gatekeeper
Deploy gatekeeper ConstraintTemplate and Constraint with flux
I'm using the basic example of a gatekeeper policy and I'm trying to deploy it with flux.
My template:
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
```
My constraint:
```yaml
# apiVersion restored from the group/version named in the error message below
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]
```
My kustomization:
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./all-ns-must-have-gatekeeper-label-template.yaml
  - ./all-ns-must-have-gatekeeper-label-constraint.yaml
```
If I deploy only the template and then the constraint, by commenting out kustomization lines, it works.

However, if I leave both template and constraint together, I get this error:

```
policies.all-ns-must-have-gatekeeper-label False K8sRequiredLabels/ns-must-have-gk dry-run failed, error: no matches for kind "K8sRequiredLabels" in version "constraints.gatekeeper.sh/v1beta1"
```

The constraint doesn't deploy because the template is not found, and the template is not deployed either.

How can I specify/force deploying the template first and then the constraint? I tried switching the resource order in the kustomization, but with no success. Deploying the template and constraint manually works. Maybe a `dependsOn` in the constraint spec could fix this problem.

I'm working on AKS 1.21.
Environment:
- Gatekeeper version: chart version gatekeeper-3.8.1 v3.8.1 app version v3.8.1

```
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.15", GitCommit:"8f1e5bf0b9729a899b8df86249b56e2c74aebc55", GitTreeState:"clean", BuildDate:"2022-01-19T17:27:39Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9", GitCommit:"79b7a589d688b7dc8a55306c9c225ed7712df10d", GitTreeState:"clean", BuildDate:"2022-04-21T07:41:38Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}
```
Gatekeeper creates a constraint CustomResourceDefinition (CRD) on the K8s cluster when it notices a ConstraintTemplate. This CRD is needed, otherwise Kubernetes won't know how to recognize the constraint.

It appears that flux is trying to apply the constraint without first waiting for the CRD to be created/initialized. There are ways to know if the constraint CRD is created, by either:
- looking for it to appear (the name of the CRD is derived from the name of the template)
- watching the `status` field of the constraint template for a necessary condition (e.g. `status.created` being set).
I've not worked with Flux, so I'm not sure how/if Flux can be configured to do this. Their project would be better able to advise on that part.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Hello @ericmenard, I have achieved this by using 2 kustomizations with `dependsOn`. Here is a Flux configuration example from an AKS deployment:
```bicep
fluxKustomizations: {
  infra: {
    path: './infrastructure'
    syncIntervalInSeconds: 120
    prune: true
  }
  opaconstraints: {
    path: './opa-constraints'
    syncIntervalInSeconds: 120
    prune: true
    dependsOn: [
      'opatemplates'
    ]
  }
  opatemplates: {
    path: './opa-templates'
    syncIntervalInSeconds: 120
    prune: true
    dependsOn: [
      'infra'
    ]
  }
  apps: {
    path: './apps'
    syncIntervalInSeconds: 120
    prune: false // Not to accidentally delete something that belongs to the user
  }
}
```
Hope this helps
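The same ordering expressed as plain Flux Kustomization resources rather than the AKS extension's config, as an added example that is not from this thread: the templates Kustomization carries a health check on the CRD that Gatekeeper derives from the template name (the "look for it to appear" option described earlier), and the constraints Kustomization depends on it, so the constraint is not applied until the kind is known to the API server. The Kustomization names, paths, the `flux-system` GitRepository and namespace, and the derived CRD name are assumptions.

```yaml
# Added example (not from the issue): Flux Kustomization objects equivalent to the
# AKS fluxKustomizations config above. Names, paths and the source are assumed.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: opa-templates
  namespace: flux-system
spec:
  interval: 2m
  retryInterval: 30s      # re-check quickly while Gatekeeper is still generating the CRD
  path: ./opa-templates
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Only report Ready once the CRD generated from the ConstraintTemplate exists.
  # Assumed name: lowercased constraint kind + ".constraints.gatekeeper.sh".
  healthChecks:
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: k8srequiredlabels.constraints.gatekeeper.sh
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: opa-constraints
  namespace: flux-system
spec:
  interval: 2m
  retryInterval: 30s
  path: ./opa-constraints
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Not reconciled until opa-templates is Ready, i.e. until the CRD above exists,
  # so the "no matches for kind" dry-run failure no longer occurs.
  dependsOn:
    - name: opa-templates
```

If a new ConstraintTemplate is added later, its derived CRD needs its own `healthChecks` entry, otherwise the dependency only guarantees that the template manifests were applied, not that Gatekeeper has finished creating the CRD.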