feat: adding driver to export to disk #3832

Merged: 39 commits, May 6, 2025
Changes from 34 commits

39 commits
a64a5f1
adding driver to export to disk
JaydipGabani Mar 1, 2025
6178055
fixing lint
JaydipGabani Mar 1, 2025
eeac8e8
fixing disk export workflow name
JaydipGabani Mar 1, 2025
83169e5
fixing disk export tests
JaydipGabani Mar 2, 2025
758396a
fixing disk-export test
JaydipGabani Mar 2, 2025
c73ed2b
fixing disk-export test
JaydipGabani Mar 2, 2025
1f1c1ea
fixing disk-export test
JaydipGabani Mar 2, 2025
f0b06fe
adding docs for disk driver
JaydipGabani Mar 5, 2025
9ddd781
cleaning up disk driver
JaydipGabani Mar 14, 2025
08f0a70
adding reader dockerfile to dependabot config
JaydipGabani Mar 17, 2025
e4bf31e
updating dockerfile for fake-reader
JaydipGabani Mar 18, 2025
2a52f44
addressing feedback and cleaning up code
JaydipGabani Mar 24, 2025
4750879
fixing lint
JaydipGabani Mar 25, 2025
b56f99d
fixing error msg
JaydipGabani Mar 25, 2025
ab3412f
splitting via error type to make sure types of errors stored are dete…
JaydipGabani Mar 25, 2025
5754afe
updating docs
JaydipGabani Mar 25, 2025
185eb5b
updating docs
JaydipGabani Mar 25, 2025
80409b9
adding sidecar to helmcharts
JaydipGabani Mar 25, 2025
087da56
updating logs and fixing indent error
JaydipGabani Mar 25, 2025
319b942
fixing audit helm charts to include volumes and sidecar
JaydipGabani Mar 25, 2025
2460997
updating docs, addressing nits
JaydipGabani Mar 26, 2025
5926e7a
putting audit start/end message export behind export flag
JaydipGabani Mar 26, 2025
da118f5
adding connection config for disk export to helm charts
JaydipGabani Mar 26, 2025
1f1cd52
cleaning up disk driver and fixing permission issue
JaydipGabani Apr 2, 2025
601095b
fixing tests
JaydipGabani Apr 2, 2025
e4402e7
updating docs, adding default sidecar values in charts
JaydipGabani Apr 2, 2025
567ec39
updating tests
JaydipGabani Apr 3, 2025
4812780
fixing tests
JaydipGabani Apr 3, 2025
2aae258
fixing export test ci
JaydipGabani Apr 3, 2025
3041793
updating docs to use published fake-reader image
JaydipGabani Apr 3, 2025
d367c32
Merge branch 'master' into disk-driver
JaydipGabani Apr 5, 2025
02a6fc1
Merge branch 'master' into disk-driver
JaydipGabani Apr 21, 2025
6e58ee2
Merge branch 'master' into disk-driver
JaydipGabani Apr 25, 2025
19ffcd6
updating actions to latest versions, updating docs
JaydipGabani Apr 25, 2025
ad3c19d
addressing feedback
JaydipGabani Apr 28, 2025
86059e9
Merge branch 'master' into disk-driver
JaydipGabani Apr 28, 2025
ab3d310
updating docs
JaydipGabani May 5, 2025
584c249
Merge branch 'master' into disk-driver
JaydipGabani May 5, 2025
f5d9bdc
Merge branch 'master' into disk-driver
ritazh May 5, 2025
14 changes: 14 additions & 0 deletions .github/dependabot.yml
@@ -63,3 +63,17 @@ updates:
interval: "weekly"
commit-message:
prefix: "chore"

- package-ecosystem: "docker"
directory: "/test/export/fake-subscriber"
schedule:
interval: "weekly"
commit-message:
prefix: "chore"

- package-ecosystem: "docker"
directory: "/test/export/fake-reader"
schedule:
interval: "weekly"
commit-message:
prefix: "chore"
4 changes: 2 additions & 2 deletions .github/workflows/dapr-export.yaml
Expand Up @@ -50,8 +50,8 @@ jobs:
kind load docker-image --name kind gatekeeper-e2e:latest gatekeeper-crds:latest
kubectl create ns gatekeeper-system
make e2e-publisher-deploy
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG
make test-e2e ENABLE_EXPORT_TESTS=1
make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG AUDIT_CHANNEL=audit-channel EXPORT_BACKEND=dapr
make test-e2e ENABLE_EXPORT_TESTS=1 EXPORT_BACKEND=dapr

- name: Save logs
if: ${{ always() }}
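Review bot: the dapr deploy line now sets `AUDIT_CHANNEL=audit-channel` and `EXPORT_BACKEND=dapr` but, unlike the disk workflow, never sets `AUDIT_CONNECTION`, while `HELM_EXPORT_ARGS` in the Makefile passes `--set audit.connection=${AUDIT_CONNECTION}` unconditionally. Whatever default the Makefile gives that variable (not visible in this diff) therefore has to match the connection name the dapr test expects, or the chart value arrives empty. Passing `AUDIT_CONNECTION=...` explicitly here, as `disk-export.yaml` does, makes both workflows self-describing and removes the dependency on a hidden default.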
61 changes: 61 additions & 0 deletions .github/workflows/disk-export.yaml
@@ -0,0 +1,61 @@
name: disk-export
on:
push:
paths:
- "pkg/export/dapr"
- "pkg/export/disk"
- "test/export/**"
pull_request:
paths:
- "pkg/export/dapr"
- "pkg/export/disk"
- "test/export/**"
permissions: read-all

jobs:
disk_test:
name: "Disk export test"
runs-on: ubuntu-22.04
timeout-minutes: 15
steps:
- name: Harden Runner
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
with:
egress-policy: audit

- name: Check out code into the Go module directory
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Bootstrap e2e
run: |
mkdir -p $GITHUB_WORKSPACE/bin
echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
make e2e-bootstrap

- name: Run e2e
run: |
make docker-buildx IMG=gatekeeper-e2e:latest
make e2e-build-load-externaldata-image
make e2e-reader-build-image
make docker-buildx-crds CRD_IMG=gatekeeper-crds:latest
kind load docker-image --name kind gatekeeper-e2e:latest fake-reader:latest gatekeeper-crds:latest
kubectl create ns gatekeeper-system

make e2e-helm-deploy HELM_REPO=gatekeeper-e2e HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest ENABLE_EXPORT=true LOG_LEVEL=DEBUG EXPORT_BACKEND=disk FAKE_READER_IMAGE_PULL_POLICY=Never AUDIT_CONNECTION=audit-connection AUDIT_CHANNEL=audit-channel EXPORT_DISK_PATH=/tmp/violations MAX_AUDIT_RESULTS=3 FAKE_READER_IMAGE=fake-reader:latest

make test-e2e ENABLE_EXPORT_TESTS=1 EXPORT_BACKEND=disk

- name: Save logs
if: ${{ always() }}
run: |
kubectl logs -n gatekeeper-system -l control-plane=audit-controller -c manager --tail=-1 > logs-audit-manager.json
kubectl logs -n gatekeeper-system -l control-plane=audit-controller -c reader --tail=-1 > logs-audit-export.json

- name: Upload artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
if: ${{ always() }}
with:
name: export-logs
path: |
logs-*.json
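Review bot: the `paths` filters `pkg/export/dapr` and `pkg/export/disk` carry no glob, so a push that only touches files inside those directories does not trigger this workflow (`test/export/**` is the form that does what is intended); they should read `pkg/export/dapr/**` and `pkg/export/disk/**`. Two smaller points in the same hunk: the Save logs step reads container `reader`, whereas `HELM_EXPORT_VARIABLES` in the Makefile names the sidecar `go-sub`, so confirm which name the chart actually renders, because a wrong `-c` makes `kubectl logs` fail and leaves the `export-logs` artifact without the reader output; and `egress-policy: audit` on harden-runner only records egress, so once the endpoints this job needs are known (image pulls, kind, helm), `block` with an allow-list is the stronger setting for a job that builds and loads images.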

125 changes: 68 additions & 57 deletions Makefile
@@ -37,6 +37,38 @@ NODE_VERSION ?= 16-bullseye-slim
YQ_VERSION ?= 4.30.6

HELM_ARGS ?=
HELM_DAPR_EXPORT_ARGS := --set-string auditPodAnnotations.dapr\\.io/enabled=true \
--set-string auditPodAnnotations.dapr\\.io/app-id=audit \
--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \

HELM_DISK_EXPORT_ARGS := --set audit.exportVolumeMount.path=${EXPORT_DISK_PATH} \
--set audit.exportConfig.maxAuditResults=${MAX_AUDIT_RESULTS} \
--set audit.exportSidecar.image=${FAKE_READER_IMAGE} \
--set audit.exportSidecar.imagePullPolicy=${FAKE_READER_IMAGE_PULL_POLICY} \

HELM_EXPORT_ARGS := --set enableViolationExport=${ENABLE_EXPORT} \
--set audit.connection=${AUDIT_CONNECTION} \
--set audit.channel=${AUDIT_CHANNEL} \
--set exportBackend=${EXPORT_BACKEND} \

HELM_EXTRA_ARGS := --set image.repository=${HELM_REPO} \
--set image.crdRepository=${HELM_CRD_REPO} \
--set image.release=${HELM_RELEASE} \
--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;\

GATEKEEPER_NAMESPACE ?= gatekeeper-system

# When updating this, make sure to update the corresponding action in
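Review bot: `HELM_EXTRA_ARGS` folds `defaultCreateVAPForTemplates=${GENERATE_VAP}` and `defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING}` into the shared block, so the export-enabled deploy now receives them too (the old export branch did not set them). That is a sensible consolidation, but neither export workflow sets `GENERATE_VAP` or `GENERATE_VAPBINDING`, so check that the Makefile defaults for those two variables are what the export tests expect. Style nit: each of the four new variables ends with a backslash continuation onto an empty line (`--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \` followed by a blank), which make joins into a trailing space; dropping the final backslash on each block makes the definitions easier to read and to extend.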
@@ -48,6 +80,8 @@ GOLANGCI_LINT_CACHE := $(shell pwd)/.tmp/golangci-lint

BENCHMARK_FILE_NAME ?= benchmarks.txt
FAKE_SUBSCRIBER_IMAGE ?= fake-subscriber:latest
FAKE_READER_IMAGE ?= fake-reader:latest
FAKE_READER_IMAGE_PULL_POLICY ?= IfNotPresent

ROOT_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
BIN_DIR := $(abspath $(ROOT_DIR)/bin)
@@ -106,6 +140,29 @@ MANAGER_IMAGE_PATCH := "apiVersion: apps/v1\
\n - --log-level=${LOG_LEVEL}\
\n"

HELM_EXPORT_VARIABLES := "audit:\
\n exportVolume:\
\n name: tmp-violations\
\n emptyDir: {}\
\n exportSidecar:\
\n name: go-sub\
\n image: ${FAKE_READER_IMAGE}\
\n imagePullPolicy: ${FAKE_READER_IMAGE_PULL_POLICY}\
\n securityContext:\
\n allowPrivilegeEscalation: false\
\n capabilities:\
\n drop:\
\n - ALL\
\n readOnlyRootFilesystem: true\
\n runAsGroup: 999\
\n runAsNonRoot: true\
\n runAsUser: 1000\
\n seccompProfile:\
\n type: RuntimeDefault\
\n volumeMounts:\
\n - mountPath: /tmp/violations\
\n name: tmp-violations"

# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
GOBIN=$(shell go env GOPATH)/bin
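Review bot: `mountPath: /tmp/violations` in `HELM_EXPORT_VARIABLES` is hardcoded while `e2e-helm-deploy` takes the audit-side mount from `${EXPORT_DISK_PATH}`; derive both from the same variable so the reader sidecar and the audit container cannot end up mounting different paths. The sidecar securityContext (drop `ALL`, `readOnlyRootFilesystem`, `runAsNonRoot`, `RuntimeDefault` seccomp) is the right baseline for a container that only needs to read a shared emptyDir; since it runs as uid 1000 / gid 999, confirm the audit manager writes the export files with permissions readable by that identity (the `fixing permission issue` commit suggests this bit already), otherwise the mismatch surfaces as unreadable files rather than a clear error. Also, nothing in this diff consumes `HELM_EXPORT_VARIABLES`; if it feeds a values file in a target outside the shown hunks, a comment saying so would help, otherwise it is dead.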
@@ -202,53 +259,20 @@ e2e-helm-install:
cd .staging/helm && tar -xvf helmbin.tar.gz
./.staging/helm/linux-amd64/helm version --client

e2e-helm-deploy: e2e-helm-install
e2e-helm-deploy: e2e-helm-install $(LOCALBIN)
ifeq ($(ENABLE_EXPORT),true)
./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
--namespace ${GATEKEEPER_NAMESPACE} \
--debug --wait \
--set image.repository=${HELM_REPO} \
--set image.crdRepository=${HELM_CRD_REPO} \
--set image.release=${HELM_RELEASE} \
--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set enableViolationExport=${ENABLE_EXPORT} \
--set audit.connection=${AUDIT_CONNECTION} \
--set audit.channel=${AUDIT_CHANNEL} \
--set-string auditPodAnnotations.dapr\\.io/enabled=true \
--set-string auditPodAnnotations.dapr\\.io/app-id=audit \
--set-string auditPodAnnotations.dapr\\.io/metrics-port=9999 \
--set logLevel=${LOG_LEVEL} \
--set mutationAnnotations=true;
$(HELM_EXPORT_ARGS) \
$(if $(filter disk,$(EXPORT_BACKEND)),$(HELM_DISK_EXPORT_ARGS)) \
$(if $(filter dapr,$(EXPORT_BACKEND)),$(HELM_DAPR_EXPORT_ARGS)) \
$(HELM_EXTRA_ARGS)
else
./.staging/helm/linux-amd64/helm install manifest_staging/charts/gatekeeper --name-template=gatekeeper \
--namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
--debug --wait \
--set image.repository=${HELM_REPO} \
--set image.crdRepository=${HELM_CRD_REPO} \
--set image.release=${HELM_RELEASE} \
--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;
$(HELM_EXTRA_ARGS)
endif

e2e-helm-upgrade-init: e2e-helm-install
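Review bot: `$(if $(filter disk,$(EXPORT_BACKEND)),...)` and its dapr twin silently contribute nothing when `EXPORT_BACKEND` is unset or misspelled, while `HELM_EXPORT_ARGS` still passes `--set exportBackend=${EXPORT_BACKEND}`, so a typo deploys with export enabled and no backend-specific values and only fails later in the e2e run. A guard inside the `ifeq ($(ENABLE_EXPORT),true)` branch, e.g. `$(if $(filter disk dapr,$(EXPORT_BACKEND)),,$(error EXPORT_BACKEND must be disk or dapr))`, fails fast with a readable message. Pre-existing but worth aligning while this recipe is rewritten: the export branch omits the `--create-namespace` that the non-export branch keeps, which is why both workflows have to run `kubectl create ns gatekeeper-system` first.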
@@ -273,23 +297,7 @@ e2e-helm-upgrade:
./.staging/helm/linux-amd64/helm upgrade gatekeeper manifest_staging/charts/gatekeeper \
--namespace ${GATEKEEPER_NAMESPACE} \
--debug --wait \
--set image.repository=${HELM_REPO} \
--set image.crdRepository=${HELM_CRD_REPO} \
--set image.release=${HELM_RELEASE} \
--set postInstall.labelNamespace.image.repository=${HELM_CRD_REPO} \
--set postInstall.labelNamespace.image.tag=${HELM_RELEASE} \
--set postInstall.labelNamespace.enabled=true \
--set postInstall.probeWebhook.enabled=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set admissionEventsInvolvedNamespace=true \
--set auditEventsInvolvedNamespace=true \
--set disabledBuiltins={http.send} \
--set logMutations=true \
--set logLevel=${LOG_LEVEL} \
--set defaultCreateVAPForTemplates=${GENERATE_VAP} \
--set defaultCreateVAPBindingForConstraints=${GENERATE_VAPBINDING} \
--set mutationAnnotations=true;\
$(HELM_EXTRA_ARGS)

e2e-subscriber-build-load-image:
docker buildx build --platform="linux/amd64" -t ${FAKE_SUBSCRIBER_IMAGE} --load -f test/export/fake-subscriber/Dockerfile test/export/fake-subscriber
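Review bot: `e2e-helm-upgrade` passes only `HELM_EXTRA_ARGS`, so an upgrade run against a release that was installed with `ENABLE_EXPORT=true` resets `enableViolationExport`, `exportBackend` and the sidecar/volume values to chart defaults (`helm upgrade` without `--reuse-values` starts from the chart's defaults plus what is passed). If the upgrade test is meant to cover the export path, thread `HELM_EXPORT_ARGS` and the backend-specific args through here as well; if export is intentionally out of scope for the upgrade test, a one-line comment saying so prevents a later surprise.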
@@ -302,7 +310,10 @@ e2e-subscriber-deploy:

e2e-publisher-deploy:
kubectl get secret redis --namespace=default -o yaml | sed 's/namespace: .*/namespace: gatekeeper-system/' | kubectl apply -f -
kubectl apply -f test/export/publish-components.yaml
kubectl apply -f test/export/fake-subscriber/manifest/publish-components.yaml

e2e-reader-build-image:
docker buildx build --platform="$(PLATFORM)" -t ${FAKE_READER_IMAGE} --load -f test/export/fake-reader/Dockerfile test/export/fake-reader

# Build manager binary
manager: generate
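Review bot: `e2e-reader-build-image` builds for `$(PLATFORM)` while `e2e-subscriber-build-load-image` just above hardcodes `linux/amd64`; `PLATFORM` is not defined anywhere in this diff, so confirm it has a default, otherwise the reader build runs with an empty `--platform=`. Minor naming point: the new target does `--load` like its sibling but drops the `-load-image` suffix, so the two targets read as if they did different things.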
3 changes: 2 additions & 1 deletion cmd/build/helmify/main.go
@@ -141,7 +141,8 @@ func (ks *kindSet) Write() error {
obj = "{{- if not .Values.disableAudit }}\n" + obj + "{{- end }}\n"
obj = strings.Replace(obj, " labels:", " labels:\n {{- include \"gatekeeper.podLabels\" . | nindent 8 }}\n {{- include \"audit.podLabels\" . | nindent 8 }}\n {{- include \"gatekeeper.commonLabels\" . | nindent 8 }}", 1)
obj = strings.Replace(obj, " priorityClassName: system-cluster-critical", " {{- if .Values.audit.priorityClassName }}\n priorityClassName: {{ .Values.audit.priorityClassName }}\n {{- end }}", 1)
obj = strings.Replace(obj, " - emptyDir: {}", " {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
obj = strings.Replace(obj, " name: tmp-volume", " name: tmp-volume\n {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - mountPath: {{ .Values.audit.exportVolumeMount.path }}\n name: {{ .Values.audit.exportVolume.name }}\n {{- end }}\n {{ if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - {{ toYaml .Values.audit.exportSidecar | nindent 8 }}\n {{- end }}", 1)
obj = strings.Replace(obj, " - emptyDir: {}", " {{- if and (.Values.enableViolationExport) (eq (.Values.exportBackend | default \"\" | lower) \"disk\") }}\n - {{- toYaml .Values.audit.exportVolume | nindent 8 }}\n {{- end }}\n {{- if .Values.audit.writeToRAMDisk }}\n - emptyDir:\n medium: Memory\n {{ else }}\n - emptyDir: {}\n {{- end }}", 1)
}

if name == "gatekeeper-manager-role" && kind == "Role" {
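Review bot: the condition `and (.Values.enableViolationExport) (eq (.Values.exportBackend | default "" | lower) "disk")` is repeated three times across these two replacements; a named template in the chart's helpers would keep the three renderings from drifting when the backend check changes. In the `name: tmp-volume` replacement the second block opens with `{{ if and ...` without the dash, whereas every other action here uses `{{- if`, which leaves a whitespace-only line in the rendered Deployment. More fragile is that the sidecar container is spliced in by string position right after the `tmp-volume` mount, so it only lands inside `containers` if `tmp-volume` is the last volumeMount of the last container in the generated manifest; a comment stating that assumption, or a chart test that renders with `exportBackend=disk` and asserts the sidecar appears under `containers` and the volume under `volumes`, would protect it.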