From 82cbb1064e8d3d7db66cb14b3fe5b9522fdb4790 Mon Sep 17 00:00:00 2001
From: Luis Silva
Date: Wed, 22 Jan 2025 12:29:04 +0000
Subject: [PATCH 1/2] feat(helm): support admission control failurePolicy configuration

---
 .../internal/config-shape.yaml | 1 +
 .../internal/defaults/30-base-config.yaml.htpl | 1 +
 .../templates/admission-controller.yaml | 4 ++--
 .../values-public.yaml.example | 4 ++++
 .../helmtest/admission-control.test.yaml | 18 ++++++++++++++++++
 5 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml b/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
index 6b0584d46143b..94cac66b8d49f 100644
--- a/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
+++ b/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
@@ -113,6 +113,7 @@ admissionControl:
 hostAliases: null # [dict]
 priorityClassName: null # string
 namespaceSelector: null # dict
+ failurePolicy: null # string
 collector:
 forceCollectionMethod: null # bool
 collectionMethod: null # string
diff --git a/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
index 0b6a876c3ebb7..3abd5b6d169ad 100644
--- a/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
@@ -76,6 +76,7 @@ admissionControl:
 timeout: 10
 enforceOnUpdates: false
 replicas: 3
+ failurePolicy: Ignore
 affinity:
 nodeAffinity:
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
index 16193f6e13edc..cbf3b7cbfc118 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
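Review bot: The new `failurePolicy: Ignore` default in `30-base-config.yaml.htpl` keeps the webhooks fail-open, which is what the template hard-coded before, but nothing in the defaults file says what the setting trades off, and this is where operators will look before switching it. A comment above the key such as `# Ignore lets the API server admit requests while the admission controller is unreachable; Fail rejects them instead` would make the choice explicit. The accepted values appear only in `values-public.yaml.example` (`Ignore|Fail`); repeating them here, or widening the `# string` annotation in the `config-shape.yaml` hunk to `# string (Ignore|Fail)`, keeps the three files in step. The enclosing `admissionControl:` mapping starts outside the hunk.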
+++ b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
@@ -235,7 +235,7 @@ webhooks:
 - kube-public
 - istio-system
 {{- end }}
- failurePolicy: Ignore
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service:
@@ -261,7 +261,7 @@ webhooks:
 - pods
 - pods/exec
 - pods/portforward
- failurePolicy: Ignore
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service:
diff --git a/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example b/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
index b7336cf713ac4..4bd2a16398065 100644
--- a/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
+++ b/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
@@ -307,6 +307,10 @@
 # cert: null
 # key: null
 #
+# # Failure Policy from the admission configuration
+# # Available values: Ignore|Fail
+# failurePolicy: Ignore
+#
 ## Collector specific configuration.
 #collector:
 #
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
index 8924b27fa47e3..5090503d3c8ed 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
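Review bot: If `._rox.admissionControl.failurePolicy` is ever nil when this line renders, the output is a bare `failurePolicy:`, which YAML reads as null; for `admissionregistration.k8s.io/v1` webhook configurations the API server then defaults the field to `Fail`, so the webhook silently becomes fail-closed, the opposite of the `Ignore` default this PR documents. The `| quote` added in the second commit does not change this, since as far as I recall Sprig's `quote` omits nil arguments rather than rendering `""`. Whether a nil can reach the template depends on how the chart merges the `30-base-config` defaults with user-supplied values, which is outside this hunk; if it can (for example a user setting `failurePolicy: null`), `failurePolicy: {{ ._rox.admissionControl.failurePolicy | default "Ignore" | quote }}` keeps the documented default. The same applies to the second hunk of this file at line 261. The `webhooks:` entry these lines belong to starts outside the hunk.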
@@ -161,3 +161,21 @@ tests:
 - istio-system
 expect: |
 .validatingwebhookconfigurations[].webhooks[].namespaceSelector.matchExpressions | assertThat(length == 2)
+
+- name: "Admission Controller Failure Policy"
+ tests:
+ - name: "default failure policy ignore"
+ values:
+ admissionControl:
+ listenOnCreates: true
+ listenOnEvents: false
+ expect: |
+ .validatingwebhookconfigurations[].webhooks[].failurePolicy | assertThat(. == "Ignore")
+ - name: "override failurePolicy to fail"
+ values:
+ admissionControl:
+ listenOnCreates: true
+ listenOnEvents: false
+ failurePolicy: "Fail"
+ expect: |
+ .validatingwebhookconfigurations[].webhooks[].failurePolicy | assertThat(. == "Fail")

From 81f27fc24d1ff50c5d2c0b09edd7dff12386daad Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Thu, 23 Jan 2025 09:58:47 +0100
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Moritz Clasmeier <111092021+mclasmeier@users.noreply.github.com>
---
 .../templates/admission-controller.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
index cbf3b7cbfc118..42f55507da652 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
+++ b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
@@ -235,7 +235,7 @@ webhooks:
 - kube-public
 - istio-system
 {{- end }}
- failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy | quote }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service:
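Review bot: Both new cases pin the rendered value, but there is no case for a value outside `Ignore|Fail`, and nothing in this PR's template hunks rejects one, so a typo such as `ignore` renders a clean manifest and fails only at the API server; if the template gains a validity check, a third case asserting that rendering fails would lock it in. The cases also set `listenOnCreates: true` and `listenOnEvents: false` without saying why — presumably the `ValidatingWebhookConfiguration` is only emitted when at least one listener is enabled, which is worth confirming against the template; a comment such as `# listenOnCreates must be on for the webhook configuration to be rendered at all` above the first `values:` would spare the next reader the detour. The enclosing `tests:` sequence starts outside the hunk.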
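Review bot: Neither this hunk nor the `config-shape.yaml` change (which types the key as a bare `# string`) validates `._rox.admissionControl.failurePolicy` against the two values the API accepts, so a misspelt value such as `fail` or `ignore` renders without complaint and surfaces only as an API-server validation error at install or upgrade time, after the rest of the chart has rendered; I cannot see whether another part of the template checks it. A guard ahead of the first webhook, `{{- if not (has ._rox.admissionControl.failurePolicy (list "Ignore" "Fail")) }}{{- fail "admissionControl.failurePolicy must be 'Ignore' or 'Fail'" }}{{- end }}`, fails fast with a message that names the setting. One check covers both webhooks, since the hunk at line 261 renders the same value. The `webhooks:` entry this line belongs to starts outside the hunk.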
@@ -261,7 +261,7 @@ webhooks:
 - pods
 - pods/exec
 - pods/portforward
- failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy | quote }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service: