feat: add gatekeeper feature flags to change enforcementAction and to…

… enable or disable default policies
sighupio · Jan 17, 2024 · 93efc39 · 93efc39
1 parent f9347d0
commit 93efc39
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 2 deletions.
diff --git a/defaults/onpremises-kfd-v1alpha2.yaml b/defaults/onpremises-kfd-v1alpha2.yaml
@@ -202,7 +202,7 @@ data:
       gatekeeper:
         # this configuration adds namespaces to the excluded list, actually whitelisting them
         additionalExcludedNamespaces: []
-        enforcementActions: deny
+        enforcementAction: deny
         installDefaultPolicies: true
       kyverno:
         # this configuration adds namespaces to the excluded list, actually whitelisting them

diff --git a/kfd.yaml b/kfd.yaml
@@ -2,7 +2,7 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-version: v1.27.1
+version: v1.27.2
 modules:
   auth: v0.1.0
   aws: v4.1.0

diff --git a/schemas/public/onpremises-kfd-v1alpha2.json b/schemas/public/onpremises-kfd-v1alpha2.json
@@ -1269,6 +1269,13 @@
             "type": "string"
           }
         },
+        "enforcementAction": {
+          "type": "string",
+          "enum": ["deny", "dryrun", "warn"]
+        },
+        "installDefaultPolicies": {
+          "type": "boolean"
+        },
         "overrides": {
           "$ref": "#/$defs/Types.FuryModuleComponentOverrides"
         }

diff --git a/templates/distribution/manifests/opa/kustomization.yaml.tpl b/templates/distribution/manifests/opa/kustomization.yaml.tpl
@@ -10,7 +10,9 @@ resources:
 {{- if eq .spec.distribution.modules.policy.type "gatekeeper" }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/gatekeeper/core" }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/gatekeeper/gpm" }}
+{{- if .spec.distribution.modules.policy.gatekeeper.installDefaultPolicies }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/gatekeeper/rules" }}
+{{- end }}
   - {{ print "../" .spec.distribution.common.relativeVendorPath "/modules/opa/katalog/gatekeeper/monitoring" }}
 {{- if ne .spec.distribution.modules.ingress.nginx.type "none" }}
   - resources/ingress-infra.yml
@@ -40,6 +42,40 @@ patches:
       kind: ClusterPolicy
 {{- end }}
 
+{{- if .spec.distribution.modules.policy.gatekeeper.installDefaultPolicies }}
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/enforcementAction
+        value: {{ .spec.distribution.modules.policy.gatekeeper.enforcementAction }}
+    target:
+      kind: K8sLivenessProbe
+  - patch: |-
+      - op: replace
+        path: /spec/enforcementAction
+        value: {{ .spec.distribution.modules.policy.gatekeeper.enforcementAction }}
+    target:
+      kind: K8sReadinessProbe
+  - patch: |-
+      - op: replace
+        path: /spec/enforcementAction
+        value: {{ .spec.distribution.modules.policy.gatekeeper.enforcementAction }}
+    target:
+      kind: SecurityControls
+  - patch: |-
+      - op: replace
+        path: /spec/enforcementAction
+        value: {{ .spec.distribution.modules.policy.gatekeeper.enforcementAction }}
+    target:
+      kind: K8sUniqueIngressHost
+  - patch: |-
+      - op: replace
+        path: /spec/enforcementAction
+        value: {{ .spec.distribution.modules.policy.gatekeeper.enforcementAction }}
+    target:
+      kind: K8sUniqueServiceSelector
+{{- end }}
+
 {{ if .spec.distribution.modules.policy.gatekeeper.additionalExcludedNamespaces }}
 patchesJson6902:
   - target: