From f70f9e9333acb2f098b82b4fb45601ff71854ab3 Mon Sep 17 00:00:00 2001
From: davis-haba
Date: Thu, 26 Jan 2023 11:49:59 -0800
Subject: [PATCH 1/3] Add --operation=mutation-controller flag
Signed-off-by: davis-haba
---
 .../mutators/core/reconciler_test.go | 14 ++++-----
 pkg/mutation/mutation.go | 2 +-
 pkg/operations/operations.go | 29 ++++++-------------
 pkg/operations/operations_test.go | 2 +-
 website/docs/operations.md | 23 +++++++++++++++
 5 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/pkg/controller/mutators/core/reconciler_test.go b/pkg/controller/mutators/core/reconciler_test.go
index f2752bd054b..5fa387ddfdc 100644
--- a/pkg/controller/mutators/core/reconciler_test.go
+++ b/pkg/controller/mutators/core/reconciler_test.go
@@ -402,7 +402,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: true,
 Errors: nil,
 },
@@ -434,7 +434,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: true,
 Errors: nil,
 },
@@ -494,7 +494,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: false,
 Errors: []statusv1beta1.MutatorError{{Message: newErrSome(1).Error()}},
 },
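Review bot: The expected `Operations` slice on the `+` line is the same literal repeated in each of the seven fixtures touched by this series (hunks at -402, -434, -494, -535, -634, -685 and -940), so every new operation means seven identical edits and a missed one fails only at test time. Hoisting it into one package-level test variable, e.g. `var allOpsSorted = []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"}`, and writing `Operations: allOpsSorted,` in each fixture keeps them in lockstep. The enclosing TestReconciler_Reconcile function starts and ends outside the hunk.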
@@ -535,7 +535,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: false,
 Errors: []statusv1beta1.MutatorError{
 {
@@ -634,7 +634,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: false,
 Errors: []statusv1beta1.MutatorError{
 {
@@ -685,7 +685,7 @@ func TestReconciler_Reconcile(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: true,
 Errors: nil,
 },
@@ -940,7 +940,7 @@ func TestReconciler_Reconcile_DeletePodStatus(t *testing.T) {
 },
 Status: statusv1beta1.MutatorPodStatusStatus{
 ID: "no-pod",
- Operations: []string{"audit", "mutation-status", "mutation-webhook", "status", "webhook"},
+ Operations: []string{"audit", "mutation-controller", "mutation-status", "mutation-webhook", "status", "webhook"},
 Enforced: true,
 },
 }
diff --git a/pkg/mutation/mutation.go b/pkg/mutation/mutation.go
index f2997c1594a..3c08fec82dd 100644
--- a/pkg/mutation/mutation.go
+++ b/pkg/mutation/mutation.go
@@ -34,5 +34,5 @@ func init() {
 // Enabled indicates if the mutation feature is enabled.
 func Enabled() bool {
- return operations.IsAssigned(operations.MutationStatus) || operations.IsAssigned(operations.MutationWebhook)
+ return operations.IsAssigned(operations.MutationStatus) || operations.IsAssigned(operations.MutationWebhook) || operations.IsAssigned(operations.MutationController)
 }
diff --git a/pkg/operations/operations.go b/pkg/operations/operations.go
index 1de48cf9cb6..ccc0976f94a 100644
--- a/pkg/operations/operations.go
+++ b/pkg/operations/operations.go
@@ -15,22 +15,23 @@ type Operation string
 // All defined Operations.
 const (
- Audit = Operation("audit")
- Status = Operation("status")
- MutationStatus = Operation("mutation-status")
- MutationWebhook = Operation("mutation-webhook")
- Webhook = Operation("webhook")
+ Audit = Operation("audit")
+ Status = Operation("status")
+ MutationController = Operation("mutation-controller")
+ MutationStatus = Operation("mutation-status")
+ MutationWebhook = Operation("mutation-webhook")
+ Webhook = Operation("webhook")
 )
 var (
 // allOperations is a list of all possible Operations that can be assigned to
- // a pod. It is NOT intended to be mutated. It should be kept in alphabetical
- // order so that it can be readily compared to the results from AssignedOperations.
+ // a pod. It is NOT intended to be mutated.
 allOperations = []Operation{
 Audit,
- Status,
+ MutationController,
 MutationStatus,
 MutationWebhook,
+ Status,
 Webhook,
 }
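Review bot: The `+` line makes `Enabled()` true when only `mutation-controller` is assigned, but nothing in this series marks `MutationController` as assigned when the pod runs `mutation-webhook` or `mutation-status`, even though the accompanying docs say the controller runs implicitly with those two operations; any code that gates the controller on `IsAssigned(operations.MutationController)` rather than on `Enabled()` would therefore not run for such pods, which I cannot confirm from the hunk. The doc comment above the function should make the intended gate explicit, e.g. `// Enabled reports whether any mutation operation (mutation-status, mutation-webhook or mutation-controller) is assigned to this pod.` followed by `// Gate the mutation controller on this, not on IsAssigned(MutationController): the controller is implied by the other two operations without being assigned itself.`.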
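Review bot: The removed comment lines documented that `allOperations` must stay in alphabetical order, yet the new slice is still carefully kept sorted (`MutationController` before `MutationStatus`, `Status` moved below `MutationWebhook`) and the reconciler_test.go fixtures in this series assert the pod status `Operations` list in exactly that order, which suggests the ordering is still load-bearing for whatever populates that list, though the consumer is not visible in the hunk. If that is the case, keep the requirement documented rather than dropping it with the `AssignedOperations` reference: `// a pod. It is NOT intended to be mutated. Keep it in alphabetical order; the` / `// order is relied on by callers that compare or report the assigned set.`. Note that in this patch the const block and `allOperations` disagree on the position of `Status`; patch 2 of the series already fixes that.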
@@ -85,18 +86,6 @@ func init() {
 flag.Var(operations, "operation", "The operation to be performed by this instance. e.g. audit, webhook. This flag can be declared more than once. Omitting will default to supporting all operations.")
 }
-// AssignedOperations returns a map of operations assigned to the pod.
-func AssignedOperations() map[Operation]bool {
- ret := make(map[Operation]bool)
- operationsMtx.RLock()
- defer operationsMtx.RUnlock()
-
- for k, v := range operations.assignedOperations {
- ret[k] = v
- }
- return ret
-}
-
 // IsAssigned returns true when the provided operation is assigned to the pod.
 func IsAssigned(op Operation) bool {
 operationsMtx.RLock()
diff --git a/pkg/operations/operations_test.go b/pkg/operations/operations_test.go
index 07da739ae9e..1865a6c630e 100644
--- a/pkg/operations/operations_test.go
+++ b/pkg/operations/operations_test.go
@@ -15,7 +15,7 @@ func Test_Flags(t *testing.T) {
 }{
 "default": {
 input: []string{},
- expected: map[Operation]bool{Audit: true, Webhook: true, Status: true, MutationStatus: true, MutationWebhook: true},
+ expected: map[Operation]bool{Audit: true, Webhook: true, Status: true, MutationStatus: true, MutationWebhook: true, MutationController: true},
 },
 "multiple": {
 input: []string{"-operation", "audit", "-operation", "webhook"},
diff --git a/website/docs/operations.md b/website/docs/operations.md
index e1de876daf6..71007a8b517 100644
--- a/website/docs/operations.md
+++ b/website/docs/operations.md
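Review bot: Deleting the exported `AssignedOperations()` is an API removal that the commit subject ("Add --operation=mutation-controller flag") does not mention, and nothing in the series replaces it or explains why it is dead. The comment removed in the earlier hunk of this file tied `allOperations` ordering to this function's results, which hints it was once used to build the assigned-operation list reported in `MutatorPodStatus`; if that consumer now derives the list some other way, say so in the commit message, otherwise keep the function. Either way a removal of public surface is better split into its own commit so it can be reverted independently of the new flag value.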
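Review bot: The only coverage the new `mutation-controller` value gets in Test_Flags is the `"default"` case on the `+` line, where it is present because omitting the flag selects every operation; the flag value itself is never parsed in a test. Add a case that passes it explicitly, e.g. `"mutation-controller": {input: []string{"-operation", "mutation-controller"}, expected: map[Operation]bool{MutationController: true}},`, so a typo in the `Operation("mutation-controller")` literal or in the flag's value parsing is caught. The table and the test function continue outside the hunk.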
@@ -153,6 +153,29 @@ At a high level, this requires:
 * The ability to write to all objects in the group `mutations.gatekeeper.sh` (mutators)
 * The ability to read `MutatorPodStatus` objects in Gatekeeper's namespace
+## Mutation Controller
+
+__--operation key:__ `mutation-controller`
+
+This operation runs the process responsible for ingesting and registering
+mutators. `mutation-controller` is run implicitly with the `mutation-webhook`
+and `mutation-status` operations, and is redundant if any of the 2
+aforementioned operations are already specified.
+
+If the `webhook` operation is used in isolation without the `mutation-webhook`
+or `mutation-status` operations, then the `mutation-controller` operation is
+required for mutation to work with [workload expansion](workload-resources.md).
+
+### Required Behaviors:
+
+At a high level, this requires:
+
+* Ingesting Mutator objects
+
+### Permissions Required
+
+* The ability to read all objects in the group `mutations.gatekeeper.sh` (mutators)
+
 # A Note on Permissions
 "Create" implies the `create` and `delete` permissions in addition to the permissions implied by "Read" and "Write".
From 2dc7d7144d43312dc71cca21af24586cf1379a05 Mon Sep 17 00:00:00 2001
From: davis-haba
Date: Thu, 26 Jan 2023 14:47:59 -0800
Subject: [PATCH 2/3] operations in sorted order
Signed-off-by: davis-haba
---
 pkg/operations/operations.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/operations/operations.go b/pkg/operations/operations.go
index ccc0976f94a..d51496d2c50 100644
--- a/pkg/operations/operations.go
+++ b/pkg/operations/operations.go
@@ -16,10 +16,10 @@ type Operation string
 // All defined Operations.
 const (
 Audit = Operation("audit")
- Status = Operation("status")
 MutationController = Operation("mutation-controller")
 MutationStatus = Operation("mutation-status")
 MutationWebhook = Operation("mutation-webhook")
+ Status = Operation("status")
 Webhook = Operation("webhook")
 )
From 851b1a75412ff57c4973ed5fb4b9ce6131913a48 Mon Sep 17 00:00:00 2001
From: davis-haba
Date: Mon, 30 Jan 2023 16:17:17 -0800
Subject: [PATCH 3/3] update mutation-controller op docs to indicate audit may also need the flag
Signed-off-by: davis-haba
---
 website/docs/operations.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/website/docs/operations.md b/website/docs/operations.md
index 71007a8b517..7eea4e0fc5f 100644
--- a/website/docs/operations.md
+++ b/website/docs/operations.md
@@ -162,7 +162,7 @@ mutators. `mutation-controller` is run implicitly with the `mutation-webhook`
 and `mutation-status` operations, and is redundant if any of the 2
 aforementioned operations are already specified.
-If the `webhook` operation is used in isolation without the `mutation-webhook`
+If the `webhook` or `audit` operation is used in isolation without the `mutation-webhook`
 or `mutation-status` operations, then the `mutation-controller` operation is
 required for mutation to work with [workload expansion](workload-resources.md).