Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-13278

Improve search indexing of Gatekeeper constraints

XMLWordPrintable

    • GRC Sprint 2024-16, GRC Sprint 2024-17
    • None

      Value Statement

      Gatekeeper constraints are variable in that the user defines a ConstraintTemplate which causes a CRD to be generated. This means the resource types to index in search are not known ahead of time. The current way that CRDs are discovered by the search collector is via polling. This makes picking up new Gatekeeper constraints slow. Additionally, the fields needed for the "Discovered Policies" UI are not indexed by Search.

      After talking with jpadilla@redhat.com, we agreed that the GRC squad would contribute making the CRD discovery event driven and to automatically index columns listed in the additionalPrinterColumns array in the CRD. The latter is limited to just Gatekeeper constraints for now, but the code is generic and can be enabled for all other resources.

       

      Additionally, these columns must also be collected:

      • severity from the special annotation <- annotations["policy.open-cluster-management.io/severity"]
      • _isExternal like the policy types

      Definition of Done for Engineering Story Owner (Checklist)

      • A new Gatekeeper constraint CRD is recognized by search within 30 seconds.
      • Gatekeeper constraints also have their "spec.enforcementAction" and "status.totalViolations" fields indexed.

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the
        build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      • [ ] Create an informative documentation issue using the Customer

      Portal Doc template that you can access from [The Playbook](

      https://docs.google.com/document/d/1YTqpZRH54Bnn4WJ2nZmjaCoiRtqmrc2w6DdQxe_yLZ8/edit#heading=h.9fvyr2rdriby),

      and ensure doc acceptance criteria is met.

      • Call out this sentence as it's own action:
      • [ ] Link the development issue to the doc issue.

      Support Readiness

      • [ ] The must-gather script has been updated.

              mprahl Matthew Prahl
              mprahl Matthew Prahl
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: