compliantkubernetes-apps
Upgrade gatekeeper v3.15.1
[!warning] This is a public repository, ensure not to disclose:
- [x] personal data beyond what is necessary for interacting with this pull request, nor
- [x] business confidential information, such as customer names.
What kind of PR is this?
Required: Mark one of the following that is applicable:
- [ ] kind/feature
- [x] kind/improvement
- [ ] kind/deprecation
- [ ] kind/documentation
- [ ] kind/clean-up
- [ ] kind/bug
- [ ] kind/other
Optional: Mark one or more of the following that are applicable:
[!important] Breaking changes should be marked kind/admin-change or kind/dev-change depending on type. Critical security fixes should be marked with kind/security.
- [ ] kind/admin-change
- [ ] kind/dev-change
- [ ] kind/security
- [ ] kind/adr
Release notes
Gatekeeper upgrade to v3.15.1
What does this PR do / why do we need this PR?
Upgrades Gatekeeper from v3.11.0 to v3.15.1.
There are a lot of smaller changes and bug fixes. I have picked out some noteworthy changes that we may be interested in.
- A new validation admission policy (VAP) driver which uses Kubernetes Common Expression Language.
- Upgrades OPA to v0.57.1
- (Alpha) Emits admission violations as Kubernetes Events, disabled by default.
- Add Recommended Helm/K8s labels
- Supports DELETE configs validation
- Fixes #1911
Information to reviewers
Checklist
- [x] Proper commit message prefix on all commits
- Change checks:
- [ ] The change is transparent
- [x] The change is disruptive
- [x] The change requires no migration steps
- [ ] The change requires migration steps
- [x] The change upgrades CRDs
- Metrics checks:
- [ ] The metrics are still exposed and present in Grafana after the change
- [ ] The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
- [ ] The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
- Logs checks:
- [ ] The logs do not show any errors after the change
- Pod Security Policy checks:
- [ ] Any changed pod is covered by Pod Security Admission
- [ ] Any changed pod is covered by Gatekeeper Pod Security Policies
- [x] The change does not cause any pods to be blocked by Pod Security Admission or Policies
- Network Policy checks:
- [ ] Any changed pod is covered by Network Policies
- [x] The change does not cause any dropped packets in the NetworkPolicy Dashboard
- Audit checks:
- [ ] The change does not cause any unnecessary Kubernetes audit events
- [ ] The change requires changes to Kubernetes audit policy
- Falco checks:
- [ ] The change does not cause any alerts to be generated by Falco
- Bug checks:
- [ ] The bug fix is covered by regression tests
- Config checks:
- [ ] The schema was updated
Have you looked anything at the new CRDs that are introduced in this upgrade and if anything there is worth noting :)?
Yes I had a look at them and concluded that they were not really interesting for us.
- From what I understand, ExpansionTemplate is used by Gatekeeper to create dummy resources to validate.
- SyncSet is used by Gatekeeper to cache resources it will validate against.
- AssignImage could be interesting, as it is specific for mutating image strings. But I do not see us being able to use it, as images do not follow the same structure.