-
Story
-
Resolution: Done-Errata
-
Major
-
None
-
3
-
False
-
None
-
False
-
ACM-2707 - ACM Gatekeeper Enhancements
-
-
-
3
-
GRC Sprint 2023-17, GRC Sprint 2023-18, GRC Sprint 2023-19, GRC Sprint 2023-20, GRC Sprint 2023-21, GRC Sprint 2023-22, GRC Sprint 2023-23
-
No
Feature Overview
Ref: https://redhat-internal.slack.com/archives/CTDEY6EEA/p1694524800469699
Goals
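As a Gatekeeper user, I want to edit the Gatekeeper ValidatingWebhookConfiguration. Currently it is hard-coded: https://github.com/openshift/gatekeeper-operator/blob/2fa3914258f90ceeba2957222bad3bc0c9a13095/pkg/bindata/bindata.go#L71-L124. The operations listed in the webhook rules decide which admission requests reach Gatekeeper at all, so an operation left out of the rules is admitted without any policy evaluation.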
Requirements
- Discuss with our team and find the best way to approach editing validatingWebhookconfiguration
- Plan
- After discussion and plan, implement
OPA Related Article: https://open-policy-agent.github.io/gatekeeper/website/docs/customize-admission/
Test cases
Gatekeeper CR has spec.webhook.operations = ["CREATE", "UPDATE", "CONNECT", "DELETE"].
ValidatingWebhookConfiguration and MutatingWebhookConfiguration
Rules.Operations should have "CREATE", "UPDATE", "CONNECT", "DELETE". In other words, they are overwritten by "CREATE", "UPDATE", "CONNECT", "DELETE".
e2e tests example
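// Checks that spec.webhook.operations on the Gatekeeper CR overrides
// Rules[0].Operations in both the ValidatingWebhookConfiguration and the
// MutatingWebhookConfiguration: first with an explicit four-operation list,
// then with the "*" wildcard after the CR is updated.
It("Override Webhook operations with Create, Update, Delete, Connect", func() {
	// Expected rule operations for each phase. The assertions compare the
	// exact set instead of only its length: a wrong set of the right size
	// would otherwise pass while leaving an admission operation outside the
	// webhook, i.e. not evaluated by Gatekeeper.
	customOps := []admregv1.OperationType{
		admregv1.Create,
		admregv1.Update,
		admregv1.Connect,
		admregv1.Delete,
	}
	allOps := []admregv1.OperationType{admregv1.OperationAll}

	gatekeeper := &v1alpha1.Gatekeeper{
		ObjectMeta: metav1.ObjectMeta{
			Namespace: gatekeeperNamespace,
			Name:      "gatekeeper",
		},
		Spec: v1alpha1.GatekeeperSpec{
			Webhook: &v1alpha1.WebhookConfig{
				Operations: []v1alpha1.OperationType{
					"CREATE", "UPDATE", "CONNECT", "DELETE",
				},
			},
		},
	}
	Expect(K8sClient.Create(ctx, gatekeeper)).Should(Succeed())

	By("Wait until new Deployments loaded")
	gatekeeperDeployments()

	By("ValidatingWebhookConfiguration Rules should have 4 operations")
	validatingWebhookConfiguration := &admregv1.ValidatingWebhookConfiguration{}
	Eventually(func(g Gomega) {
		err := K8sClient.Get(ctx, validatingWebhookName, validatingWebhookConfiguration)
		g.Expect(err).ShouldNot(HaveOccurred())
		// Guard the index accesses below: a failed g.Expect is retried by
		// Eventually, whereas an index-out-of-range panic is not.
		g.Expect(len(validatingWebhookConfiguration.Webhooks)).Should(BeNumerically(">=", 2))
		for _, webhook := range validatingWebhookConfiguration.Webhooks[:2] {
			g.Expect(webhook.Rules).ShouldNot(BeEmpty())
			g.Expect(webhook.Rules[0].Operations).Should(ConsistOf(customOps))
		}
	}, timeout, pollInterval).Should(Succeed())

	By("MutatingWebhookConfiguration Rules should have 4 operations")
	mutatingWebhookConfiguration := &admregv1.MutatingWebhookConfiguration{}
	Eventually(func(g Gomega) {
		err := K8sClient.Get(ctx, mutatingWebhookName, mutatingWebhookConfiguration)
		g.Expect(err).ShouldNot(HaveOccurred())
		g.Expect(mutatingWebhookConfiguration.Webhooks).ShouldNot(BeEmpty())
		g.Expect(mutatingWebhookConfiguration.Webhooks[0].Rules).ShouldNot(BeEmpty())
		g.Expect(mutatingWebhookConfiguration.Webhooks[0].Rules[0].Operations).Should(ConsistOf(customOps))
	}, timeout, pollInterval).Should(Succeed())

	// Switch the CR to the wildcard and expect both configurations to follow.
	gatekeeper.Spec.Webhook.Operations = []v1alpha1.OperationType{"*"}
	Expect(K8sClient.Update(ctx, gatekeeper)).Should(Succeed())

	By("ValidatingWebhookConfiguration Rules should have 1 operations")
	Eventually(func(g Gomega) {
		err := K8sClient.Get(ctx, validatingWebhookName, validatingWebhookConfiguration)
		g.Expect(err).ShouldNot(HaveOccurred())
		g.Expect(len(validatingWebhookConfiguration.Webhooks)).Should(BeNumerically(">=", 2))
		for _, webhook := range validatingWebhookConfiguration.Webhooks[:2] {
			g.Expect(webhook.Rules).ShouldNot(BeEmpty())
			g.Expect(webhook.Rules[0].Operations).Should(ConsistOf(allOps))
		}
	}, timeout*2, pollInterval).Should(Succeed()) // this first check after the update gets twice the usual timeout

	By("MutatingWebhookConfiguration Rules should have 1 operations")
	Eventually(func(g Gomega) {
		err := K8sClient.Get(ctx, mutatingWebhookName, mutatingWebhookConfiguration)
		g.Expect(err).ShouldNot(HaveOccurred())
		g.Expect(mutatingWebhookConfiguration.Webhooks).ShouldNot(BeEmpty())
		g.Expect(mutatingWebhookConfiguration.Webhooks[0].Rules).ShouldNot(BeEmpty())
		g.Expect(mutatingWebhookConfiguration.Webhooks[0].Rules[0].Operations).Should(ConsistOf(allOps))
	}, timeout, pollInterval).Should(Succeed())
})

// Closes the enclosing Ginkgo container, whose opening lies outside this excerpt.
})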
- relates to
-
ACM-9084 [Doc]Add editable validatingWebhookconfiguration
- Closed
- links to
-
RHEA-2023:125635 Gatekeeper v3.14.0