Add new field gatekeeperEnforcementAction to override enforcementAction #167
Conversation
789719a to 2f82d58
2f82d58 to 974f3ac
docs/policygenerator-reference.yaml
Outdated
| # Optional. gatekeeperEnforcementAction("deny" | "warn" | "dryrun") will override gatekeeper.constraint.spec.enforcementAction | ||
| # This only applies to gatekeeper constraint | ||
| # The default is "deny" |
| # Optional. gatekeeperEnforcementAction("deny" | "warn" | "dryrun") will override gatekeeper.constraint.spec.enforcementAction | |
| # This only applies to gatekeeper constraint | |
| # The default is "deny" | |
| # Optional. Overrides the spec.enforcementAction field of a Gatekeeper constraint. This only applies to Gatekeeper constraints and is ignored by other manifests. If not set, the spec.enforcementAction field is not changed. |
internal/utils.go
Outdated
|
|
||
| policyTemplateUnstructured.SetAnnotations(annotations) | ||
|
|
||
| err := setGatekeeperEnforcementAction(policyTemplate, |
It might be cleaner to directly work with the manifest rather than after it is a policy template. You could do this right at the start of the `for _, manifest := range manifestGroup {` loop.
internal/plugin_test.go
Outdated
| Name: "policy-gatekeeper", | ||
| Manifests: []types.Manifest{ | ||
| { | ||
| Path: path.Join(tmpDir, "gatekeeper.yaml"), |
Could you reuse gatekeeperPath here and also in other places?
Good!
internal/plugin_test.go
Outdated
| policyDefaultEA: "", | ||
| expectedEA: ` | ||
| spec: | ||
| enforcementAction: deny |
It'd be cleaner if you just provided deny here and the test code can do the work of checking for spec and enforcementAction being in the generated string.
Oh, great!
53d65bb to 1215ea5
internal/utils.go
Outdated
|
|
||
| // setGatekeeperEnforcementAction function override gatekeeper.constraint.enforcementAction | ||
| func setGatekeeperEnforcementAction(manifest map[string]interface{}, enforcementAction string) error { | ||
| apiVersion, found, err := unstructured.NestedString(manifest, "apiVersion") |
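Review bot: The doc comment on `setGatekeeperEnforcementAction` ("function override gatekeeper.constraint.enforcementAction") does not read as a sentence and does not describe the field that is actually written; Go convention is a comment that starts with the function name, e.g. `// setGatekeeperEnforcementAction overrides spec.enforcementAction on a Gatekeeper constraint manifest and leaves other manifests untouched.`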
Could you return right away if enforcementAction == ""?
internal/utils.go
Outdated
| apiVersion, found, err := unstructured.NestedString(manifest, "apiVersion") | ||
| if err != nil { | ||
| return fmt.Errorf("getting apiVersion has an error %w", err) | ||
| } | ||
|
|
||
| if found && strings.HasPrefix(apiVersion, "constraints.gatekeeper.sh") && enforcementAction != "" { | ||
| err := unstructured.SetNestedField(manifest, enforcementAction, "spec", "enforcementAction") | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| return nil |
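Review bot: `strings.HasPrefix(apiVersion, "constraints.gatekeeper.sh")` tests a prefix of the whole apiVersion string rather than the API group, so it would also accept an unrelated group that merely starts with those characters; comparing the group exactly, i.e. the part before the `/` (`strings.SplitN(apiVersion, "/", 2)[0] == "constraints.gatekeeper.sh"`), states the intent directly. The wrapped message `"getting apiVersion has an error %w"` would also read better as `"failed to get apiVersion: %w"`.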
| apiVersion, found, err := unstructured.NestedString(manifest, "apiVersion") | |
| if err != nil { | |
| return fmt.Errorf("getting apiVersion has an error %w", err) | |
| } | |
| if found && strings.HasPrefix(apiVersion, "constraints.gatekeeper.sh") && enforcementAction != "" { | |
| err := unstructured.SetNestedField(manifest, enforcementAction, "spec", "enforcementAction") | |
| if err != nil { | |
| return err | |
| } | |
| } | |
| return nil | |
| if enforcementAction == "" { | |
| return nil | |
| } | |
| apiVersion, _, _ := unstructured.NestedString(manifest, "apiVersion") | |
| if strings.HasPrefix(apiVersion, "constraints.gatekeeper.sh") { | |
| err := unstructured.SetNestedField(manifest, enforcementAction, "spec", "enforcementAction") | |
| if err != nil { | |
| return err | |
| } | |
| } | |
| return nil |
I think it would be safer to have an error check here:

```go
apiVersion, _, err := unstructured.NestedString(manifest, "apiVersion")
if err != nil {
	return err
}
```
@yiraeChristineKim that's fine but I kind of wanted to avoid validating the actual manifest in the Policy Generator and let the policy controllers handle it.
internal/utils.go
Outdated
| err := setGatekeeperEnforcementAction(manifest, | ||
| policyConf.Manifests[i].GatekeeperEnforcementAction) | ||
| if err != nil { | ||
| return nil, err |
Could you provide more context in the return error such as the manifest index and that this error occurred due to setting spec.enforcementAction?
Add a new field of `gatekeeperEnforcementAction`:

- Default value of the field is unset and when unset, don't touch the constraint (existing behavior).
- If set, then directly set `spec.enforcementAction` in the Gatekeeper constraint.
- Should be settable at the policyDefaults, policy, and manifest levels (i.e. like the `ConfigurationPolicyOptions` struct).

Ref: https://issues.redhat.com/browse/ACM-11076

Signed-off-by: yiraeChristineKim <[email protected]>
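As an added example (not the project's code) of the behaviour the description asks for: an unset value leaves the manifest alone, a set value is written only into Gatekeeper constraints, and the three levels collapse to one effective value. It works on plain decoded-YAML maps rather than apimachinery's `unstructured`, and the precedence manifest > policy > policyDefaults is an assumption of this example, not something the page states.

```go
package main

import (
	"fmt"
	"strings"
)

// resolveEnforcementAction picks the most specific non-empty setting; the
// precedence manifest > policy > policyDefaults is this example's assumption.
func resolveEnforcementAction(policyDefaults, policy, manifest string) string {
	for _, v := range []string{manifest, policy, policyDefaults} {
		if v != "" {
			return v
		}
	}
	return ""
}

// setGatekeeperEnforcementAction mirrors the PR on a plain decoded-YAML map
// (no apimachinery dependency): an empty action is a no-op, non-Gatekeeper
// manifests are never modified, and a constraint gets spec.enforcementAction set.
func setGatekeeperEnforcementAction(m map[string]interface{}, action string) error {
	if action == "" {
		return nil
	}
	apiVersion, ok := m["apiVersion"].(string)
	if !ok {
		return fmt.Errorf("apiVersion is %T, expected a string", m["apiVersion"])
	}
	// Compare the API group exactly rather than with a bare prefix match.
	if strings.SplitN(apiVersion, "/", 2)[0] != "constraints.gatekeeper.sh" {
		return nil
	}
	spec, ok := m["spec"].(map[string]interface{})
	if !ok && m["spec"] != nil {
		return fmt.Errorf("spec is %T, expected a mapping", m["spec"])
	}
	if spec == nil {
		spec = map[string]interface{}{}
		m["spec"] = spec
	}
	spec["enforcementAction"] = action
	return nil
}

func main() {
	m := map[string]interface{}{"apiVersion": "constraints.gatekeeper.sh/v1beta1", "kind": "K8sRequiredLabels"}
	err := setGatekeeperEnforcementAction(m, resolveEnforcementAction("deny", "", "warn"))
	fmt.Println(err, m["spec"]) // <nil> map[enforcementAction:warn]
}
```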
1215ea5 to d516264
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mprahl, yiraeChristineKim.