Merge branch 'master' into gator-sync-support

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# These owners are the maintainers and approvers of this repo
+*       @open-policy-agent/gatekeeper-maintainers

.github/workflows/release-pr.yaml

@@ -83,3 +83,4 @@ jobs:
           title: "chore: Prepare ${{ env.NEWVERSION }} release"
           branch: "release-${{ env.NEWVERSION }}"
           base: "${{ env.TARGET_BRANCH }}"
+          signoff: true

.github/workflows/scan-vulns.yaml

@@ -0,0 +1,74 @@
+name: scan_vulns
+on:
+  push:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+  pull_request:
+    paths-ignore:
+      - ".github/workflows/website.yaml"
+      - "docs/**"
+      - "library/**"
+      - "demo/**"
+      - "deprecated/**"
+      - "example/**"
+      - "website/**"
+      - "**.md"
+      - "!cmd/build/helmify/static/README.md"
+
+permissions: read-all
+
+jobs:
+  govulncheck:
+    name: "Run govulncheck"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - uses: golang/govulncheck-action@7da72f730e37eeaad891fcff0a532d27ed737cd4 # v1.0.1
+
+  scan_vulnerabilities:
+    name: "[Trivy] Scan for vulnerabilities"
+    runs-on: ubuntu-22.04
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Download trivy
+        run: |
+          pushd $(mktemp -d)
+          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
+          echo "$(pwd)" >> $GITHUB_PATH
+        env:
+          TRIVY_VERSION: "0.46.0"
+
+      - name: Run trivy on git repository
+        run: |
+          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
+
+      - name: Build docker images
+        run: |
+          make docker-buildx \
+            IMG=gatekeeper-e2e:latest
+
+          make docker-buildx-crds \
+            CRD_IMG=gatekeeper-crds:latest
+
+      - name: Run trivy on images
+        run: |
+          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
+              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
+          done

.github/workflows/workflow.yaml

@@ -307,43 +307,3 @@ jobs:
         name: generatorexpansion-logs
         path: |
           logs-*.json
-
-  scan_vulnerabilities:
-    name: "[Trivy] Scan for vulnerabilities"
-    runs-on: ubuntu-22.04
-    timeout-minutes: 15
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
-        with:
-          egress-policy: audit
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
-
-      - name: Download trivy
-        run: |
-          pushd $(mktemp -d)
-          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          echo "$(pwd)" >> $GITHUB_PATH
-        env:
-          TRIVY_VERSION: "0.41.0"
-
-      - name: Run trivy on git repository
-        run: |
-          trivy fs --format table --ignore-unfixed --skip-dirs website --scanners vuln .
-
-      - name: Build docker images
-        run: |
-          make docker-buildx \
-            IMG=gatekeeper-e2e:latest
-
-          make docker-buildx-crds \
-            CRD_IMG=gatekeeper-crds:latest
-
-      - name: Run trivy on images
-        run: |
-          for img in "gatekeeper-e2e:latest" "gatekeeper-crds:latest"; do
-              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
-          done

cmd/build/helmify/static/values.yaml

@@ -210,6 +210,8 @@ controllerManager:
       #       cidr: 0.0.0.0/0
 audit:
   enablePubsub: false
+  connection: audit-connection
+  channel: audit-channel
   hostNetwork: false
   dnsPolicy: ClusterFirst
   metricsPort: 8888

config/crd/kustomization.yaml

@@ -50,6 +50,12 @@ patchesJson6902:
     kind: CustomResourceDefinition
     name: assignimage.mutations.gatekeeper.sh
   path: patches/max_name_size.yaml
+- target:
+    group: apiextensions.k8s.io
+    version: v1
+    kind: CustomResourceDefinition
+    name: expansiontemplate.expansion.gatekeeper.sh
+  path: patches/max_name_size.yaml
 
 patchesStrategicMerge:
 #- patches/max_name_size_for_modifyset.yaml

crd.Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.28.2 as builder
+FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.28.3 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/google/uuid v1.3.1
 	github.com/onsi/gomega v1.27.10
 	github.com/open-policy-agent/cert-controller v0.8.0
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20231019180654-3eb381ce6cbe
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
 	github.com/spf13/cobra v1.7.0

go.sum

@@ -967,8 +967,8 @@ github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/open-policy-agent/cert-controller v0.8.0 h1:pao3WCLsKGz5dSWSlNUFrNFQdXtVTQ3lVDgk2IelH34=
 github.com/open-policy-agent/cert-controller v0.8.0/go.mod h1:alotCQRwX4M6VEwEgO53FB6nGLSlvah6L0pWxSRslIk=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20231019180654-3eb381ce6cbe h1:wQ2MKaTgPt74u7Ya5pQ0MU+Ako2vkdivi7UVy9kjYAg=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20231019180654-3eb381ce6cbe/go.mod h1:AaCd/gbQ31R7btHO450Kdp18/Zmvn7hjEt7Qbp+MfJM=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575 h1:rhln22JjTgsJGL8gDK4qEM372Ei1PPQk4ZTIOKM9WvY=
+github.com/open-policy-agent/frameworks/constraint v0.0.0-20231030230613-2e0cb3d68575/go.mod h1:AaCd/gbQ31R7btHO450Kdp18/Zmvn7hjEt7Qbp+MfJM=
 github.com/open-policy-agent/opa v0.57.1 h1:LAa4Z0UkpjV94nRLy6XCvgOacQ6N1jf8TJLMUIzFRqc=
 github.com/open-policy-agent/opa v0.57.1/go.mod h1:YYcVsWcdOW47owR0zElx8HPYZK60vL0MOPsEmh13us4=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=

manifest_staging/charts/gatekeeper/crds/expansiontemplate-customresourcedefinition.yaml

