Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: check for CT generateVap intent before generating vapbinding #3479

Merged
merged 15 commits into from
Aug 9, 2024
Merged

chore: check for CT generateVap intent before generating vapbinding #3479

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
adef05d
checking for possibility of VAP existing in cluster before generating…
JaydipGabani Aug 8, 2024
62ac785
fixing unit tests
JaydipGabani Aug 8, 2024
d4148f5
fixing tests
JaydipGabani Aug 8, 2024
6868702
adding rego in test
JaydipGabani Aug 8, 2024
b0f26cb
adding rego engine in tests
JaydipGabani Aug 8, 2024
70478ee
adding test for rego only engine
JaydipGabani Aug 8, 2024
af0988f
updating warning when template will not generate VAP
JaydipGabani Aug 8, 2024
34eb883
updating logs and test names
JaydipGabani Aug 8, 2024
ebb02b5
updating logs and test names
JaydipGabani Aug 8, 2024
2327de8
fixing test name
JaydipGabani Aug 8, 2024
589312a
fixing test name
JaydipGabani Aug 8, 2024
59cebbf
adding warning in CT when VAP API is not available
JaydipGabani Aug 9, 2024
a1ab00b
adding warning for CT when VAP API is not enabled and generation is on
JaydipGabani Aug 9, 2024
24dd83d
logging errors and reporting the same on CT and C, when generation in…
JaydipGabani Aug 9, 2024
d064c85
Merge branch 'master' into generatevap-check
sozercan Aug 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 21 additions & 15 deletions pkg/controller/constraint/constraint_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,12 +64,16 @@ import (
)

var (
log = logf.Log.V(logging.DebugLevel).WithName("controller").WithValues(logging.Process, "constraint_controller")
discoveryErr *apiutil.ErrResourceDiscoveryFailed
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", false, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.")
DefaultGenerateVAP = flag.Bool("default-create-vap-for-templates", false, "Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly.")
log = logf.Log.V(logging.DebugLevel).WithName("controller").WithValues(logging.Process, "constraint_controller")
discoveryErr *apiutil.ErrResourceDiscoveryFailed
DefaultGenerateVAPB = flag.Bool("default-create-vap-binding-for-constraints", false, "Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.")
DefaultGenerateVAP = flag.Bool("default-create-vap-for-templates", false, "Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly.")
)

var (
ErrValidatingAdmissionPolicyAPIDisabled = errors.New("ValidatingAdmissionPolicy API is not enabled")
ErrVAPConditionsNotSatisfied = errors.New("Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
)
var vapMux sync.RWMutex

var VapAPIEnabled *bool
Expand Down Expand Up @@ -306,13 +310,14 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not report error for validation of enforcement action")
}
return reconcile.Result{}, err
}
generateVAPB, VAPEnforcementActions, err := shouldGenerateVAPB(*DefaultGenerateVAPB, enforcementAction, instance)
if err != nil {
log.Error(err, "could not determine if VAPBinding should be generated")
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: err.Error()})
log.Error(err, "could not get enforcement actions for VAP")
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not report error for getting enforcement actions for VAP")
log.Error(err2, "could not report error when determining if VAPBinding should be generated")
}
return reconcile.Result{}, err
}
Expand All @@ -323,12 +328,12 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
}
if generateVAPB {
if !isAPIEnabled {
r.log.V(1).Info("Warning: ValidatingAdmissionPolicy API is not enabled, cannot create ValidatingAdmissionPolicyBinding")
generateVAPB = false
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: "Warning: ValidatingAdmissionPolicy API is not enabled, cannot create ValidatingAdmissionPolicyBinding"})
log.Error(ErrValidatingAdmissionPolicyAPIDisabled, "Cannot generate ValidatingAdmissionPolicyBinding", "constraint", instance.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: fmt.Sprintf("%s, cannot generate ValidatingAdmissionPolicyBinding", ErrValidatingAdmissionPolicyAPIDisabled.Error())})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when VAP API is not enabled")
log.Error(err2, "could not update constraint status error when ValidatingAdmissionPolicy API is not enabled")
}
generateVAPB = false
} else {
unversionedCT := &templates.ConstraintTemplate{}
if err := r.scheme.Convert(ct, unversionedCT, nil); err != nil {
Expand All @@ -340,19 +345,20 @@ func (r *ReconcileConstraint) Reconcile(ctx context.Context, request reconcile.R
}
hasVAP, err := ShouldGenerateVAP(unversionedCT)
if err != nil {
log.Error(err, "could not determine if ConstraintTemplate is configured to generate ValidatingAdmissionPolicy", "constraint", instance.GetName(), "constraint_template", ct.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: err.Error()})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when determining if CT should generate VAP")
log.Error(err2, "could not update constraint status error when determining if ConstraintTemplate is configured to generate ValidatingAdmissionPolicy")
}
generateVAPB = false
}
if !hasVAP {
r.log.V(1).Info("Warning: Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
generateVAPB = false
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: "Warning: Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding"})
log.Error(ErrVAPConditionsNotSatisfied, "Cannot generate ValidatingAdmissionPolicyBinding", "constraint", instance.GetName(), "constraint_template", ct.GetName())
status.Status.Errors = append(status.Status.Errors, constraintstatusv1beta1.Error{Message: fmt.Sprintf("%s, cannot generate ValidatingAdmissionPolicyBinding", ErrVAPConditionsNotSatisfied.Error())})
if err2 := r.writer.Update(ctx, status); err2 != nil {
log.Error(err2, "could not update constraint status error when conditions are not satisfied to generate VAP")
log.Error(err2, "could not update constraint status error when conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding")
}
generateVAPB = false
}
}
}
Expand Down
36 changes: 9 additions & 27 deletions pkg/controller/constrainttemplate/constrainttemplate_controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -476,28 +476,24 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
logger.Error(err, "error adding template to watch registry")
return reconcile.Result{}, err
}
isVAPapiEnabled := false
isVapAPIEnabled := false
var groupVersion *schema.GroupVersion
if generateVap {
isVAPapiEnabled, groupVersion = constraint.IsVapAPIEnabled()
isVapAPIEnabled, groupVersion = constraint.IsVapAPIEnabled()
}
logger.Info("isVAPapiEnabled", "isVAPapiEnabled", isVAPapiEnabled)
logger.Info("isVapAPIEnabled", "isVapAPIEnabled", isVapAPIEnabled)
logger.Info("groupVersion", "groupVersion", groupVersion)
if generateVap && (!isVAPapiEnabled || groupVersion == nil) {
logger.V(1).Info("Warning: ValidatingAdmissionPolicy API is not enabled, ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", "name", ct.GetName())
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: "ValidatingAdmissionPolicy API is not enabled, ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate"}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Warning: ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", status, errors.New("ValidatingAdmissionPolicy API is not enabled"))
if generateVap && (!isVapAPIEnabled || groupVersion == nil) {
logger.Error(constraint.ErrValidatingAdmissionPolicyAPIDisabled, "ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", "name", ct.GetName())
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "ValidatingAdmissionPolicy resource cannot be generated for ConstraintTemplate", status, constraint.ErrValidatingAdmissionPolicyAPIDisabled)
return reconcile.Result{}, err
Copy link
Member

