From 4e777bb57f29200326935488b58e2a24c1078197 Mon Sep 17 00:00:00 2001
From: 7navyasa <140163168+7navyasa@users.noreply.github.com>
Date: Sat, 29 Jun 2024 02:07:21 +1000
Subject: [PATCH] Gatekeeper upgrade (#208)
* management policies addition
* management policies removal from K8-provider
* load balancer controller addition
* updating policy to access global and local index
* Update dynamodb-write.yaml license
* upgrade deprecated api
* PR review fix
---
 .../samples/sample-table-eu-west-2-pass.yaml | 28 ++++++++----------
 .../samples/sample-table-us-east-1-fail.yaml | 29 ++++++++-----------
 .../required-tags/samples/constraint.yaml | 4 +--
 .../samples/dummy-table-missing-tag-fail.yaml | 28 ++++++++----------
 .../samples/dummy-table-no-tags-fail.yaml | 27 ++++++++---------
 .../samples/finance-table-pass.yaml | 28 ++++++++----------
 .../gatekeeper/required-tags/template.yaml | 19 ++++-------
 7 files changed, 67 insertions(+), 96 deletions(-)
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
index 6ce5d65b..f9050537 100644
--- a/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
+++ b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
 name: sample-table
 spec:
- deletionPolicy: Delete
+ providerConfigRef:
+ name: aws-provider-config
 forProvider:
+ attribute:
+ - name: myAttribute
+ type: S
+ hashKey: myAttribute
+ readCapacity: 1
+ writeCapacity: 1
 region: eu-west-2
- attributeDefinitions:
- - attributeName: id
- attributeType: S
- keySchema:
- - attributeName: id
- keyType: HASH
- billingMode: PROVISIONED
- provisionedThroughput:
- readCapacityUnits: 1
- writeCapacityUnits: 1
 tags:
- - key: "owner"
- value: "finance"
- providerConfigRef:
- name: aws-provider-config
\ No newline at end of file
+ owner: finance
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
index 211eb5a4..3628a6fb 100644
--- a/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
+++ b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
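Review bot: The annotation added under `metadata.annotations`, `meta.upbound.io/example-id: dynamodb/v1beta1/globaltable`, names a GlobalTable example while this manifest is `kind: Table`; it looks copied from the upbound provider's GlobalTable sample and the same value is repeated in every sample in this patch. That annotation is only read by upbound's example tooling, so either correct it to `meta.upbound.io/example-id: dynamodb/v1beta1/table` or drop it to keep the sample minimal. Dropping `deletionPolicy: Delete` now leaves the sample relying on the provider default, so a one-line comment such as `# deletionPolicy omitted: provider default applies` would stop the next reader from wondering whether the AWS table is orphaned when the object is deleted.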
@@ -1,24 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
 name: failing-table
 spec:
- deletionPolicy: Delete
+ providerConfigRef:
+ name: aws-provider-config
 forProvider:
+ attribute:
+ - name: myAttribute
+ type: S
+ hashKey: myAttribute
+ readCapacity: 1
+ writeCapacity: 1
 region: us-east-1
- attributeDefinitions:
- - attributeName: id
- attributeType: S
- keySchema:
- - attributeName: id
- keyType: HASH
- billingMode: PROVISIONED
- provisionedThroughput:
- readCapacityUnits: 1
- writeCapacityUnits: 1
 tags:
- - key: "owner"
- value: "finance"
-
- providerConfigRef:
- name: aws-provider-config
\ No newline at end of file
+ owner: finance
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/constraint.yaml b/examples/gatekeeper/required-tags/samples/constraint.yaml
index 228bc4f6..59df4952 100644
--- a/examples/gatekeeper/required-tags/samples/constraint.yaml
+++ b/examples/gatekeeper/required-tags/samples/constraint.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
 match:
 kinds:
- - apiGroups: ["*"]
- kinds: ["*"]
+ - apiGroups: ["dynamodb.aws.upbound.io"]
+ kinds: ["Table"]
 parameters:
 tags: ["owner"]
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
index 683f3c01..ee1505ad 100644
--- a/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
+++ b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
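Review bot: Narrowing `match.kinds` in constraint.yaml from `apiGroups: ["*"]` / `kinds: ["*"]` to only `dynamodb.aws.upbound.io` `Table` means this required-tags constraint no longer enforces anything on any other Crossplane-managed AWS kind, whereas the previous wildcard match let the template's group filter cover every `*.aws.crossplane.io` resource. A tagging policy that silently covers one resource type is easy to mistake for account-wide enforcement, so if the intent is DynamoDB-only, say so next to the match, e.g. `# scope deliberately limited to DynamoDB tables; widen apiGroups/kinds to enforce tags on other upbound resources`. If the intent is the old cluster-wide coverage, the match should list the upbound groups in use (or stay `["*"]`) and the template's rego, which in this patch also pins the group to `dynamodb.aws.upbound.io`, would need the same widening.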
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
 name: dummy-table
 spec:
- deletionPolicy: Delete
+ providerConfigRef:
+ name: aws-provider-config
 forProvider:
+ attribute:
+ - name: myAttribute
+ type: S
+ hashKey: myAttribute
+ readCapacity: 1
+ writeCapacity: 1
 region: eu-west-2
- attributeDefinitions:
- - attributeName: id
- attributeType: S
- keySchema:
- - attributeName: id
- keyType: HASH
- billingMode: PROVISIONED
- provisionedThroughput:
- readCapacityUnits: 1
- writeCapacityUnits: 1
 tags:
- - key: "aaa"
- value: "finance"
- providerConfigRef:
- name: aws-provider-config
\ No newline at end of file
+ aaa: finance
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
index ecbc4a64..bfaa9e79 100644
--- a/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
+++ b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
@@ -1,20 +1,17 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
 name: dummy-table
 spec:
- deletionPolicy: Delete
- forProvider:
- region: eu-west-2
- attributeDefinitions:
- - attributeName: id
- attributeType: S
- keySchema:
- - attributeName: id
- keyType: HASH
- billingMode: PROVISIONED
- provisionedThroughput:
- readCapacityUnits: 1
- writeCapacityUnits: 1
 providerConfigRef:
- name: aws-provider-config
\ No newline at end of file
+ name: aws-provider-config
+ forProvider:
+ attribute:
+ - name: myAttribute
+ type: S
+ hashKey: myAttribute
+ readCapacity: 1
+ writeCapacity: 1
+ region: eu-west-2
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
index 29e4c5da..56ed7741 100644
--- a/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
+++ b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
@@ -1,23 +1,19 @@
-apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+apiVersion: dynamodb.aws.upbound.io/v1beta1
 kind: Table
 metadata:
+ annotations:
+ meta.upbound.io/example-id: dynamodb/v1beta1/globaltable
 name: finance-table
 spec:
- deletionPolicy: Delete
+ providerConfigRef:
+ name: aws-provider-config
 forProvider:
+ attribute:
+ - name: myAttribute
+ type: S
+ hashKey: myAttribute
+ readCapacity: 1
+ writeCapacity: 1
 region: eu-west-2
- attributeDefinitions:
- - attributeName: id
- attributeType: S
- keySchema:
- - attributeName: id
- keyType: HASH
- billingMode: PROVISIONED
- provisionedThroughput:
- readCapacityUnits: 1
- writeCapacityUnits: 1
 tags:
- - key: "owner"
- value: "finance"
- providerConfigRef:
- name: aws-provider-config
\ No newline at end of file
+ owner: finance
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/template.yaml b/examples/gatekeeper/required-tags/template.yaml
index b48bee7e..30a5a77f 100644
--- a/examples/gatekeeper/required-tags/template.yaml
+++ b/examples/gatekeeper/required-tags/template.yaml
@@ -8,7 +8,6 @@ spec:
 names:
 kind: AwsRequiredTags
 validation:
- # Schema for the `parameters` field
 openAPIV3Schema:
 type: object
 properties:
@@ -20,19 +19,11 @@ spec:
 - target: admission.k8s.gatekeeper.sh
 rego: |
 package awsrequiredtags
- import future.keywords.every
 
 violation[{"msg": msg}] {
- endswith(input.review.kind.group, "aws.crossplane.io")
- not startswith(input.review.kind.kind, "ProviderConfig")
- not input.review.object.spec.forProvider.tags
- msg := sprintf("Attempting to provision a resource without tags, the following tags are required '%v'", [input.parameters.tags])
- }
-
- violation[{"msg": msg}] {
- some requested_tag in input.parameters.tags
- every i in input.review.object.spec.forProvider.tags {
- requested_tag != i.key
- }
- msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [input.review.object.spec.forProvider.tags, input.parameters.tags])
+ input.review.kind.group == "dynamodb.aws.upbound.io"
+ some i
+ required_tag := input.parameters.tags[i]
+ not input.review.object.spec.forProvider.tags[required_tag]
+ msg := sprintf("Attempting to provision a resource without the required tag '%v'", [required_tag])
 }
\ No newline at end of file
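Review bot: The new rule only fires when the key is absent from `spec.forProvider.tags`: `not input.review.object.spec.forProvider.tags[required_tag]` is satisfied by an undefined reference, but a present key with an empty value (`owner: ""`) yields a defined string, so `not` is false and the object is admitted untagged in practice. A second `violation` rule rejecting blank values closes that gap and keeps the message specific. Separately, hard-coding `input.review.kind.group == "dynamodb.aws.upbound.io"` inside the template duplicates the kind selection the constraint's `match.kinds` already performs and stops this template being reused for any other upbound group (the old `endswith(input.review.kind.group, "aws.crossplane.io")` covered every AWS kind); consider `endswith(input.review.kind.group, ".aws.upbound.io")`, or drop the line and let each constraint choose its kinds. The rego body shown is complete within the hunk, with the surrounding `rego: |` block continuing into YAML above it.
```rego
violation[{"msg": msg}] {
  input.review.kind.group == "dynamodb.aws.upbound.io"
  # … unchanged: missing-key check and its msg …
}

# Reject required tags that are present but blank; admission only sees
# the key above, so "owner: \"\"" would otherwise pass.
violation[{"msg": msg}] {
  input.review.kind.group == "dynamodb.aws.upbound.io"
  some i
  required_tag := input.parameters.tags[i]
  trim_space(input.review.object.spec.forProvider.tags[required_tag]) == ""
  msg := sprintf("Required tag '%v' is present but has an empty value", [required_tag])
}
```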