gatekeeper
Add support for metadata.gatekeeper.sh/requires-sync-data
Describe the solution you'd like
Write an error in status if the required data specified in metadata.gatekeeper.sh/requiresSyncData is not part of the sync resource.
Background: https://github.com/open-policy-agent/gatekeeper-library/pull/251#discussion_r1017261095
We have a similar issue for the GK version: https://github.com/open-policy-agent/frameworks/issues/240; it would be nice to align checking for these metadata fields.
Are we validating only on constraint creation or is the mere existence of a constraint with this annotation on the cluster enough to require that resource to be synced?
IMO existence... this can be checked by looking at the value of the sync config:
- any time a constraint is created/updated
- any time the sync config is modified
This will probably require adding a watch on the sync config to the constraint reconciler (or vice versa). Because constraints are dynamically typed (e.g. their kinds are not known in advance), this may be difficult to do.
https://github.com/open-policy-agent/gatekeeper-library/issues/264#issuecomment-1353307559
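As an added illustration of the check proposed above (example code, not Gatekeeper's own), a Go function that compares a template's requires-sync-data annotation against the GVKs listed in the sync config and returns the messages a reconciler could write to status. The annotation format assumed here is a JSON array of arrays, where each inner array lists alternative group/version/kind sets of which at least one must be synced; the `GVK` type and `MissingSyncData` name are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// GVK mirrors one Config spec.sync.syncOnly entry (group/version/kind).
type GVK struct{ Group, Version, Kind string }

// requirement is one alternative in the annotation (assumed format).
type requirement struct {
	Groups   []string `json:"groups"`
	Versions []string `json:"versions"`
	Kinds    []string `json:"kinds"`
}

// MissingSyncData parses the annotation and returns one message per outer
// requirement that no synced GVK satisfies; an empty result means the
// template's data needs are covered by the sync config.
func MissingSyncData(annotation string, synced []GVK) ([]string, error) {
	var reqs [][]requirement
	if err := json.Unmarshal([]byte(annotation), &reqs); err != nil {
		return nil, fmt.Errorf("invalid requires-sync-data annotation: %w", err)
	}
	var missing []string
	for _, alternatives := range reqs {
		if !anySatisfied(alternatives, synced) {
			missing = append(missing, fmt.Sprintf("no synced resource satisfies %+v", alternatives))
		}
	}
	return missing, nil
}

// anySatisfied reports whether some synced GVK matches some alternative.
func anySatisfied(alts []requirement, synced []GVK) bool {
	for _, r := range alts {
		for _, g := range synced {
			if has(r.Groups, g.Group) && has(r.Versions, g.Version) && has(r.Kinds, g.Kind) {
				return true
			}
		}
	}
	return false
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}
```

A reconciler would run this whenever the template or the sync config changes, which is why the discussion above asks for a watch in both directions.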
Hi @apeabody, are you by chance working on this? I was thinking of picking it up.
Hi @anlandu - Thanks for reaching out! I'm not currently working on this, but I think it is valuable.
Docs for this should be added as well: https://github.com/open-policy-agent/gatekeeper-library/issues/261
@anlandu @julianKatz @acpana can you please update this issue with what still remains in order to close that issue out? Thank you!
Sure, I can take a stab at answering that:
#3030 adds the sync_controller and readiness support for syncsets
There is still a need to design and implement the error reporting/UX described in the proposal for when a ConstraintTemplate has a GVK not covered by any of the sync sources (SyncSets or Config).
SyncSet integration with metadata.gatekeeper.sh/requires-sync-data blockers:
- status reporting on the constraintTemplate
- generate SyncSet resources (as part of gator), we do not want GK to generate SyncSet due to privilege escalation
Before the integration is in place, this annotation is used as informational and documentation. With Gator sync test support, users can discover the lack of SyncSet resource as part of the test suite.