
Deploy gatekeeper ConstraintTemplate and Constraint with flux

Open ericmenard opened this issue 2 years ago • 2 comments

I'm using the basic Gatekeeper policy examples and I'm trying to deploy them with Flux.

My template:

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            labels:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels

        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }

My constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-gk
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["gatekeeper"]

My kustomization:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./all-ns-must-have-gatekeeper-label-template.yaml
  - ./all-ns-must-have-gatekeeper-label-constraint.yaml

If I deploy only the template and then the constraint, by commenting out lines in the kustomization, it works. However, if I leave both the template and the constraint in together, I get this error:

policies.all-ns-must-have-gatekeeper-label False K8sRequiredLabels/ns-must-have-gk dry-run failed, error: no matches for kind "K8sRequiredLabels" in version "constraints.gatekeeper.sh/v1beta1"

The constraint doesn't deploy because the template is not found, and the template is not deployed either.

How can I specify/force deploying the template first and then the constraint? I tried switching the resource order in the kustomization, but with no success. Deploying the template and the constraint manually works. Maybe a dependsOn in the constraint spec could fix this problem.

I'm working on AKS 1.21.

Environment:

  • Gatekeeper version: chart version gatekeeper-3.8.1 v3.8.1 app version v3.8.1

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.15", GitCommit:"8f1e5bf0b9729a899b8df86249b56e2c74aebc55", GitTreeState:"clean", BuildDate:"2022-01-19T17:27:39Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.9", GitCommit:"79b7a589d688b7dc8a55306c9c225ed7712df10d", GitTreeState:"clean", BuildDate:"2022-04-21T07:41:38Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

ericmenard avatar May 11 '22 18:05 ericmenard

Gatekeeper creates a constraint CustomResourceDefinition (CRD) on the K8s cluster when it notices a ConstraintTemplate. This CRD is needed, otherwise Kubernetes won't know how to recognize the constraint.

It appears that flux is trying to apply the constraint without first waiting for the CRD to be created/initialized. There are ways to know if the constraint CRD is created by either:

  • looking for it to appear (the name of the CRD is derived from the name of the template)
  • watching the status field of the constraint template for a necessary condition (e.g. status.created being set).

I've not worked with Flux, so I'm not sure how/if Flux can be configured to do this. Their project would be better able to advise on that part.

maxsmythe avatar May 17 '22 00:05 maxsmythe

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 24 '22 18:07 stale[bot]


Hello @ericmenard, I have achieved this by using 2 kustomizations with dependsOn. Here is a Flux configuration example from an AKS deployment:

fluxKustomizations: {
  infra: {
    path: './infrastructure'
    syncIntervalInSeconds: 120
    prune: true
  }
  opaconstraints: {
    path: './opa-constraints'
    syncIntervalInSeconds: 120
    prune: true
    dependsOn: [
      'opatemplates'
    ]
  }
  opatemplates: {
    path: './opa-templates'
    syncIntervalInSeconds: 120
    prune: true
    dependsOn: [
      'infra'
    ]
  }
  apps: {
    path: './apps'
    syncIntervalInSeconds: 120
    prune: false // Do not prune, so that nothing belonging to the user is accidentally deleted
  }
}

Hope this helps

oleksandrtroshyn avatar Oct 24 '22 08:10 oleksandrtroshyn
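The same ordering expressed as plain Flux Kustomization objects, combining the dependsOn approach above with maxsmythe's first check (wait for the generated CRD to appear). This is an added example, not code from the issue thread, Gatekeeper or Flux; it assumes the Kustomization v1 API, a GitRepository named flux-system, and the template name k8srequiredlabels from the original post.

```yaml
# Templates first. Gatekeeper turns a ConstraintTemplate named
# k8srequiredlabels into a CRD named k8srequiredlabels.constraints.gatekeeper.sh;
# the health check keeps this Kustomization from reporting Ready until that
# CRD exists and is Established, so a dependent apply cannot race it.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: opa-templates
  namespace: flux-system
spec:
  interval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system          # assumption: the bootstrap GitRepository
  path: ./opa-templates        # directory holding only ConstraintTemplates
  prune: true
  timeout: 3m                  # how long to wait for the health checks
  healthChecks:
    - apiVersion: apiextensions.k8s.io/v1
      kind: CustomResourceDefinition
      name: k8srequiredlabels.constraints.gatekeeper.sh   # cluster-scoped, no namespace
---
# Constraints second. dependsOn blocks reconciliation until opa-templates
# is Ready, so the server-side dry-run of K8sRequiredLabels no longer fails
# with 'no matches for kind "K8sRequiredLabels"'.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: opa-constraints
  namespace: flux-system
spec:
  interval: 2m
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./opa-constraints      # directory holding only Constraint objects
  prune: true
  dependsOn:
    - name: opa-templates
```

If the CRD never becomes Established within the timeout, opa-templates stays not Ready and Flux holds opa-constraints back instead of applying a constraint that the API server cannot validate.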
