Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add disallow interactive tty constraint #305

Merged
merged 27 commits into from
Dec 6, 2023
Merged

Add disallow interactive tty constraint #305

merged 27 commits into from
Dec 6, 2023

Conversation

tspearconquest
Copy link
Contributor

What this PR does / why we need it:
Adds a constraint to disallow deployment of pods with containers where the fields related to interactive sessions, such as stdin, and tty, are set to true

Special notes for your reviewer:

@tspearconquest tspearconquest mentioned this pull request Mar 20, 2023
Closed
@tspearconquest
Copy link
Contributor Author

I've tested this in my cluster. Gitlab runners use tty: true, and with a constraint applied against this template, the gitlab runner job pods are rejected by Gatekeeper. :)

maxsmythe
maxsmythe approved these changes Apr 6, 2023
View reviewed changes
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the contribution!

Not sure if the artifact hub generation stuff is supposed to happen later.

@maxsmythe
Copy link
Contributor

It looks like this command needs to be run: Please run 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs

@tspearconquest
Copy link
Contributor Author

Thanks, yes I am doing this now.

@tspearconquest
Copy link
Contributor Author

Done, and pushed.

@tspearconquest
Copy link
Contributor Author

Checking on the new failures...

ritazh
ritazh reviewed Apr 7, 2023
View reviewed changes
library/general/horizontalpodautoscaler/template.yaml Outdated
@@ -4,7 +4,7 @@ metadata:
name: k8shorizontalpodautoscaler
annotations:
metadata.gatekeeper.sh/title: "Horizontal Pod Autoscaler"
metadata.gatekeeper.sh/version: 1.0.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you mean to make these changes for this policy?

@tspearconquest
Copy link
Contributor Author

tspearconquest commented Apr 7, 2023 via email
edited
Loading

@ritazh
Copy link
Member

ritazh commented Apr 7, 2023

@tspearconquest the change bumps the patch version. might be good to revert it for now since the horizontalpodautoscaler policy is not in the right place. xref #314

Thomas Spear and others added 11 commits April 6, 2023 21:19
Add a disallow interactive TTY constraint
4fb9e23 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Add source for disallow interactive
f0dd4cd 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@sozercan
ci: remove skip for storage class (open-policy-agent#300)
c8728c9 
* remove skip for storage class

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

* revert timestamp

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

---------

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@sozercan
fix: disallowed repos sample test name (open-policy-agent#301)
3e52793 
* fix: disallowed repos sample test name

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

* fix tests

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>

---------

Signed-off-by: Sertac Ozercan <sozercan@gmail.com>
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@ctrought @sozercan @maxsmythe
feat: add HorizontalPodAutoscaler policy (open-policy-agent#235)
05408fb 
* feat: add HorizontalPodAutoscaler policy

Signed-off-by: Craig Trought <k8s@trought.ca>

* chore: add metadata for artifacts

Signed-off-by: Craig Trought <k8s@trought.ca>

* chore: generate artifacts

Signed-off-by: Craig Trought <k8s@trought.ca>

* fix: remove sample constraint

Signed-off-by: Craig Trought <k8s@trought.ca>

* core: add requiresSyncData metadata

Signed-off-by: Craig Trought <k8s@trought.ca>

* add hpa policy to kustomize

Signed-off-by: Craig Trought <k8s@trought.ca>

---------

Signed-off-by: Craig Trought <k8s@trought.ca>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Max Smythe <smythe@google.com>
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@apeabody
fix: remove hardcoded kind from replicalimits msg (open-policy-agent#309
52fe3c3 
)

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Run 'make generate generate-website-docs generate-artifacthub-artifacts'
651c7c4 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Run 'make generate generate-website-docs generate-artifacthub-artifac…
c4a2a40 
…ts' again

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Revert "Run 'make generate generate-website-docs generate-artifacthub…
3085f8d 
…-artifacts' again"

This reverts commit 673a63a.

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Revert "Run 'make generate generate-website-docs generate-artifacthub…
5d0c896 
…-artifacts'"

This reverts commit 54b069c.

Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Run 'make generate generate-website-docs generate-artifacthub-artifacts'
0547a50 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@tspearconquest tspearconquest force-pushed the add_disallow_interactive_tty_constraint branch from 5cb4eae to 0547a50 Compare April 7, 2023 02:19
Thomas Spear and others added 2 commits April 7, 2023 01:47
@ritazh
Copy link
Member

ritazh commented Apr 13, 2023

@nilekhc can you pls help take a look at all the CI failures to make sure they are failing correctly? e.g. panic: looks like template.yaml is updated but the version is not. Please update the 'metadata.gatekeeper.sh/version' annotation in the template.yaml source and if so, what needs to be fixed?

@JaydipGabani
Copy link
Contributor

@tspearconquest can you try deleting artifact-hub/library/general/disallowinteractive dir from your local and then run make generate generate-website-docs generate-artifacthub-artifacts? it should solve ci error.

Thomas Spear and others added 4 commits April 27, 2023 16:41
Fix CI
c7b3e61 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
Merge branch 'add_disallow_interactive_tty_constraint' of github.com:…
489dc08 
…tspearconquest/gatekeeper-library into add_disallow_interactive_tty_constraint
@tspearconquest
Merge branch 'open-policy-agent:master' into add_disallow_interactive…
0d62cc4 
…_tty_constraint
@apeabody
Merge branch 'master' into add_disallow_interactive_tty_constraint
9f2d113
@nilekhc nilekhc mentioned this pull request May 4, 2023
Closed
@nilekhc
Copy link
Contributor

nilekhc commented May 4, 2023

@nilekhc can you pls help take a look at all the CI failures to make sure they are failing correctly? e.g. panic: looks like template.yaml is updated but the version is not. Please update the 'metadata.gatekeeper.sh/version' annotation in the template.yaml source and if so, what needs to be fixed?

Thanks for reporting this @ritazh! I have opened #339 to fix it.

@apeabody
Copy link
Contributor

Hi @tspearconquest - #339 has been merged, can you please try a fresh 'make generate generate-website-docs generate-artifacthub-artifacts' to generate the templates and docs. Cheers!

@tspearconquest
Copy link
Contributor Author

Hello, apologies for my delay, as I was on leave for the last 2 weeks. I am doing it now.

Run make generate generate-website-docs generate-artifacthub-artifacts
6962979 
Signed-off-by: Thomas Spear <tspear@conquestcyber.com>
@tspearconquest
Copy link
Contributor Author

Ok, it's pushed and it looks like tests have passed. Please take a look. Thanks again!

@maxsmythe
Copy link
Contributor

@ritazh LGTY?

@stale
Copy link

stale bot commented Sep 19, 2023

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 19, 2023
@tspearconquest
Copy link
Contributor Author

Any update on this?

@stale stale bot removed the stale label Sep 19, 2023
@stale Stale
Copy link

stale bot commented Nov 25, 2023

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 25, 2023
@tspearconquest
Copy link
Contributor Author

Not stale...

/help

@stale stale bot removed the stale label Nov 27, 2023
@apeabody apeabody requested a review from a team as a code owner November 27, 2023 16:40
@nilekhc nilekhc merged commit 2d99845 into open-policy-agent:master Dec 6, 2023
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ritazh ritazh ritazh left review comments

@maxsmythe maxsmythe maxsmythe approved these changes

@nilekhc nilekhc nilekhc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@tspearconquest @maxsmythe @ritazh @JaydipGabani @nilekhc @apeabody @sozercan @ctrought