Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-4808

Address console issues when using ACM policy Gatekeeper integration

XMLWordPrintable

    • 2
    • False
    • None
    • False
    • ACM-2707 - ACM Gatekeeper Enhancements
    • GRC Sprint 2023-05, GRC Sprint 2023-06
    • No

      Value Statement

      In ACM-3322, the backend support was added for native Gatekeeper integration with ACM policies. There are some tweaks that are needed in the console for the integration to work nicely.

      To perform development locally, Gatekeeper should be installed either using the Gatekeeper operator or the upstream Helm chart. Additionally, the following policy can be used, though if you are using the upstream Helm chart, you'll need to change the ConstraintTemplate's APIVersion to v1.

      apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      metadata:
        name: gk-policy
        namespace: open-cluster-management-global-set
      spec:
        remediationAction: inform
        disabled: false
        policy-templates:
          - objectDefinition:
              apiVersion: templates.gatekeeper.sh/v1beta1
              kind: ConstraintTemplate
              metadata:
                name: k8srequiredlabels
              spec:
                crd:
                  spec:
                    names:
                      kind: K8sRequiredLabels
                    validation:
                      # Schema for the `parameters` field
                      openAPIV3Schema:
                        properties:
                          labels:
                            type: array
                            items: string
                targets:
                  - target: admission.k8s.gatekeeper.sh
                    rego: |
                      package k8srequiredlabels                violation[{"msg": msg, "details": {"missing_labels": missing}}] {
                        provided := {label | input.review.object.metadata.labels[label]}
                        required := {label | label := input.parameters.labels[_]}
                        missing := required - provided
                        count(missing) > 0
                        msg := sprintf("you must provide labels: %v", [missing])
                      }
          - objectDefinition:
              apiVersion: constraints.gatekeeper.sh/v1beta1
              kind: K8sRequiredLabels
              metadata:
                name: ns-must-have-gk
              spec:
                match:
                  kinds:
                    - apiGroups: [""]
                      kinds: ["Namespace"]
                parameters:
                  labels: ["gatekeeper"]
      ---
      apiVersion: cluster.open-cluster-management.io/v1beta1
      kind: Placement
      metadata:
        name: gk-policy-placement
        namespace: open-cluster-management-global-set
      spec: {}
      ---
      apiVersion: policy.open-cluster-management.io/v1
      kind: PlacementBinding
      metadata:
        name: gk-policy-placement
        namespace: open-cluster-management-global-set
      placementRef:
        name: gk-policy-placement
        apiGroup: cluster.open-cluster-management.io
        kind: Placement
      subjects:
        - name: gk-policy
          apiGroup: policy.open-cluster-management.io
          kind: Policy  

      Definition of Done for Engineering Story Owner (Checklist)

      • The console's search query when clicking on "View details" in the policy's "Results" tab should not include a namespace to the search query for Gatekeeper constraints and ConstraintTemplates. The console creates a ManagedClusterView request with ({"apiVersion":"view.open-cluster-management.io/v1beta1","kind":"ManagedClusterView","metadata":{"name":"2553352ec733ab71e2ded9369e78ad3f11047c7d","namespace":"local-cluster","labels":{"viewName":"2553352ec733ab71e2ded9369e78ad3f11047c7d"}},"spec":{"scope": {"name":"ns-must-have-gk","resource":"k8srequiredlabels.v1beta1.constraints.gatekeeper.sh","namespace":"local-cluster"}

        }}). The namespace should be omitted. The logic can be if it detects a policy-template with the `gatekeeper.sh` domain in the API group, the namespace is omitted from the query. Note that the console's service account permissions may need to be adjusted to compensate for this. More research is needed on this.

      • In the create and edit policy wizard, the severity is a required field for all policy templates. This should not apply to Gatekeeper constraints and ConstraintTemplates as there is no severity field in this case.
      • In the create and edit policy wizard, if the policy template is a Gatekeeper constraint or ConstraintTemplate, the "Remediation" section should be removed since it does not apply.

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [x] Unit/function tests have been automated and incorporated into the
        build.
      • [x] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [x] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      Support Readiness

      • [x] The must-gather script has been updated.

       

          There are no Sub-Tasks for this issue.

              mprahl Matthew Prahl
              mprahl Matthew Prahl
              Derek Ho Derek Ho
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: