
fix: scope of webhook configurations #3676

Open
wants to merge 12 commits into base: master
Conversation


@plavy plavy commented Oct 30, 2024

What this PR does / why we need it:
As described in the issue, the scope of the webhooks is not set, so it defaults to unrestricted scope. namespaceSelector is therefore not fully enforced.

Which issue(s) this PR fixes:
Fixes #3675

@plavy plavy requested a review from a team as a code owner October 30, 2024 19:50
plavy and others added 2 commits November 6, 2024 09:59
@codecov-commenter

codecov-commenter commented Nov 7, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.74%. Comparing base (3350319) to head (fca52d5).
Report is 271 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (fca52d5).

HEAD has 1 upload less than BASE
Flag       BASE (3350319)   HEAD (fca52d5)
unittests  2                1
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #3676      +/-   ##
==========================================
- Coverage   54.49%   47.74%   -6.76%     
==========================================
  Files         134      234     +100     
  Lines       12329    19858    +7529     
==========================================
+ Hits         6719     9481    +2762     
- Misses       5116     9487    +4371     
- Partials      494      890     +396     
Flag       Coverage Δ
unittests  47.74% <ø> (-6.76%) ⬇️

Flags with carried forward coverage won't be shown.

Contributor

@JaydipGabani JaydipGabani left a comment


Thanks for the contribution!

Member

@sozercan sozercan left a comment


LGTM

@JaydipGabani
Contributor

@maxsmythe PTAL.


stale bot commented Mar 4, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Mar 4, 2025
@JaydipGabani
Contributor

@plavy is there still interest in this PR?

@stale stale bot removed the stale label Mar 4, 2025
@plavy
Author

plavy commented Mar 6, 2025

@JaydipGabani The MR got two approvals, so I am not sure where the problem is.

Contributor

@JaydipGabani JaydipGabani left a comment


@plavy apologies for the delay. Please add the newly added variables to https://github.com/open-policy-agent/gatekeeper/blob/master/cmd/build/helmify/static/README.md. Really close to closing this.

@ritazh ritazh added this to the v3.19.0 milestone Mar 18, 2025
@plavy
Author

plavy commented Mar 21, 2025

@JaydipGabani I've implemented all the scopes and added entries to README.

@@ -144,9 +144,11 @@ information._
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookMatchConditions | The match conditions written in CEL to further refine which resources will be selected by the webhook. All match conditions must evaluate to true for the webhook to be called | `[]` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookCheckIgnoreScope | The scope for the check-ignore-label validating webhook | `*` |
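Review bot: the new `validatingWebhookCheckIgnoreScope` row states the default `*` but neither the allowed values nor the caveat that the check-ignore-label webhook only matches Namespace objects, which are cluster-scoped, so a user who sets `Namespaced` here silently disables the webhook and with it the rejection of Namespaces carrying the ignore label. Either document that `*` and `Cluster` are the only usable values, or drop the variable and keep the scope fixed, rather than shipping a setting whose one non-default choice is unsafe.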
Contributor

@JaydipGabani JaydipGabani Mar 21, 2025


Apologies on going back and forth on this, but allowing users to set the scope for this might not be a good idea. Since the scope of the check-ignore-label validating webhook should not be set to Namespaced, as this scope applies only to rules for Namespace resources. Setting it to Namespaced will prevent the rejection of invalid Namespaces with the admission.gatekeeper.sh/ignore label. Namespaces with this label, along with all resources within them, are exempt from Gatekeeper validation. We should revert this back to remove the variable.

@JaydipGabani
Contributor

@plavy PTAL.

Moving this to 3.20 for now since I do think there is more in this PR that needs to happen to address the original concerns.

In order to make the webhooks compliant we can modify the scope of check-ignore-label to Cluster which should work since it only cares about Namespaces. However modifying other scopes to Namespaced or Cluster might result in policies not being enforced for all resources. The answer here might be to get exception. Regardless, I think this PR is still relevant to allow ability to set scope for the users who aren't concerned with validating/mutating "ALL" resources.
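A scope lint for the two failure modes discussed in this thread (a webhook left at scope `*` whose namespaceSelector therefore does not cover cluster-scoped objects, and a namespaces-only webhook set to `Namespaced`, which can never be called), written as an added example rather than Gatekeeper's own code; the struct fields are a constructed stand-in for the admissionregistration types and the webhook names are assumed sample values.

```go
package main

import "fmt"

// Minimal stand-in for the admissionregistration.k8s.io fields the check needs
// (constructed for this example; not Gatekeeper's own types).
type Rule struct {
	Resources []string // e.g. ["namespaces"] or ["*"]
	Scope     string   // "*", "Cluster" or "Namespaced"; empty means "*"
}
type Webhook struct {
	Name                 string
	Rules                []Rule
	HasNamespaceSelector bool // a non-empty namespaceSelector is configured
}

// onlyNamespaces reports whether a rule matches nothing but Namespace objects.
func onlyNamespaces(resources []string) bool {
	for _, res := range resources {
		if res != "namespaces" {
			return false
		}
	}
	return len(resources) > 0
}

// LintWebhook returns one finding per scope misconfiguration in w.
func LintWebhook(w Webhook) []string {
	var findings []string
	for _, r := range w.Rules {
		scope := r.Scope
		if scope == "" {
			scope = "*" // API server default when scope is omitted
		}
		// namespaceSelector never skips cluster-scoped objects other than Namespaces,
		// so with scope "*" it only restricts namespaced objects.
		if w.HasNamespaceSelector && scope == "*" {
			findings = append(findings, w.Name+": namespaceSelector set but scope is *; cluster-scoped objects still reach the webhook")
		}
		// Namespaces are cluster-scoped, so scope Namespaced on a namespaces-only
		// rule matches nothing and silently disables the webhook.
		if scope == "Namespaced" && onlyNamespaces(r.Resources) {
			findings = append(findings, w.Name+": rule matches only namespaces but scope is Namespaced; it will never be called")
		}
	}
	return findings
}
func main() {
	w := Webhook{Name: "validation.gatekeeper.sh", Rules: []Rule{{Resources: []string{"*"}}}, HasNamespaceSelector: true} // constructed sample
	fmt.Println(LintWebhook(w))
}
```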

Successfully merging this pull request may close these issues.

namespaceSelector of the webhooks doesn't have effect since scope is not defined