@@ -28,6 +28,10 @@ spec:
             description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
+            properties:
+              name:
+                maxLength: 63
+                type: string
             type: object
           spec:
             description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.

manifest_staging/charts/gatekeeper/values.yaml

@@ -210,6 +210,8 @@ controllerManager:
       #       cidr: 0.0.0.0/0
 audit:
   enablePubsub: false
+  connection: audit-connection
+  channel: audit-channel
   hostNetwork: false
   dnsPolicy: ClusterFirst
   metricsPort: 8888

manifest_staging/deploy/gatekeeper.yaml

@@ -2311,6 +2311,10 @@ spec:
             description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
             type: string
           metadata:
+            properties:
+              name:
+                maxLength: 63
+                type: string
             type: object
           spec:
             description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.

pkg/audit/manager.go

@@ -66,8 +66,8 @@ var (
 	auditEventsInvolvedNamespace = flag.Bool("audit-events-involved-namespace", false, "emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will still follow the default behavior")
 	auditMatchKindOnly           = flag.Bool("audit-match-kind-only", false, "only use kinds specified in all constraints for auditing cluster resources. if kind is not specified in any of the constraints, it will audit all resources (same as setting this flag to false)")
 	apiCacheDir                  = flag.String("api-cache-dir", defaultAPICacheDir, "The directory where audit from api server cache are stored, defaults to /tmp/audit")
-	auditConnection              = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages")
-	auditChannel                 = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages")
+	auditConnection              = flag.String("audit-connection", defaultConnection, "Connection name for publishing audit violation messages. Defaults to audit-connection")
+	auditChannel                 = flag.String("audit-channel", defaultChannel, "Channel name for publishing audit violation messages. Defaults to audit-channel")
 	emptyAuditResults            []updateListEntry
 	logStatsAudit                = flag.Bool("log-stats-audit", false, "(alpha) log stats metrics for the audit run")
 )
@@ -508,6 +508,17 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
 			ns = nil
 		}
 
+		excluded, err := am.skipExcludedNamespace(&obj)
+		if err != nil {
+			am.log.Error(err, "Unable to exclude object namespace for audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
+			continue
+		}
+
+		if excluded {
+			am.log.V(logging.DebugLevel).Info("excluding object from audit from cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName())
+			continue
+		}
+
 		au := &target.AugmentedUnstructured{
 			Object:    obj,
 			Namespace: ns,

pkg/audit/manager_test.go

@@ -1,17 +1,115 @@
 package audit
 
 import (
+	"context"
 	"os"
 	"reflect"
 	"testing"
 
+	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
+	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
+	configv1alpha1 "github.com/open-policy-agent/gatekeeper/v3/apis/config/v1alpha1"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/config/process"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/fakes"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/wildcard"
 	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
+func Test_auditFromCache(t *testing.T) {
+	podToReview := fakes.Pod(fakes.WithNamespace("test-namespace-1"))
+	podGVK := podToReview.GroupVersionKind()
+	testAuditCache := fakeCacheListerFor([]schema.GroupVersionKind{podGVK}, []client.Object{podToReview})
+
+	driver, err := rego.New()
+	require.NoError(t, err)
+	client, err := constraintclient.NewClient(constraintclient.Targets(&target.K8sValidationTarget{}), constraintclient.Driver(driver))
+	require.NoError(t, err)
+
+	_, err = client.AddTemplate(context.Background(), fakes.DenyAllRegoTemplate())
+	require.NoError(t, err, "adding denyall constraint template")
+	_, err = client.AddConstraint(context.Background(), fakes.DenyAllConstraint())
+	require.NoError(t, err, "adding denyall constraint")
+
+	tests := []struct {
+		name            string
+		processExcluder *process.Excluder
+		wantViolation   bool
+	}{
+		{
+			name:            "obj excluded from audit",
+			processExcluder: processExcluderFor([]string{"test-namespace-1"}),
+		},
+		{
+			name:            "obj not excluded from audit",
+			processExcluder: processExcluderFor([]string{}),
+			wantViolation:   true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			am := &Manager{
+				processExcluder: tc.processExcluder,
+				auditCache:      testAuditCache,
+				opa:             client,
+			}
+
+			results, errs := am.auditFromCache(context.Background())
+			require.Len(t, errs, 0)
+
+			if tc.wantViolation {
+				require.Len(t, results, 1)
+			} else {
+				require.Len(t, results, 0)
+			}
+		})
+	}
+}
+
+func fakeCacheListerFor(gvks []schema.GroupVersionKind, objsToList []client.Object) *CacheLister {
+	k8sclient := fake.NewClientBuilder().WithObjects(objsToList...).Build()
+	fakeLister := fakeWatchIterator{gvksToList: gvks}
+
+	return NewAuditCacheLister(k8sclient, &fakeLister)
+}
+
+type fakeWatchIterator struct {
+	gvksToList []schema.GroupVersionKind
+}
+
+func (f *fakeWatchIterator) DoForEach(listFunc func(gvk schema.GroupVersionKind) error) error {
+	for _, gvk := range f.gvksToList {
+		if err := listFunc(gvk); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func processExcluderFor(ns []string) *process.Excluder {
+	processExcluder := process.New()
+	for _, n := range ns {
+		processExcluder.Add([]configv1alpha1.MatchEntry{
+			{
+				ExcludedNamespaces: []wildcard.Wildcard{wildcard.Wildcard(n)},
+				Processes:          []string{"audit"},
+			},
+		})
+	}
+
+	return processExcluder
+}
+
 func Test_newNSCache(t *testing.T) {
 	tests := []struct {
 		name string