Red Hat Advanced Cluster Management / ACM-4808

Address console issues when using ACM policy Gatekeeper integration

    • ACM-2707 - ACM Gatekeeper Enhancements
    • GRC Sprint 2023-05, GRC Sprint 2023-06

      Value Statement

      In ACM-3322, the backend support was added for native Gatekeeper integration with ACM policies. There are some tweaks that are needed in the console for the integration to work nicely.

      To perform development locally, Gatekeeper should be installed either using the Gatekeeper operator or the upstream Helm chart. Additionally, the following policy can be used, though if you are using the upstream Helm chart, you'll need to change the ConstraintTemplate's `apiVersion` to v1.

      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        name: gk-policy
        namespace: open-cluster-management-global-set
      spec:
        remediationAction: inform
        disabled: false
        policy-templates:
          - objectDefinition:
              apiVersion: templates.gatekeeper.sh/v1beta1
              kind: ConstraintTemplate
              metadata:
                name: k8srequiredlabels
              spec:
                crd:
                  spec:
                    names:
                      kind: K8sRequiredLabels
                    validation:
                      # Schema for the `parameters` field (structural form, so it is
                      # also accepted by the v1 ConstraintTemplate API)
                      openAPIV3Schema:
                        type: object
                        properties:
                          labels:
                            type: array
                            items:
                              type: string
                targets:
                  - target: admission.k8s.gatekeeper.sh
                    rego: |
                      package k8srequiredlabels

                      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
                        provided := {label | input.review.object.metadata.labels[label]}
                        required := {label | label := input.parameters.labels[_]}
                        missing := required - provided
                        count(missing) > 0
                        msg := sprintf("you must provide labels: %v", [missing])
                      }
          - objectDefinition:
              apiVersion: constraints.gatekeeper.sh/v1beta1
              kind: K8sRequiredLabels
              metadata:
                name: ns-must-have-gk
              spec:
                match:
                  kinds:
                    - apiGroups: [""]
                      kinds: ["Namespace"]
                parameters:
                  labels: ["gatekeeper"]
      ---
      apiVersion: cluster.open-cluster-management.io/v1beta1
      kind: Placement
      metadata:
        name: gk-policy-placement
        namespace: open-cluster-management-global-set
      spec: {}
      ---
      apiVersion: policy.open-cluster-management.io/v1
      kind: PlacementBinding
      metadata:
        name: gk-policy-placement
        namespace: open-cluster-management-global-set
      placementRef:
        name: gk-policy-placement
        apiGroup: cluster.open-cluster-management.io
        kind: Placement
      subjects:
        - name: gk-policy
          apiGroup: policy.open-cluster-management.io
          kind: Policy

      Definition of Done for Engineering Story Owner (Checklist)

      • The console's search query when clicking on "View details" in the policy's "Results" tab should not include a namespace in the search query for Gatekeeper constraints and ConstraintTemplates. The console currently creates a ManagedClusterView request with {"apiVersion":"view.open-cluster-management.io/v1beta1","kind":"ManagedClusterView","metadata":{"name":"2553352ec733ab71e2ded9369e78ad3f11047c7d","namespace":"local-cluster","labels":{"viewName":"2553352ec733ab71e2ded9369e78ad3f11047c7d"}},"spec":{"scope":{"name":"ns-must-have-gk","resource":"k8srequiredlabels.v1beta1.constraints.gatekeeper.sh","namespace":"local-cluster"}}}. The namespace should be omitted. The logic can be: if the console detects a policy template whose API group is in the `gatekeeper.sh` domain, the namespace is omitted from the query. Note that the console's service account permissions may need to be adjusted to compensate for this. More research is needed on this.

      • In the create and edit policy wizard, the severity is a required field for all policy templates. This should not apply to Gatekeeper constraints and ConstraintTemplates as there is no severity field in this case.
      • In the create and edit policy wizard, if the policy template is a Gatekeeper constraint or ConstraintTemplate, the "Remediation" section should be removed since it does not apply.
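The three checklist items above share one decision: is this policy template a Gatekeeper object? The following is an added example, not code from stolostron/console or the ACM project, showing that decision applied to the ManagedClusterView scope and to the wizard's severity and remediation fields. The function names, the sample objects and the naive plural derivation are assumptions made for the illustration.

```javascript
// Added example (not stolostron/console or ACM project code): a policy
// template whose API group is in the gatekeeper.sh domain is looked up
// without a namespace and gets no severity/remediation fields in the wizard.
// Function names, sample objects and the plural derivation are assumptions.

const GATEKEEPER_DOMAIN = 'gatekeeper.sh';

// Split "group/version" into its parts; core resources carry a bare "v1".
function parseApiVersion(apiVersion) {
  const parts = apiVersion.split('/');
  return parts.length === 2
    ? { group: parts[0], version: parts[1] }
    : { group: '', version: parts[0] };
}

// True for constraints.gatekeeper.sh (every generated constraint kind) and
// templates.gatekeeper.sh (ConstraintTemplate). Matching on the domain suffix
// means no per-kind list has to be maintained in the console.
function isGatekeeperTemplate(objectDefinition) {
  const { group } = parseApiVersion(objectDefinition.apiVersion);
  return group === GATEKEEPER_DOMAIN || group.endsWith('.' + GATEKEEPER_DOMAIN);
}

// Naive plural for the "<plural>.<version>.<group>" resource string
// (assumption: a real implementation resolves plurals via API discovery).
function pluralOf(kind) {
  const lower = kind.toLowerCase();
  if (lower.endsWith('s')) return lower;
  if (lower.endsWith('y')) return lower.slice(0, -1) + 'ies';
  return lower + 's';
}

// Build the ManagedClusterView spec.scope for one policy template. Gatekeeper
// constraints and ConstraintTemplates are cluster-scoped, so the namespace is
// omitted for them; every other template keeps the namespace used today.
function buildManagedClusterViewScope(objectDefinition, namespace) {
  const { group, version } = parseApiVersion(objectDefinition.apiVersion);
  const plural = pluralOf(objectDefinition.kind);
  const scope = {
    name: objectDefinition.metadata.name,
    resource: group ? `${plural}.${version}.${group}` : `${plural}.${version}`,
  };
  if (!isGatekeeperTemplate(objectDefinition)) {
    scope.namespace = namespace;
  }
  return scope;
}

// Wizard behaviour for one template: severity is required and the
// "Remediation" section is shown only for non-Gatekeeper templates.
function wizardFieldsFor(objectDefinition) {
  const gatekeeper = isGatekeeperTemplate(objectDefinition);
  return { severityRequired: !gatekeeper, showRemediation: !gatekeeper };
}

// Sample inputs, constructed from the gk-policy above plus one ordinary
// ConfigurationPolicy template for contrast.
const sampleConstraint = {
  apiVersion: 'constraints.gatekeeper.sh/v1beta1',
  kind: 'K8sRequiredLabels',
  metadata: { name: 'ns-must-have-gk' },
};
const sampleTemplate = {
  apiVersion: 'templates.gatekeeper.sh/v1beta1',
  kind: 'ConstraintTemplate',
  metadata: { name: 'k8srequiredlabels' },
};
const sampleConfigPolicy = {
  apiVersion: 'policy.open-cluster-management.io/v1',
  kind: 'ConfigurationPolicy',
  metadata: { name: 'example-config-policy' },
};

console.log(JSON.stringify(buildManagedClusterViewScope(sampleConstraint, 'local-cluster')));
console.log(JSON.stringify(buildManagedClusterViewScope(sampleConfigPolicy, 'local-cluster')));
```

Because the Gatekeeper lookup is now cluster-scoped, the console's service account needs read access to those resources at cluster scope rather than within the managed cluster's namespace, which is the permission adjustment the first checklist item flags for further research.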

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [x] Unit/function tests have been automated and incorporated into the build.
      • [x] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [x] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      Support Readiness

      • [x] The must-gather script has been updated.


              mprahl Matthew Prahl
              Derek Ho Derek Ho