feat: adding driver to export to disk

[JaydipGabani]

What this PR does / why we need it: Adding driver to export violation on disk.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes ##1037

Special notes for your reviewer:

[JaydipGabani]

Working on docs still.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 64.25532% with 84 lines in your changes missing coverage. Please review.

Project coverage is 48.04%. Comparing base (3350319) to head (f5d9bdc).
Report is 334 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/export/disk/disk.go	71.90%	39 Missing and 20 partials ⚠️
pkg/audit/manager.go	0.00%	22 Missing ⚠️
pkg/export/util/util.go	0.00%	2 Missing ⚠️
pkg/controller/export/export_config_controller.go	0.00%	1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (f5d9bdc). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (3350319)	HEAD (f5d9bdc)
unittests	2	1

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3832      +/-   ##
==========================================
- Coverage   54.49%   48.04%   -6.46%     
==========================================
  Files         134      236     +102     
  Lines       12329    20124    +7795     
==========================================
+ Hits         6719     9669    +2950     
- Misses       5116     9544    +4428     
- Partials      494      911     +417     

Flag	Coverage Δ
unittests	48.04% <64.25%> (-6.46%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[JaydipGabani]

Should this be an error or log?

[JaydipGabani]

This can lead to memory consumption if by any chance driver returns unique error for all violations instead of returning one. Instead, we can modify returned error type to ExportError and use error type as keys to limit the number of errors we are storing in map. Do folks think this is a way to go about limiting the number of errors stored? I am open to other suggestions.

I will make the change if we agree to use ExportError because that may need updating interface.

[sozercan]

agreed, your suggestion make sense. if we want to avoid interface changes, another idea might be to extract error category by checking with regex or before : for example

[JaydipGabani]

Parsing the error message and using the string before : as key to store errors.

[Copilot]

PR Overview

This PR adds a new disk export driver for persisting audit violations to the file system and updates related configuration, tests, and documentation.

• Introduces a new disk driver under pkg/export/disk.
• Adds GitHub workflow and test configuration to exercise the disk export.
• Updates documentation to guide users through configuring and using the disk export driver.

Reviewed Changes

File	Description
.github/workflows/disk-export.yaml	Workflow definition to run disk export tests
test/export/fake-reader/.yaml,.go	Test configuration and a fake-reader to simulate exports
website/docs/export.md	Documentation updates for the disk export driver
pkg/export/disk/disk.go	New disk export driver implementation
pkg/export/util/util.go	Utility types updated for export messages
pkg/audit/manager.go	Audit manager updates to integrate disk export; error map
pkg/export/system.go	Updated export system to include the disk driver

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

pkg/export/disk/disk.go:69

• The variable 'err' is never updated in CreateConnection; consider returning 'nil' explicitly to avoid confusion.

return err

pkg/audit/manager.go:263

• [nitpick] Consider defining and using constants for the audit trigger messages ("audit is started" and "audit is completed") to avoid typos and ensure consistency across the codebase.

am.exportSystem.Publish(context.Background(), *auditConnection, *auditChannel, exportutil.ExportMsg{Message: "audit is started", ID: timestamp})

[nreisch]

Why float?

[JaydipGabani]

Because the inherent value is stored in float64 when the object is getting unpacked, so checking and converting to int64 does not work here.

[sozercan]

Suggested change

	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

[sozercan]

nit: merge these

[sozercan]

let's add it here instead of using an arg, and dependabot can bump it. please make sure its covered in dependabot config

[sozercan]

same here

[sozercan]

can we use a const for these to avoid issues?

[sozercan]

same here

[sozercan]

const these?

[sozercan]

same here

[sozercan]

do we want to add this to helm chart with conditional?

[JaydipGabani]

I found it to be more complecated to add a whole sidecar container and its config because unlike adding dapr annotation which adds a container with specification required for dapr sidecar to run. A sidecar reader for purposes beyond just reading and logging would require specific customizations. We can add it but the chart will get more complicated and I do not see the value since we might not be able to make it completly customizable.

[JaydipGabani]

Updated to add helm variables for volume, volumeMount and sidecar as well.

[sozercan]

same for these?

[JaydipGabani]

same as above comment.

[sozercan]

i am confused, isn't this going to add the sidecar to audit automatically? instructions in the prereqs are saying to do this manually

[JaydipGabani]

Made it more clear a bit.

[sozercan]

this might be okay on the website, but copy pasting this have some formatting issues

[JaydipGabani]

yeah this is happening due to indentation. I tested copying from website and I am not seeing any formatting issues.

[sozercan]

I am seeing this \u003, not sure if this is something on my side

2025/03/24 04:25:27 {"id":"2025-03-24T04:24:27Z","details":{},"eventType":"violation_audited","group":"constraints.gatekeeper.sh","version":"v1beta1","kind":"K8sAllowedRepos","name":"repo-is-mcr","message":"container \u003ccoredns\u003e has an invalid image repo \u003cregistry.k8s.io/coredns/coredns:v1.11.3\u003e, allowed repos are [\"quay.io/\"]","enforcementAction":"dryrun","resourceAPIVersion":"v1","resourceKind":"Pod","resourceNamespace":"kube-system","resourceName":"coredns-668d6bf9bc-57xm9","resourceLabels":{"k8s-app":"kube-dns","pod-template-hash":"668d6bf9bc"}}

[JaydipGabani]

Hmm, I have not run into similar issues. How are you testing this?

