT0M+bsvxWw0=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=

diff --git a/...or/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/driver.go b/...or/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/driver.go
diff --git a/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/new.go b/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/new.go