@ritazh ritazh Aug 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should be consistent everywhere in terms of logs and status reporting for these. if api is not enabled and other conditions for generateVap are not met, should they be considered errors or warnings? constraint and CT status reporting currently only has errors. @maxsmythe @sozercan thoughts? depending on this decision, please make all logs and status reporting consistent

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's an error -- the user has signaled intent to trigger the generation pipeline but the pipeline is not generating.

If users don't care about the generation pipeline, they can interpret the severity of the error however they'd like.

If users would like to remove the error, they can change the expressed intent.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm. then lets log error and report error as part of CT and Constraint status.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm, I am updating the PR.

}
// generating vap resources
if generateVap && isVAPapiEnabled && groupVersion != nil {
if generateVap && isVapAPIEnabled && groupVersion != nil {
currentVap, err := vapForVersion(groupVersion)
if err != nil {
logger.Error(err, "error getting vap object with respective groupVersion")
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when you omit this, you are overriding existing status errors. please restore.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are not preserving statues errors here anyways - https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/controller/constrainttemplate/constrainttemplate_controller.go#L404, this code I am removing isn't doing anything.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is the code that we have wihtout appending to Status.Errors - https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/controller/constrainttemplate/constrainttemplate_controller.go#L471 - before calling reportErrorOnCTStatus.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. ok then this has no impact on existing behavior.

err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with runtime group version", status, err)
return reconcile.Result{}, err
}
vapName := fmt.Sprintf("gatekeeper-%s", unversionedCT.GetName())
Expand All @@ -512,17 +508,13 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
transformedVap, err := transform.TemplateToPolicyDefinition(unversionedCT)
if err != nil {
logger.Error(err, "transform to vap error", "vapName", vapName)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not transform to vap object", status, err)
return reconcile.Result{}, err
}

newVap, err := getRunTimeVAP(groupVersion, transformedVap, currentVap)
if err != nil {
logger.Error(err, "getRunTimeVAP error", "vapName", vapName)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get runtime vap object", status, err)
return reconcile.Result{}, err
}
Expand All @@ -535,8 +527,6 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
logger.Info("creating vap", "vapName", vapName)
if err := r.Create(ctx, newVap); err != nil {
logger.Info("creating vap error", "vapName", vapName, "error", err)
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not create vap object", status, err)
return reconcile.Result{}, err
}
Expand All @@ -547,21 +537,17 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
} else if !reflect.DeepEqual(currentVap, newVap) {
logger.Info("updating vap")
if err := r.Update(ctx, newVap); err != nil {
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not update vap object", status, err)
return reconcile.Result{}, err
}
}
}
// do not generate vap resources
// remove if exists
if !generateVap && isVAPapiEnabled && groupVersion != nil {
if !generateVap && isVapAPIEnabled && groupVersion != nil {
currentVap, err := vapForVersion(groupVersion)
if err != nil {
logger.Error(err, "error getting vap object with respective groupVersion")
createErr := &v1beta1.CreateCRDError{Code: ErrCreateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, createErr)
err := r.reportErrorOnCTStatus(ctx, ErrCreateCode, "Could not get VAP with correct group version", status, err)
return reconcile.Result{}, err
}
Expand All @@ -576,8 +562,6 @@ func (r *ReconcileConstraintTemplate) handleUpdate(
if currentVap != nil {
logger.Info("deleting vap")
if err := r.Delete(ctx, currentVap); err != nil {
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not delete vap object", status, err)
return reconcile.Result{}, err
}
Expand Down Expand Up @@ -714,8 +698,6 @@ func (r *ReconcileConstraintTemplate) triggerConstraintEvents(ctx context.Contex
cstrObjs, err := r.listObjects(ctx, gvk)
if err != nil {
logger.Error(err, "get all constraints listObjects")
updateErr := &v1beta1.CreateCRDError{Code: ErrUpdateCode, Message: err.Error()}
status.Status.Errors = append(status.Status.Errors, updateErr)
err := r.reportErrorOnCTStatus(ctx, ErrUpdateCode, "Could not list all constraint objects", status, err)
return err
}
Expand Down
Loading