[sozercan]

using the instructions here on a kind cluster. might be on my side, unless @ritazh can repro too

[sozercan]

agreed, your suggestion make sense. if we want to avoid interface changes, another idea might be to extract error category by checking with regex or before : for example

[sozercan]

LGTM with a few more suggestions

[sozercan]

indent issue i think?

[JaydipGabani]

+1, fixed it.

[sozercan]

using the instructions here on a kind cluster. might be on my side, unless @ritazh can repro too

[sozercan]

is this missing something?

[JaydipGabani]

Fixed the log statement,

[nreisch]

Readers might want to truncate and remove files after processing, but this seems to only grant write if the sidecar container runs as the same user id of the main container. But sidecars might need to run as root or other users. How can we support if sidecar needs to run as root, should we handle this in the permissions?

[JaydipGabani]

Fixed the permissions issue by setting file and dir permissions to allow reader to modify the same if needed.

[ritazh]

remove this ...

[JaydipGabani]

Removed it

[ritazh]

instead of having users do this, can this image be published as one of the Gatekeeper images? built/released/tagged like other GK images.

[ritazh]

To clarify, I'm suggesting to add this as part of the makefile and publish it to the registry so we can use it as a default value in the values.yaml. this is to ensure users have an easy way to test things. they can always replace with their own image.

[JaydipGabani]

Published fake-reader image on ghcr - https://github.com/open-policy-agent/gatekeeper/pkgs/container/fake-reader. This should improve experience trying out this feature with defaults for the first time.

[ritazh]

this can be part of the makefile like docker-buildx-crds

[ritazh]

can this be deployed as part of the chart but conditional on a field in values.yaml? e.g. audit.enableExportToDisk

[ritazh]

same, can this be part of the chart but conditionally install only if the feature is enabled.

[JaydipGabani]

Added this to helm charts.

[ritazh]

this should still be logged in the audit pod log

[JaydipGabani]

This was removed to prevent flood of logs with the same error for each violation in favor of only logging unique errors - https://github.com/open-policy-agent/gatekeeper/pull/3832/files#diff-2a233457fc5c89cf0dd91c044d7582aa1cc0c835feabf4638882ac54ba3ca63aR286.

[sozercan]

lgtm

[ritazh]

please double check these GitHub action versions to ensure they are the latest

[ritazh]

where is the code that pushes ghcr.io/open-policy-agent/fake-reader

[JaydipGabani]

For now I have pushed them manually before building a CI for that.

[ritazh]

As a follow up, please add this to CI. I can see maybe it could have CVEs in the future that we may need to patch.

[JaydipGabani]

+1 This should be added for all sample images as follow up.

[ritazh]

Please check this is the latest

[ritazh]

same

[ritazh]

should we move this step after user has updated their values yaml?

[JaydipGabani]

I am not sure, in quickstart steps user doesnt need to create values.yaml to try it out. So the yaml of variables in values is just a guide and not a requirement for users to try this. By that flow I think this is fine 🤔

[ritazh]

We shouldnt encourage users to use the fake-reader container image in production. IMO we should move this up and then add a warning to replace fake-reader for any production use since its just for demo purpose. WDYT?

[JaydipGabani]

Oh yeah from that point of view moving it down makes sense. I am updating docs.

[JaydipGabani]

Updated docs to move up default values before installing Gk with added warning about production use.

[ritazh]

since this is the default value, should this be removed assuming users have updated their values.yaml or add a comment here to --set audit.exportSidecar.image to override the default?

[JaydipGabani]

+1, removed these values.

[Copilot]

Pull Request Overview

This PR introduces a new disk driver for exporting audit violations to disk and integrates it into the existing export system. Key changes include:

• A new disk driver implementation (pkg/export/disk/disk.go) with connection, publishing, and file handling logic.
• Integration of the disk driver into the supported drivers map and updates to export configuration and audit manager.
• Updates to Helm charts and documentation to support configuration of the disk export backend.

Reviewed Changes

Copilot reviewed 20 out of 26 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
pkg/export/util/util.go	Added export message and error types used by both drivers and audit manager.
pkg/export/system.go	Included the disk driver into the SupportedDrivers map.
pkg/export/disk/disk.go	New implementation of the disk driver with file and connection management.
pkg/controller/export/export_config_controller.go	Updated to lower-case the driver value for consistency.
pkg/audit/manager.go	Propagated export error mapping and adjusted audit response handling.
manifest_staging/charts/gatekeeper/*.yaml and README.md	Updated configuration values and documentation for the disk export backend.
cmd/build/helmify/*	Adjusted templating to support the export disk configuration.
.github/workflows/*.yaml	Added CI jobs to run tests for the disk export functionality.
.github/dependabot.yml	Added updates for docker package ecosystems related to export testing.

Files not reviewed (6)

• Makefile: Language not supported
• cmd/build/helmify/static/templates/gatekeeper-audit-violation-export-config.yaml: Language not supported
• cmd/build/helmify/static/values.yaml: Language not supported
• test/bats/helpers.bash: Language not supported
• test/bats/test.bats: Language not supported
• test/export/fake-reader/Dockerfile: Language not supported

Comments suppressed due to low confidence (1)

pkg/export/disk/disk.go:160

• There is a stray backtick in the error message format string; remove it to correctly format the error message.

if err := os.MkdirAll(dir, 0o777); err != nil { return fmt.Errorf("failed to create directories:` %w", err) }

[ritazh]

Remove ` before %w

[ritazh]

this will prob get bumped by dependabot to use the latest and to avoid CVEs. hence my question that maybe we would need to publish these in the future like all other GK images.

[JaydipGabani]

+1. I will raise a PR as follow up.

[ritazh]

LGTM