John Reese jpreese United States https://reese.dev Software Engineer @plexsystems

jpreese/advent-2019 1

problems from https://adventofcode.com/2019

jpreese/about 0

Sourcegraph blog, feature announcements, and website (about.sourcegraph.com)

jpreese/AbstractFactory 0

Design Patterns Project #1

jpreese/adr-docker 0

Dockerfile for ADR Tools

jpreese/afero 0

A FileSystem Abstraction System for Go

jpreese/alertmanager 0

Prometheus Alertmanager

jpreese/allReady 0

This repo contains the code for allReady, an open-source solution focused on increasing awareness, efficiency and impact of preparedness campaigns as they are delivered by humanitarian and disaster response organizations in local communities.

jpreese/angular 0

One framework. Mobile & desktop.

pull request comment plexsystems/konstraint

[DRAFT] Autogenerate configuration file based on data.inventory

@jalseth and I talked about this briefly offline, and I think we're of the opinion that it feels a bit early for this. While it'd be nice to generate the config off of the policies, and possible in a perfect scenario, it should not be that difficult to manage the configuration outside of Konstraint.

I'd rather wait until the Gatekeeper team fleshes out this behavior more rather than trying to keep up with their changes.

jpreese

comment created time in an hour

push event plexsystems/konstraint

John Reese

commit sha 0f88c5b68800a5eeaa2b3a740092ea4690dcf66e

Let the dog out

push time in 5 hours

delete branch plexsystems/konstraint

delete branch : lib-pass

delete time in 5 hours

delete branch plexsystems/konstraint

delete branch : library-refactor

delete time in 5 hours

PR opened plexsystems/konstraint

Let the dog out

Has not been much of a value add. Caused issues with #50. Probably better off just running native staticcheck et al when we decide to add an alternative in.

+0 -5

0 comment

1 changed file

pr created time in 5 hours

create branch plexsystems/konstraint

branch : remove-dog

created branch time in 5 hours

push event plexsystems/konstraint

James Alseth

commit sha e28f53f0a06e6098c9d249e0c39c716e44d0c74d

fix pod_deny_without_runasnonroot: only apply to pods (#50)

push time in 5 hours

PR merged plexsystems/konstraint

fix pod_deny_without_runasnonroot: only apply to pods

During the changes made to lib.pods, pod_deny_without_runasnonroot was accidentally updated to apply to all resource types. This resolves that as well as a grammar fix.

+9 -7

2 comments

9 changed files

jalseth

pr closed time in 5 hours

PR opened plexsystems/konstraint

Update host alias policy to array

Noticed that the hostAliases check is currently set to true / false, but its data type is an array. While not a bug from a functionality perspective, using an array is more true to the expected type.

+32 -24

0 comment

5 changed files

pr created time in 5 hours

push event plexsystems/konstraint

John Reese

commit sha 7c6b3d8bb0a46989fe23c1d5f0eb1d4c16a072fa

Update host alias policy

push time in 5 hours

create branch plexsystems/konstraint

branch : hostalias-policy

created branch time in 5 hours

push event jpreese/combine-policies

John Reese

commit sha bfb1f713397a4a8e0dda55c2f7a0a1ced32b2914

Initial commit

push time in 7 hours

create branch jpreese/combine-policies

branch : master

created branch time in 7 hours

created repository jpreese/combine-policies

created time in 7 hours

issue comment open-policy-agent/gatekeeper

Add a runbook link to constraints

That would be huge! If rendering the details makes sense to the Gatekeeper team, I'd be more than happy to open a PR.

snuggie12

comment created time in 8 hours

issue comment open-policy-agent/conftest

Add an --admission option

@moshloop we are also actively working on a policy library to support both Conftest and Gatekeeper based policies here: https://github.com/plexsystems/konstraint/tree/main/examples/lib

Importing core and using core.resource in your policies will set the correct prefix.

moshloop

comment created time in 19 hours

issue closed open-policy-agent/conftest

Document the automatic finding of deny/violation rules in Rego policies by conftest

Conftest automatically searches Rego policies for rules that follow the format of the denyQ regex and warnQ regex. We should have some documentation with examples of what rules work and get automatically picked up by conftest.

A markdown file in the docs folder can be added documenting this behaviour.

closed time in 19 hours

Blokje5

issue comment open-policy-agent/conftest

Document the automatic finding of deny/violation rules in Rego policies by conftest

This naming convention is now leveraged for exceptions, which is quite documented. Marking as resolved!

Blokje5

comment created time in 19 hours

issue closed open-policy-agent/conftest

Split command logic into a separate package

Right now most of the logic resides with the commands. E.g. with the Test command, most of the logic to fetch the related configuration files and query Rego policies is stored in functions in the commands package. However this approach has two downsides:

  1. Command Configuration & CLI interaction (e.g. viper calls) are intermixed with the actual logic of the command (querying Rego policies, fetching configuration files), making it hard to test and reuse the logic.
  2. Due to the commands being stored in internal/commands this logic can't be imported into other applications. This could be relevant if people want to write their own plugins.

