
feat: add support for emit k8s events for allowed requests

Open · DorB-P opened this issue 2 months ago · 1 comment

What this PR does / why we need it:

- [x] Emit K8s events in gatekeeper namespace (or involved namespace if corresponding flag is on).
- [x] Update helm flag name of emitAdmissionEvents to emitDenyAdmissionEvents
- [x] Update e2e to get events with the AllowedAdmission reason
- [x] Update deployment yaml and chart default emit-allow-admission-events and emit-deny-admission-events to false
- [x] Update Makefile to enable emit-allow-admission-events and updated emit-admission-events to emit-deny-admission-events
- [x] Update docs with a new AllowedAdmission reason

Which issue this PR fixes: This is functionality I want as someone deploying GK with Helm. This helps me monitor the admissions and validate my policies in a similar manner to how OPA decision-logs work.

Special notes for your reviewer: The idea for the PR derived from https://github.com/open-policy-agent/gatekeeper/pull/739 and plenty of issues asking about decision logs (such as #1037).

Sample event outputs for reason AllowedAdmission:

```
kubectl get event -n gatekeeper-system

LAST SEEN   TYPE      REASON              OBJECT                                   MESSAGE
7m41s         Normal   AllowedAdmission   pod/privileged-nginx   Admission webhook "validation.gatekeeper.sh" allowed request, Resource Namespace: default
```

DorB-P · Jul 02 '24 15:07
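As an added example (not code from the PR or from Gatekeeper), here is the kind of consumer the description has in mind: a small script that reads the JSON from `kubectl get events -n gatekeeper-system -o json`, tallies events by reason, and breaks the `AllowedAdmission` events down by the `Resource Namespace:` named in the message and by the admitted object, giving a rough decision-log view. The event list below is constructed to mirror the message format shown above; the `Scheduled` event is an unrelated scheduler event included to show that other reasons are only counted.

```python
import json
import re
from collections import Counter

# Reason the PR emits for allowed requests; other reasons are counted as-is.
ALLOWED_REASON = "AllowedAdmission"

# The event message ends in "Resource Namespace: <ns>"; a cluster-scoped
# resource may leave it empty, which is reported as "(cluster)".
_NS_RE = re.compile(r"Resource Namespace:\s*(\S*)\s*$")


def summarize_events(raw_json: str) -> dict:
    """Tally events by reason and break AllowedAdmission events down by the
    resource namespace in the message and by the object that was admitted."""
    by_reason = Counter()
    allowed_by_ns = Counter()
    allowed_objects = Counter()
    for ev in json.loads(raw_json).get("items", []):
        reason = ev.get("reason", "")
        by_reason[reason] += 1
        if reason != ALLOWED_REASON:
            continue
        obj = ev.get("involvedObject", {})
        allowed_objects[f"{obj.get('kind', '?').lower()}/{obj.get('name', '?')}"] += 1
        match = _NS_RE.search(ev.get("message", ""))
        if match:
            allowed_by_ns[match.group(1) or "(cluster)"] += 1
    return {
        "by_reason": dict(by_reason),
        "allowed_by_namespace": dict(allowed_by_ns),
        "allowed_objects": dict(allowed_objects),
    }


# Constructed sample standing in for `kubectl get events -n gatekeeper-system -o json`.
SAMPLE_EVENTS = json.dumps({"items": [
    {"reason": "AllowedAdmission",
     "involvedObject": {"kind": "Pod", "name": "privileged-nginx"},
     "message": 'Admission webhook "validation.gatekeeper.sh" allowed request, Resource Namespace: default'},
    {"reason": "AllowedAdmission",
     "involvedObject": {"kind": "Pod", "name": "privileged-nginx"},
     "message": 'Admission webhook "validation.gatekeeper.sh" allowed request, Resource Namespace: default'},
    {"reason": "AllowedAdmission",
     "involvedObject": {"kind": "Namespace", "name": "team-a"},
     "message": 'Admission webhook "validation.gatekeeper.sh" allowed request, Resource Namespace: '},
    {"reason": "Scheduled",  # unrelated scheduler event, counted by reason only
     "involvedObject": {"kind": "Pod", "name": "gatekeeper-audit-0"},
     "message": "Successfully assigned gatekeeper-system/gatekeeper-audit-0 to node-1"},
]})
```

Against a live cluster, pass the output of `kubectl get events -n gatekeeper-system -o json` to `summarize_events` to get the same breakdown; if the namespace-emission flag is on, the events live in the involved namespaces instead.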