Merge pull request #138 from weaveworks/dev

release v2.2.0

.github/workflows/integration_test.yml

@@ -0,0 +1,43 @@
+name: integration
+
+on:
+  push:
+    branches: [ master, dev ]
+  pull_request:
+    branches: [ master, dev ]
+
+jobs:
+  integration:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        namespace: [policy-system, test-system]
+    steps:
+      - name: Checkout repo 
+        uses: actions/checkout@v3
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+      - name: Install kubectl
+        uses: azure/setup-kubectl@v3
+      - name: Install kind
+        uses: helm/kind-action@v1.3.0
+        with:
+          install_only: true
+      - name: setup go
+        uses: actions/setup-go@v3
+        with:
+          go-version: '1.17'
+          cache: true
+      - name: Run tests
+        env:
+          NAMESPACE: ${{ matrix.namespace }}
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        run: |
+          make build
+
+          export VERSION=$(cat ./version.txt)
+          docker build -t weaveworks/policy-agent:${VERSION} .
+
+          cd test/integration
+          bash deploy.sh
+          go test -v ./...

Makefile

@@ -73,7 +73,7 @@ vet: ## Run go vet against code.
 
 .PHONY: test
 test: manifests generate fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -v ./... -coverprofile cover.out
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -v ./internal/... ./controllers/... ./pkg/... -coverprofile cover.out
 
 ##@ Build
 

api/v2beta2/policy_types.go

@@ -129,6 +129,11 @@ type PolicySpec struct {
 	//+kubebuilder:validation:Enum=kubernetes;terraform
 	// Provider is policy provider, can be kubernetes, terraform
 	Provider string `json:"provider"`
+
+	//+optional
+	//+kubebuilder:default:=false
+	// Mutate is a flag that indicates whether to enable mutation of resources violating this policy or not
+	Mutate bool `json:"mutate"`
 }
 
 //+kubebuilder:object:root=true

config/crd/bases/pac.weave.works_policies.yaml

@@ -348,6 +348,11 @@ spec:
               id:
                 description: ID is the policy unique identifier
                 type: string
+              mutate:
+                default: false
+                description: Mutate is a flag that indicates whether to enable mutation
+                  of resources violating this policy or not
+                type: boolean
               name:
                 description: Name is the policy name
                 type: string

configuration/config.go

@@ -50,6 +50,7 @@ type AdmissionConfig struct {
 	Enabled bool
 	Webhook AdmissionWebhook
 	Sinks   SinksConfig
+	Mutate  bool
 }
 
 type AuditConfig struct {

docs/README.md

@@ -68,6 +68,20 @@ This contains the admission module that enforces policies. It uses the `controll
 
 > Works with policies of provider `kubernetes`
 
+#### Mutating Resources
+
+Starting from version `v2.2.0`, the policy agent will support mutating resources. To enable mutating resources set `mutate` flag to `true` in the `admission` configuration section.
+
+```yaml
+admission:
+   enabled: true
+   mutate: true # set this field to true to enable mutating resources
+   sinks:
+      filesystemSink:
+         fileName: admission.txt
+```
+
+> See [here](./policy.md#mutating-resources) how to make policies support mutating resources.
 
 ### Terraform Admission
 

docs/policy.md

@@ -18,3 +18,24 @@ Here is the Weaveworks [Policy Library](https://github.com/weaveworks/policy-lib
 It is used in [Multi Tenancy](https://docs.gitops.weave.works/docs/enterprise/multi-tenancy/) feature in [Weave GitOps Enterprise](https://docs.gitops.weave.works/docs/enterprise/intro/)
 
 Tenant policies has a special tag `tenancy`. 
+
+## Mutating Resources
+
+
+![](./mutation.png)
+
+Starting from version `v2.2.0`, the policy agent will support mutating resources.
+
+To enable mutating resources policies must have field `mutate` set to `true` and the rego code should return the `violating_key` and the `recommended_value` in the violation response. The mutation webhook will use the `violating_key` and `recommended_value` to mutate the resource and return the new mutated resource.
+
+Example 
+
+```
+result = {
+    "issue_detected": true,
+    "msg": sprintf("Replica count must be greater than or equal to '%v'; found '%v'.", [min_replica_count, replicas]),
+    "violating_key": "spec.replicas",
+    "recommended_value": min_replica_count
+}
+```
+

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/MagalixTechnologies/channel v1.1.0
 	github.com/MagalixTechnologies/core/logger v1.0.4
 	github.com/MagalixTechnologies/core/packet v1.0.1
-	github.com/MagalixTechnologies/policy-core v1.1.5
+	github.com/MagalixTechnologies/policy-core v1.1.6
 	github.com/MagalixTechnologies/uuid-go v0.0.0-20210127133914-f8f07f7ab96e
 	github.com/elastic/go-elasticsearch/v7 v7.17.1
 	github.com/fluxcd/pkg/runtime v0.13.1
@@ -25,47 +25,57 @@ require (
 	github.com/weaveworks/policy-agent/api v0.0.0
 	go.uber.org/zap v1.19.1
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	k8s.io/api v0.23.5
-	k8s.io/apiextensions-apiserver v0.23.4
-	k8s.io/apimachinery v0.23.5
-	k8s.io/client-go v0.23.4
-	sigs.k8s.io/controller-runtime v0.11.1
+	k8s.io/api v0.24.0
+	k8s.io/apiextensions-apiserver v0.24.0
+	k8s.io/apimachinery v0.24.0
+	k8s.io/client-go v0.24.0
+	sigs.k8s.io/controller-runtime v0.12.0
 )
 
 require (
 	github.com/MagalixTechnologies/opa-core v1.0.12 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/agnivade/levenshtein v1.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful v2.9.5+incompatible // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-logr/zapr v1.2.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.5 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.2.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/open-policy-agent/opa v0.42.2 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -92,19 +102,20 @@ require (
 	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.23.4 // indirect
-	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	k8s.io/component-base v0.24.0 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661 // indirect
+	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.10 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )