
Commit a696953

fix: disk export path to handle dir deletes (#4021)
Signed-off-by: Noah Reisch <noahreisch4@gmail.com> Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com> Co-authored-by: Jaydip Gabani <gabanijaydip@gmail.com>
1 parent f32d56e commit a696953


13 files changed

+33
-23
lines changed


.github/workflows/disk-export.yaml

Lines changed: 3 additions & 3 deletions
@@ -40,9 +40,9 @@ jobs:
4040
make docker-buildx-crds CRD_IMG=gatekeeper-crds:latest
4141
kind load docker-image --name kind gatekeeper-e2e:latest fake-reader:latest gatekeeper-crds:latest
4242
kubectl create ns gatekeeper-system
43-
44-
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG EXPORT_BACKEND=disk FAKE_READER_IMAGE_PULL_POLICY=Never AUDIT_CONNECTION=audit-connection AUDIT_CHANNEL=audit-channel EXPORT_DISK_PATH=/tmp/violations MAX_AUDIT_RESULTS=3 FAKE_READER_IMAGE=fake-reader:latest
45-
43+
44+
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG EXPORT_BACKEND=disk FAKE_READER_IMAGE_PULL_POLICY=Never AUDIT_CONNECTION=audit-connection AUDIT_CHANNEL=audit-channel EXPORT_DISK_MOUNT=/tmp/violations EXPORT_DISK_PATH=/tmp/violations/topics MAX_AUDIT_RESULTS=3 FAKE_READER_IMAGE=fake-reader:latest
45+
4646
make test-e2e ENABLE_EXPORT_TESTS=1 EXPORT_BACKEND=disk
4747
4848
- name: Save logs

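--- a/Makefile
+++ b/Makefile
@@ -41,8 +41,9 @@ HELM_DAPR_EXPORT_ARGS := --set-string auditPodAnnotations.dapr\\.io/enabled=true
 --set-string auditPodAnnotations.dapr\\.io/app-id=audit \
 --set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \
 
-HELM_DISK_EXPORT_ARGS := --set audit.exportVolumeMount.path=${EXPORT_DISK_PATH} \
---set audit.exportConfig.maxAuditResults=${MAX_AUDIT_RESULTS} \
+HELM_DISK_EXPORT_ARGS := --set audit.exportVolumeMount.path=${EXPORT_DISK_MOUNT} \
+--set audit.exportConnection.path=${EXPORT_DISK_PATH} \
+--set audit.exportConnection.maxAuditResults=${MAX_AUDIT_RESULTS} \
 --set audit.exportSidecar.image=${FAKE_READER_IMAGE} \
 --set audit.exportSidecar.imagePullPolicy=${FAKE_READER_IMAGE_PULL_POLICY} \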
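Review bot: `HELM_DISK_EXPORT_ARGS` now expands `${EXPORT_DISK_MOUNT}` for the volume mount path, but this hunk adds no default for it, so a caller that only sets EXPORT_DISK_PATH (which was sufficient before this change) renders `audit.exportVolumeMount.path=` empty and the chart emits an invalid volumeMount. Unless a default already exists elsewhere in the Makefile (the variable block is outside this hunk), add `EXPORT_DISK_MOUNT ?= /tmp/violations` next to the other export defaults. It would also help to document beside the variable that EXPORT_DISK_PATH must be a subdirectory of EXPORT_DISK_MOUNT, since the README added in this commit states that requirement and the commit title indicates the disk driver relies on being able to delete directories under the mount.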

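--- a/cmd/build/helmify/static/README.md
+++ b/cmd/build/helmify/static/README.md
@@ -236,7 +236,8 @@ information._
 | audit.exportVolume | (alpha) Volume for audit pod to export violations. | `{"name":"tmp-violations","emptyDir":{}}` |
 | audit.exportVolumeMount.path | (alpha) VolumeMount for audit pod manager container to export violations and sidecar container to read from. | `/tmp/violations` |
 | audit.exportSidecar | (alpha) Sidecar container to read violations from disk. | `{"name":"reader","image":"ghcr.io/open-policy-agent/fake-reader:latest","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/tmp/violations","name":"tmp-violations"}]}` |
-| audit.exportConfig.maxAuditResults | (alpha) Maximum number of audit results that can be stored in the export path. | 3 |
+| audit.exportConnection.path | (alpha) Path for audit pod manager container to export violations and sidecar container to read from. Must be a child of volume mount path so the parent is writable. | `/tmp/violations/topics` |
+| audit.exportConnection.maxAuditResults | (alpha) Maximum number of audit results that can be stored in the export path. | 3 |
 | exportBackend | (alpha) Backend to use for exporting violations, i.e. dapr, disk. | "" |
 | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
 | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |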

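--- a/cmd/build/helmify/static/templates/gatekeeper-audit-violation-export-connection.yaml
+++ b/cmd/build/helmify/static/templates/gatekeeper-audit-violation-export-connection.yaml
@@ -8,6 +8,6 @@ metadata:
 spec:
 driver: '{{ .Values.exportBackend }}'
 config:
-path: "{{ .Values.audit.exportVolumeMount.path }}"
-maxAuditResults: {{ .Values.audit.exportConfig.maxAuditResults }}
+path: "{{ .Values.audit.exportConnection.path }}"
+maxAuditResults: {{ .Values.audit.exportConnection.maxAuditResults }}
 {{- end }}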

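--- a/cmd/build/helmify/static/values.yaml
+++ b/cmd/build/helmify/static/values.yaml
@@ -233,7 +233,8 @@ controllerManager:
 disableGenerateOperation: true
 exportBackend: ""
 audit:
-exportConfig:
+exportConnection:
+path: /tmp/violations/topics
 maxAuditResults: 3
 exportVolumeMount:
 path: /tmp/violations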

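--- a/config/samples/connection_v1alpha1_connection.yaml
+++ b/config/samples/connection_v1alpha1_connection.yaml
@@ -6,5 +6,5 @@ metadata:
 spec:
 driver: "disk"
 config:
-path: "/tmp/violations"
+path: "/tmp/violations/topics"
 maxAuditResults: 3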

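--- a/manifest_staging/charts/gatekeeper/README.md
+++ b/manifest_staging/charts/gatekeeper/README.md
@@ -236,7 +236,8 @@ information._
 | audit.exportVolume | (alpha) Volume for audit pod to export violations. | `{"name":"tmp-violations","emptyDir":{}}` |
 | audit.exportVolumeMount.path | (alpha) VolumeMount for audit pod manager container to export violations and sidecar container to read from. | `/tmp/violations` |
 | audit.exportSidecar | (alpha) Sidecar container to read violations from disk. | `{"name":"reader","image":"ghcr.io/open-policy-agent/fake-reader:latest","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/tmp/violations","name":"tmp-violations"}]}` |
-| audit.exportConfig.maxAuditResults | (alpha) Maximum number of audit results that can be stored in the export path. | 3 |
+| audit.exportConnection.path | (alpha) Path for audit pod manager container to export violations and sidecar container to read from. Must be a child of volume mount path so the parent is writable. | `/tmp/violations/topics` |
+| audit.exportConnection.maxAuditResults | (alpha) Maximum number of audit results that can be stored in the export path. | 3 |
 | exportBackend | (alpha) Backend to use for exporting violations, i.e. dapr, disk. | "" |
 | replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
 | podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |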

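--- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-violation-export-connection.yaml
+++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-audit-violation-export-connection.yaml
@@ -8,6 +8,6 @@ metadata:
 spec:
 driver: '{{ .Values.exportBackend }}'
 config:
-path: "{{ .Values.audit.exportVolumeMount.path }}"
-maxAuditResults: {{ .Values.audit.exportConfig.maxAuditResults }}
+path: "{{ .Values.audit.exportConnection.path }}"
+maxAuditResults: {{ .Values.audit.exportConnection.maxAuditResults }}
 {{- end }}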

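--- a/manifest_staging/charts/gatekeeper/values.yaml
+++ b/manifest_staging/charts/gatekeeper/values.yaml
@@ -233,7 +233,8 @@ controllerManager:
 disableGenerateOperation: true
 exportBackend: ""
 audit:
-exportConfig:
+exportConnection:
+path: /tmp/violations/topics
 maxAuditResults: 3
 exportVolumeMount:
 path: /tmp/violations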

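--- a/pkg/controller/export/export_connection_controller.go
+++ b/pkg/controller/export/export_connection_controller.go
@@ -156,6 +156,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 if deleted {
 err := r.system.CloseConnection(request.Name)
 if err != nil {
+log.Error(err, "failed to close connection", "name", request.Name)
 return reconcile.Result{Requeue: true}, deleteStatus(ctx, r.writer, request.Namespace, request.Name, r.getPod)
 }
 log.Info("removed connection", "name", request.Name)
@@ -172,6 +173,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, request reconcile.Request) (
 
 err = r.system.UpsertConnection(ctx, connObj.Spec.Config.Value, request.Name, connObj.Spec.Driver)
 if err != nil {
+log.Error(err, "failed to upsert connection", "name", request.Name)
 // Reset the active connection status to false if UpsertConnection fails
 activeConnection := false
 return reconcile.Result{Requeue: true}, updateOrCreateConnectionPodStatus(ctx, r.reader, r.writer, r.scheme, connObj, []*statusv1alpha1.ConnectionError{{Type: statusv1alpha1.UpsertConnectionError, Message: err.Error()}}, &activeConnection, r.getPod)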
