feat(gatekeeper-config): ingress and monitoring policies#1718
Draft
mikolajkucinski wants to merge 9 commits into
Conversation
Add the gatekeeper-config PluginDefinition skeleton:
- chart structure,
- shared Rego libraries in _helpers.tpl
- plugindefinition with per-policy options pattern
- README
- CI workflow entry.
- high-cpu-requests, unmanaged-pods policies as a proof of the pattern

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

- Expose policies.highCpuRequests.maxCpu as a configurable parameter
- Guard canonify_cpu string-parsing branches with is_string(orig)

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

- cover add_support_labels and traversal libs plus the high-cpu-requests and unmanaged-pods policies
- install gator and run the suite on every PR touching gatekeeper-config/** via new workflow

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

- add forbidden-clusterwide-objects, images-from-approved-registries, pci-forbidden-images, pod-required-labels, pod-security-v2
- bump chart and PluginDefinition to 0.2.0

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

- add ingress-annotations (two Constraints sharing one template), ingress-annotations-migration, prometheus-scrape-annotations
- bump chart and PluginDefinition to 0.3.0

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>

…olicies

On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com>
Pull request overview
Adds the next batch of gatekeeper-config migration content by introducing a new Greenhouse gatekeeper-config PluginDefinition plus a Helm chart that ships Gatekeeper ConstraintTemplates/Constraints for ingress- and monitoring-related admission policies, along with a gator-based unit test suite and CI workflow.
Changes:
- Register the new `gatekeeper-config` PluginDefinition in the root `kustomization.yaml` and include its Helm chart in the Helm release workflow matrix.
- Add the `gatekeeper-config` PluginDefinition + Helm chart implementing multiple Gatekeeper policies (ingress annotations, Prometheus scrape annotation validation, plus additional baseline policies).
- Add gator fixtures/suite + a dedicated GitHub Actions workflow to run policy unit tests on PRs.
Reviewed changes
Copilot reviewed 92 out of 92 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| kustomization.yaml | Registers the new gatekeeper-config PluginDefinition as a kustomize-managed resource. |
| .github/workflows/helm-release.yaml | Publishes the new gatekeeper-config Helm chart to GHCR. |
| .github/workflows/gatekeeper-config-tests.yaml | Runs gator policy tests in CI for gatekeeper-config changes. |
| gatekeeper-config/README.md | Documents the gatekeeper-config plugin and local test execution. |
| gatekeeper-config/plugindefinition.yaml | Defines the gatekeeper-config PluginDefinition and policy options. |
| gatekeeper-config/charts/Chart.yaml | Declares the Helm chart metadata for gatekeeper-config. |
| gatekeeper-config/charts/values.yaml | Provides default enablement/enforcementAction values for policies. |
| gatekeeper-config/charts/templates/_helpers.tpl | Adds shared Rego libraries (support labels + ownership traversal). |
| gatekeeper-config/charts/templates/constrainttemplate-high-cpu-requests.yaml | Implements the high CPU requests policy template. |
| gatekeeper-config/charts/templates/constraint-high-cpu-requests.yaml | Installs the high CPU requests constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-unmanaged-pods.yaml | Implements the unmanaged Pods policy template. |
| gatekeeper-config/charts/templates/constraint-unmanaged-pods.yaml | Installs the unmanaged Pods constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-forbidden-clusterwide-objects.yaml | Implements the forbidden clusterwide objects policy template. |
| gatekeeper-config/charts/templates/constraint-forbidden-clusterwide-objects.yaml | Installs the forbidden clusterwide objects constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-images-from-approved-registries.yaml | Implements the approved registries policy template. |
| gatekeeper-config/charts/templates/constraint-images-from-approved-registries.yaml | Installs the approved registries constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-pci-forbidden-images.yaml | Implements the PCI forbidden images policy template. |
| gatekeeper-config/charts/templates/constraint-pci-forbidden-images.yaml | Installs the PCI forbidden images constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-pod-required-labels.yaml | Implements the required pod labels policy template. |
| gatekeeper-config/charts/templates/constraint-pod-required-labels.yaml | Installs the required pod labels constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-pod-security-v2.yaml | Implements the pod security v2 policy template + allowlist logic. |
| gatekeeper-config/charts/templates/constraint-pod-security-v2.yaml | Installs the pod security v2 constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-ingress-annotations.yaml | Implements the ingress annotations policy template (regex-driven). |
| gatekeeper-config/charts/templates/constraint-ingress-annotations-insecure-snippets.yaml | Installs the “insecure snippets” ingress annotations constraint. |
| gatekeeper-config/charts/templates/constraint-ingress-annotations-wrong-prefix.yaml | Installs the “wrong prefix” ingress annotations constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-ingress-annotations-migration.yaml | Implements the ingress annotation prefix migration policy template. |
| gatekeeper-config/charts/templates/constraint-ingress-annotations-migration.yaml | Installs the ingress annotation migration constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-prometheus-scrape-annotations.yaml | Implements the Prometheus scrape/targets annotation validation template. |
| gatekeeper-config/charts/templates/constraint-prometheus-scrape-annotations.yaml | Installs the Prometheus scrape annotations constraint. |
| gatekeeper-config/charts/templates/constrainttemplate-libtest-add-support-labels.yaml | Test-only template for support-label library validation. |
| gatekeeper-config/charts/templates/constraint-libtest-add-support-labels.yaml | Test-only constraint for support-label library validation. |
| gatekeeper-config/charts/templates/constrainttemplate-libtest-traversal.yaml | Test-only template for traversal library validation. |
| gatekeeper-config/charts/templates/constraint-libtest-traversal.yaml | Test-only constraint for traversal library validation. |
| gatekeeper-config/tests/.gitignore | Ignores rendered Helm output for local test runs. |
| gatekeeper-config/tests/run.sh | Renders the chart and runs gator verification locally/CI. |
| gatekeeper-config/tests/suite.yaml | Defines the gator test suite for libraries and policies. |
| gatekeeper-config/tests/values-test.yaml | Supplies Helm values enabling policies for the test suite. |
| gatekeeper-config/tests/fixtures/libtest-add-support-labels/pod-filled.yaml | Fixture for support-label library (label present). |
| gatekeeper-config/tests/fixtures/libtest-add-support-labels/pod-missing.yaml | Fixture for support-label library (label missing). |
| gatekeeper-config/tests/fixtures/libtest-traversal/cronjob.yaml | Fixture for traversal library (CronJob template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/daemonset.yaml | Fixture for traversal library (DaemonSet template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/deployment.yaml | Fixture for traversal library (Deployment template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/job.yaml | Fixture for traversal library (Job template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/replicaset.yaml | Fixture for traversal library (ReplicaSet template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/statefulset.yaml | Fixture for traversal library (StatefulSet template). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod.yaml | Fixture for traversal library (standalone Pod). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-minimal.yaml | Fixture for traversal library (minimal Pod). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-in-daemonset.yaml | Fixture for traversal library (Pod suppressed by DaemonSet owner). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-in-job.yaml | Fixture for traversal library (Pod suppressed by Job owner). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-in-replicaset.yaml | Fixture for traversal library (Pod suppressed by ReplicaSet owner). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-in-statefulset.yaml | Fixture for traversal library (Pod suppressed by StatefulSet owner). |
| gatekeeper-config/tests/fixtures/libtest-traversal/pod-in-unknown-owner.yaml | Fixture for traversal library (unknown owner should not suppress). |
| gatekeeper-config/tests/fixtures/libtest-traversal/job-in-cronjob.yaml | Fixture for traversal library (Job suppressed by CronJob owner). |
| gatekeeper-config/tests/fixtures/libtest-traversal/replicaset-in-deployment.yaml | Fixture for traversal library (ReplicaSet suppressed by Deployment owner). |
| gatekeeper-config/tests/fixtures/high-cpu-requests/pod-failure.yaml | Fixture for high CPU requests (violation case). |
| gatekeeper-config/tests/fixtures/high-cpu-requests/pod-close-violation.yaml | Fixture for high CPU requests (non-violation close to threshold). |
| gatekeeper-config/tests/fixtures/high-cpu-requests/pod-only-one-limit.yaml | Fixture for high CPU requests (partial requests). |
| gatekeeper-config/tests/fixtures/high-cpu-requests/pod-no-limits.yaml | Fixture for high CPU requests (no requests). |
| gatekeeper-config/tests/fixtures/high-cpu-requests/pod-malformed-cpu.yaml | Fixture for high CPU requests (malformed CPU quantity). |
| gatekeeper-config/tests/fixtures/unmanaged-pods/pod-without-owner.yaml | Fixture for unmanaged pods (violation case). |
| gatekeeper-config/tests/fixtures/unmanaged-pods/pod-in-deployment.yaml | Fixture for unmanaged pods (managed pod should pass). |
| gatekeeper-config/tests/fixtures/unmanaged-pods/pv-recycler-pod.yaml | Fixture for unmanaged pods (allowed via name pattern). |
| gatekeeper-config/tests/fixtures/unmanaged-pods/pod-with-prefix-bypass.yaml | Fixture for unmanaged pods (pattern anchoring test). |
| gatekeeper-config/tests/fixtures/forbidden-clusterwide-objects/mwc-allowed.yaml | Fixture for forbidden clusterwide objects (allowed MWC). |
| gatekeeper-config/tests/fixtures/forbidden-clusterwide-objects/mwc-disallowed.yaml | Fixture for forbidden clusterwide objects (disallowed MWC). |
| gatekeeper-config/tests/fixtures/forbidden-clusterwide-objects/vwc-allowed.yaml | Fixture for forbidden clusterwide objects (allowed VWC). |
| gatekeeper-config/tests/fixtures/images-from-approved-registries/pod-approved.yaml | Fixture for approved registries (allowed image). |
| gatekeeper-config/tests/fixtures/images-from-approved-registries/pod-unapproved.yaml | Fixture for approved registries (disallowed image). |
| gatekeeper-config/tests/fixtures/images-from-approved-registries/pod-mixed-containers.yaml | Fixture for approved registries (mixed containers). |
| gatekeeper-config/tests/fixtures/pci-forbidden-images/pod-busybox-flagged.yaml | Fixture for PCI forbidden images (busybox flagged). |
| gatekeeper-config/tests/fixtures/pci-forbidden-images/pod-init-busybox-flagged.yaml | Fixture for PCI forbidden images (initContainer busybox flagged). |
| gatekeeper-config/tests/fixtures/pci-forbidden-images/pod-allowed.yaml | Fixture for PCI forbidden images (allowed case). |
| gatekeeper-config/tests/fixtures/pod-required-labels/pod-with-label.yaml | Fixture for required labels (pod has label). |
| gatekeeper-config/tests/fixtures/pod-required-labels/pod-missing-label.yaml | Fixture for required labels (pod missing label). |
| gatekeeper-config/tests/fixtures/pod-required-labels/deployment-template-missing.yaml | Fixture for required labels (template missing label). |
| gatekeeper-config/tests/fixtures/pod-security-v2/pod-host-network-violation.yaml | Fixture for pod security v2 (hostNetwork violation). |
| gatekeeper-config/tests/fixtures/pod-security-v2/pod-host-network-allowlisted.yaml | Fixture for pod security v2 (hostNetwork allowlisted). |
| gatekeeper-config/tests/fixtures/pod-security-v2/pod-privileged-violation.yaml | Fixture for pod security v2 (privileged violation). |
| gatekeeper-config/tests/fixtures/pod-security-v2/pod-capability-violation.yaml | Fixture for pod security v2 (capability violation). |
| gatekeeper-config/tests/fixtures/pod-security-v2/pod-readonly-machine-id-pass.yaml | Fixture for pod security v2 (readonly hostPath allowed). |
| gatekeeper-config/tests/fixtures/ingress-annotations/ingress-auth-snippet-modern.yaml | Fixture for ingress annotations (modern auth-snippet flagged). |
| gatekeeper-config/tests/fixtures/ingress-annotations/ingress-modsecurity-snippet-legacy.yaml | Fixture for ingress annotations (legacy modsecurity-snippet flagged). |
| gatekeeper-config/tests/fixtures/ingress-annotations/ingress-no-snippet.yaml | Fixture for ingress annotations (no violation). |
| gatekeeper-config/tests/fixtures/ingress-annotations/ingress-legacy-prefix.yaml | Fixture for ingress annotations (legacy prefix flagged). |
| gatekeeper-config/tests/fixtures/ingress-annotations/ingress-modern-prefix.yaml | Fixture for ingress annotations (modern prefix allowed). |
| gatekeeper-config/tests/fixtures/ingress-annotations-migration/ingress-old-only.yaml | Fixture for annotation migration (old only violation). |
| gatekeeper-config/tests/fixtures/ingress-annotations-migration/ingress-new-only.yaml | Fixture for annotation migration (new only violation). |
| gatekeeper-config/tests/fixtures/ingress-annotations-migration/ingress-both-matching.yaml | Fixture for annotation migration (matching values pass). |
| gatekeeper-config/tests/fixtures/ingress-annotations-migration/ingress-both-mismatched.yaml | Fixture for annotation migration (mismatched values violation). |
| gatekeeper-config/tests/fixtures/prometheus-scrape-annotations/pod-scrape-true-no-targets.yaml | Fixture for Prometheus scrape annotations (missing targets violation). |
| gatekeeper-config/tests/fixtures/prometheus-scrape-annotations/pod-scrape-false.yaml | Fixture for Prometheus scrape annotations (scrape=false pass). |
| gatekeeper-config/tests/fixtures/prometheus-scrape-annotations/service-scrape-true-no-targets.yaml | Fixture for Prometheus scrape annotations (Service missing targets violation). |
Comment on lines +33 to +34
| - name: Run gator tests | ||
| run: gatekeeper-config/tests/run.sh | tee /tmp/gator.log |
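Review bot: piping `run.sh` through `tee` in the `Run gator tests` step hides the script's exit status, because without `pipefail` the step's result is the exit code of `tee`, so a failing gator suite still shows a green job. Either declare `shell: bash` on the step (GitHub Actions then invokes bash with `-eo pipefail`) or start the `run` block with `set -o pipefail`, and keep the `tee` to `/tmp/gator.log` if the log is uploaded afterwards.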
Comment on lines +238 to +246
| extract_repository(image) := result if { | ||
| slash_index := indexof(image, "/") | ||
| dot_index := indexof(image, ".") | ||
| colon_index := indexof(image, ":") | ||
| at_index := indexof(image, "@") | ||
|
|
||
| start := start_position(slash_index, dot_index) | ||
| end := end_position(colon_index, at_index, count(image)) | ||
|
|
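Review bot: `colon_index` and `at_index` come from the first `:` and `@` anywhere in `image`, not from the part after `start`. For a registry reference that carries a port (`host:5000/team/app:tag`), the first `:` precedes the `/`, so `end_position` receives an index that lies before the repository and `result` is cut short unless `end_position` already discards indexes below `start`. Compute the `:` and `@` positions on `substring(image, start, -1)` (offsetting them by `start`) and add a gator fixture for a port-bearing registry to the `images-from-approved-registries` suite so the case stays covered.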
Comment on lines +11 to +15
| | Policy | Description | | ||
| |--------|-------------| | ||
| | `highCpuRequests` | Flags workloads that request more than `maxCpu` cores in total across containers and initContainers. | | ||
| | `unmanagedPods` | Flags Pods that have no `ownerReference` (i.e. not managed by a Deployment, DaemonSet, etc.). | | ||
|
|
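Review bot: `ownerReference` in the `unmanagedPods` row should read `ownerReferences`, the actual `metadata` field name, so readers can grep for it. The `highCpuRequests` row should also state how "in total across containers and initContainers" is computed: Kubernetes schedules a Pod against the larger of the sum of container requests and the largest single initContainer request, so a plain sum over both lists over-counts, and the README should say which figure is compared to `maxCpu`.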
Pull Request Details
Add ingress and monitoring policies as the next batch of the `gatekeeper-config` migration.
Differences vs upstream:
- `ingress-annotations`: `wrong-prefix` flagged the newer `nginx.` prefix and only ran on test clusters. `insecure-snippets` matched only the old prefix. Dots in regexes left unescaped. `wrong-prefix` flags the legacy `ingress.kubernetes.io/` prefix on every cluster. `insecure-snippets` catches both old and new prefixes. Dots escaped so the regexes do what they look like.
- `ingress-annotations-migration`: `ingress-annotations`. Inlining both into the same chart would collide.
- `prometheus-scrape-annotations`: `Config` is syncing `monitoring.coreos.com/v1` Prometheus into the OPA cache.
Breaking Changes
None.
Issues Fixed
Other Relevant Information
None.
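The prefix, snippet and migration checks the description above talks about, as an added Python example that is not the PR's Rego (Rego's RE2 syntax escapes `.` the same way); the regex patterns, function names and sample annotations are my assumptions, modelled on the fixture names in the file summary.

```python
import re

# Prefixes named in the PR description: the legacy ingress-nginx annotation
# prefix and the current one.
LEGACY_PREFIX = "ingress.kubernetes.io/"
MODERN_PREFIX = "nginx.ingress.kubernetes.io/"

# Corrected patterns: dots escaped and the key anchored at both ends, so only the
# literal prefixes match. "(nginx\.)?" lets one pattern cover both prefixes.
INSECURE_SNIPPET_RE = re.compile(r"^(nginx\.)?ingress\.kubernetes\.io/[a-z0-9-]*snippet$")
WRONG_PREFIX_RE = re.compile(r"^ingress\.kubernetes\.io/")

# Hypothetical pattern in the shape the PR calls the upstream defect: unescaped
# dots, so each "." also matches any other single character.
UNESCAPED_SNIPPET_RE = re.compile(r"^nginx.ingress.kubernetes.io/[a-z0-9-]*snippet$")

# Constructed sample Ingress annotations (not a fixture from the PR).
SAMPLE_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-snippet": "# constructed value",
    "ingress.kubernetes.io/modsecurity-snippet": "# constructed value",
    "ingress.kubernetes.io/rewrite-target": "/",
    "nginx.ingress.kubernetes.io/rewrite-target": "/",
}


def check_ingress_annotations(annotations):
    """Return sorted (key, constraint) pairs the two ingress-annotations
    constraints would report; a legacy-prefixed snippet trips both."""
    violations = []
    for key in sorted(annotations):
        if INSECURE_SNIPPET_RE.match(key):
            violations.append((key, "insecure-snippets"))
        if WRONG_PREFIX_RE.match(key):
            violations.append((key, "wrong-prefix"))
    return violations


def check_migration(annotations, name):
    """Mirror the ingress-annotations-migration fixtures: pass only when the
    annotation exists under both prefixes with equal values, else say why."""
    old, new = annotations.get(LEGACY_PREFIX + name), annotations.get(MODERN_PREFIX + name)
    if old is None and new is None:
        return None
    if old is None or new is None:
        return "only one prefix present"
    return None if old == new else "values differ"


def unescaped_dot_false_positive(key):
    """True when the unescaped regex matches a key the literal prefix would not."""
    return bool(UNESCAPED_SNIPPET_RE.match(key)) and not key.startswith(MODERN_PREFIX)


if __name__ == "__main__":
    print(check_ingress_annotations(SAMPLE_ANNOTATIONS))
    print(unescaped_dot_false_positive("nginx-ingress-kubernetes-io/auth-snippet"))
```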