
Allow wildcards in resource syncing specification

Open skaven81 opened this issue 1 year ago • 14 comments

Describe the solution you'd like

In the Gatekeeper config resource, the syncOnly section requires that resources be fully qualified with a group, version and kind. There are types of resources (Gatekeeper Constraints come to mind) where one or more of these values is not known. It is also often the case that multiple versions of resources (such as the various API versions of Ingress resources) are desired to be synced, without needing to explicitly list each one.

Currently, specifying wildcards results in an error:

  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1
    - group: ""
      kind: Pod
      version: v1
->  - group: constraints.gatekeeper.sh
->    kind: '*'
->    version: '*'

{"level":"error","ts":1696895322.1075552,"msg":"Reconciler error","controller":"config-controller","object":{"name":"config","namespace":"cattle-gatekeeper-system"},"namespace":"cattle-gatekeeper-system","name":"config","reconcileID":"03a42281-bd99-48a7-9e28-c1600d29f750","error":"adding watch for constraints.gatekeeper.sh/*, Kind=* getting informer for kind: constraints.gatekeeper.sh/*, Kind=* no matches for kind \"*\" in version \"constraints.gatekeeper.sh/*\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234"}

Environment:

  • Gatekeeper version: 3.10.0
  • Kubernetes version: (use kubectl version): version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}

skaven81 avatar Oct 09 '23 23:10 skaven81

hey @skaven81 thanks for opening this. It sounds like this is a dupe of https://github.com/open-policy-agent/gatekeeper/issues/1664

acpana avatar Oct 17 '23 23:10 acpana

Sort of... #1664 asks to make the version optional. I'd like to see all the fields made optional (though I would understand if Gatekeeper rejected [group: *, version: *, kind: *] as that would likely be a mistake).

But there are absolutely use-cases where I'd want to sync in all resources of a given API group, or maybe all resources that have the same kind (even if they're in different API groups, such as the different iterations of Ingress a while back).

So I'd say my request is a superset of #1664, not a dupe.

skaven81 avatar Oct 18 '23 00:10 skaven81

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 17 '23 09:12 stale[bot]

Bumping as this is not stale

skaven81 avatar Dec 18 '23 01:12 skaven81

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Feb 16 '24 21:02 stale[bot]

Bumping as not stale

skaven81 avatar Feb 16 '24 22:02 skaven81

@skaven81 does the comment in https://github.com/open-policy-agent/gatekeeper/issues/1664#issuecomment-1524089910 address the pain point you're seeing?

Basically, if there was some way to suss out what resources constraint templates require and sync those (and only those) would that moot the issue?

maxsmythe avatar Feb 22 '24 01:02 maxsmythe

Yes, I think that sums it up ... mostly. The "durability over upgrades" is of course one of the issues. But that only addresses the apiVersion part. The group is also important to have wildcard flexibility (arguably for the same reason). The Ingress resource changed groups mid-stream from extensions.k8s.io to networking.k8s.io, and so when that change happened, I would have needed to update the Config to ensure Ingresses kept syncing. In some cases, at the cluster admin's discretion, it should be possible to tell Gatekeeper to sync all resources that match a given kind, or ALL the kinds in a given group.

I just want that flexibility and to not be tied into an arbitrary model of GVK specifications when ultimately all we're doing with syncOnly is composing a list. And it's frustrating to not have tools like wildcards available for all the fields when building a list like this.

skaven81 avatar Feb 22 '24 02:02 skaven81
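Until Gatekeeper accepts wildcards, the explicit list the issue body and the comment above both complain about can be generated client-side: expand wildcard entries against what the cluster actually serves and emit only fully qualified GVKs, which is the form the config controller accepts. The script below is an added example, not Gatekeeper's own code. Its wildcard semantics (a missing group/version/kind means `*`, fields are shell-style globs, and an all-wildcard entry is refused, as the comment above suggests) are assumptions of the example, and the `SERVED_GVKS` discovery snapshot is constructed; in practice it would be filled from `kubectl api-resources` or the discovery API. The example generalises the issue's two cases (all kinds in a group, one kind across groups and versions) to any combination of the three fields.

```python
"""Client-side expansion of wildcard syncOnly entries into the fully
qualified group/version/kind triples that a Gatekeeper Config accepts.

Added example, not Gatekeeper code. Wildcard semantics (a missing field
means "*", fields are globs, an all-wildcard entry is refused) are
assumptions of this example, modelled on the request in the issue.
"""
from fnmatch import fnmatchcase
import json

# Constructed discovery snapshot standing in for `kubectl api-resources`
# output on some cluster. Kubernetes types are real; the two constraint
# kinds are invented for the example.
SERVED_GVKS = [
    ("", "v1", "Namespace"),
    ("", "v1", "Pod"),
    ("extensions", "v1beta1", "Ingress"),
    ("networking.k8s.io", "v1beta1", "Ingress"),
    ("networking.k8s.io", "v1", "Ingress"),
    ("constraints.gatekeeper.sh", "v1beta1", "K8sRequiredLabels"),
    ("constraints.gatekeeper.sh", "v1beta1", "K8sAllowedRepos"),
    ("templates.gatekeeper.sh", "v1", "ConstraintTemplate"),
]


def expand_sync_only(patterns, served=SERVED_GVKS):
    """Expand each pattern against the served GVKs.

    A pattern is a dict with optional group/version/kind; each field may
    be a shell-style glob ("*" matches anything, "" matches only the core
    group). Returns explicit syncOnly entries in first-match order without
    duplicates. Raises ValueError for an unbounded */*, Kind=* entry or
    for a pattern nothing on the cluster satisfies, so the operator
    notices before Gatekeeper's config controller logs a watch error.
    """
    expanded = []
    seen = set()
    for pattern in patterns:
        group = pattern.get("group", "*")
        version = pattern.get("version", "*")
        kind = pattern.get("kind", "*")
        if group == version == kind == "*":
            raise ValueError("refusing to expand an unbounded entry */*, Kind=*")
        matches = [
            gvk for gvk in served
            if fnmatchcase(gvk[0], group)
            and fnmatchcase(gvk[1], version)
            and fnmatchcase(gvk[2], kind)
        ]
        if not matches:
            raise ValueError(
                f"no served resource matches {group}/{version}, Kind={kind}")
        for gvk in matches:
            if gvk not in seen:
                seen.add(gvk)
                expanded.append(
                    {"group": gvk[0], "version": gvk[1], "kind": gvk[2]})
    return expanded


def render_config(sync_only, namespace="gatekeeper-system"):
    """Wrap explicit entries in a Gatekeeper Config object (Gatekeeper
    requires the Config to be named "config"). Returned as a dict;
    json.dumps output is valid YAML and can be piped to kubectl apply."""
    return {
        "apiVersion": "config.gatekeeper.sh/v1alpha1",
        "kind": "Config",
        "metadata": {"name": "config", "namespace": namespace},
        "spec": {"sync": {"syncOnly": sync_only}},
    }


if __name__ == "__main__":
    # The issue's wish list: every constraint kind, and Ingress in every
    # group/version the cluster serves, next to the explicit core entries.
    wanted = [
        {"group": "", "version": "v1", "kind": "Namespace"},
        {"group": "", "version": "v1", "kind": "Pod"},
        {"group": "constraints.gatekeeper.sh", "version": "*", "kind": "*"},
        {"kind": "Ingress"},
    ]
    print(json.dumps(render_config(expand_sync_only(wanted)), indent=2))
```

Two operational points follow from doing the expansion outside Gatekeeper. First, the expansion is only as current as the discovery snapshot: after an upgrade that removes an API version (for example, a cluster that no longer serves `extensions/v1beta1` Ingress), re-running the script drops that entry, whereas a stale hand-written list triggers the same "no matches for kind" reconciler error shown in the issue. Second, a kind that is missing from syncOnly is not an error at all: policies that read `data.inventory` simply operate on an incomplete cache, so the generated list is worth diffing against the previous one in review before it is applied.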

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Apr 23 '24 01:04 stale[bot]

Not stale

skaven81 avatar Apr 24 '24 22:04 skaven81

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 24 '24 03:06 stale[bot]

Not stale

wrdls avatar Jun 24 '24 15:06 wrdls

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 24 '24 03:08 stale[bot]

not stale

JaydipGabani avatar Aug 27 '24 17:08 JaydipGabani