Instead I would like to propose the following: we split the CLI interaction (which can remain in internal/commands) from the actual logic in the commands. The actual logic can reside in a separate package e.g. runner or action. For each command we would have a "runner", essentially a struct that holds the required configuration options and has a Run method, e.g.:

package runner

import "context"

// TestRunner holds the options the test command needs; the CLI layer
// fills it in from flags/viper and then calls Run.
type TestRunner struct {
  ConfigurationFiles []string
  PolicyDir []string

  // Other configuration options
}

// Run carries out the command logic (fetch the configuration files,
// query the Rego policies) independently of any flag binding or exit codes.
func (t *TestRunner) Run(ctx context.Context) error {
  // Actual logic in here
  return nil
}

This Run method would be called from within the commands. This approach has the following benefits:

  1. It is easier to create unit tests for the commands in go as you would not have to deal with flag binding and exit codes.
  2. The runners can be reused by people wanting to import that logic into their own go applications as we can expose it externally. This does mean we have to maintain the interface so we can start with moving the runners into an internal package until we feel comfortable having the interface exposed.

closed time in 19 hours

Blokje5

issue comment open-policy-agent/conftest

Split command logic into a separate package

Resolved via #327. Thanks @Blokje5! :tada:

Blokje5

comment created time in 19 hours

push event jpreese/conftest

John Reese

commit sha 448266fd090ee1e1b8a333715d6a72e3eda25bb7

Move configuration options to options doc

Signed-off-by: John Reese <john@reese.dev>

push time in 19 hours

PR opened open-policy-agent/conftest

Move configuration options to options doc

For #240

+16 -12

0 comment

2 changed files

pr created time in 19 hours

create branch jpreese/conftest

branch : conftest-options

created branch time in 19 hours

issue closed open-policy-agent/conftest

Expose internal/commands

Lifting the internal/ restriction on the commands pkg would allow for other cobra-based CLIs to embed conftest as sub commands.

closed time in 19 hours

nstogner

issue comment open-policy-agent/conftest

Expose internal/commands

@nstogner @johnharris85 the majority of the packages for conftest are now exposed! Resolving.

nstogner

comment created time in 19 hours

pull request comment plexsystems/konstraint

fix pod_deny_without_runasnonroot: only apply to pods

Definitely looks like it. I'm down to just remove it. Hasn't provided much value anyway.

jalseth

comment created time in a day

issue comment plexsystems/sinker

[Feature] Support update manifest from List type

No problem! Hope it works out for you :)

sudermanjr

comment created time in a day

issue closed plexsystems/promdoc

Add support for specifying a directory or file

The generate command needs to be able to support a directory (or file) as input. Right now the generate command only looks at the current working directory.

$ promdoc generate # creates alerts.md in working directory
$ promdoc generate alerts # creates alerts.md in working directory, searching for alerts in the alerts folder

closed time in a day

jpreese

issue comment plexsystems/promdoc

Add support for specifying a directory or file

Resolved in v0.5.0

jpreese

comment created time in a day

push event plexsystems/promdoc

John Reese

commit sha fa67c47d5089cb7fab22103460c3b31cd372dab0

Update documentation

push time in a day

created tag plexsystems/promdoc

tag v0.5.0

Generate documentation from your Prometheus rules

created time in a day

push event plexsystems/promdoc

John Reese

commit sha be0a98b3e35e6a081efbae96df9817779d622871

Prepare 0.5.0 release

push time in a day

push event plexsystems/promdoc

John Reese

commit sha c8620adcfcabe4d513d10432b112d43b009924ea

Add support for generating specified directory

push time in a day

issue closed plexsystems/promdoc

Change output path to a flag

The current behavior is to pass in the output-dir as a parameter when calling the generate command. i.e.

promdoc generate <output-dir>

The output should be set as an --out flag.

  1. If --out is not set, the default should be creating alerts.md in the current working directory.
  2. If --out is set, the file should be generated to the location specified.
    • NOTE: If out is a directory, the result should be creating alerts.md in that directory, otherwise the location as it appears.

closed time in 2 days

jpreese

issue comment plexsystems/promdoc

Change output path to a flag

Resolved via #8

jpreese

comment created time in 2 days

push event plexsystems/promdoc

Roberto L. Taborda

commit sha 3f799f9b718395e0fa785c96053f542396b299b7

Change output-dir argument to --out flag (#8)

push time in 2 days

PR merged plexsystems/promdoc

Change output-dir argument to --out flag

--out receives a file path or file name.

  • If not set by the user, the flag has a default value of alerts.md.
  • If the flag is set to a directory path, the output will be a file named alerts.md in that path; paths to a directory should finish with "/".
  • If the flag is set to a file name with no path, the current working dir will be used.

This pr addresses issue #7

+22 -14

1 comment

2 changed files

Zelinzky

pr closed time in 2 days

pull request comment plexsystems/promdoc

Change output-dir argument to --out flag

This looks great! Thanks @Zelinzky 🎉

Zelinzky

comment created time in 2 days

push event plexsystems/konstraint

John Reese

commit sha 6018fcc0885660e7a6ecbe09b7c260296ed15315

Add supporting example

push time in 2 days

PR opened plexsystems/konstraint

[DRAFT] Autogenerate configuration file based on data.inventory

@garethahealy

An initial proof of concept for #16 -- the config.yaml was automatically generated based on the src rego.

+269 -3

0 comment

11 changed files

pr created time in 2 days

create branch plexsystems/konstraint

branch : autogen-configfile

created branch time in 2 days

issue opened plexsystems/konstraint

Better error message on missing library

When using the create command on a specific directory, and a rego policy in that directory depends on a library that is in a parent directory, the error states:

Error: get libraries: load files: walk path: lstat : no such file or directory

It took a moment to figure out what was going on--we should expand on this and say which library it could not find.

created time in 2 days

push event plexsystems/konstraint

John Reese

commit sha cd97f7d0db4af02aa5ee6b2818f0a0108280d273

Reduce number of test files during create (#47)

push time in 2 days

PR merged plexsystems/konstraint

Reduce number of test files during create

Just noticed now that we have a lot of examples, the original create test has caused quite a few test files to be generated. This sets it up such that only one file is needed for the test.

+51 -3078

0 comment

48 changed files

jpreese

pr closed time in 2 days

push event plexsystems/konstraint

John Reese

commit sha e7686bfb728148ea7557488bc545a0638a9897d1

Condense container library (#46)

John Reese

commit sha c7c9789273bb29fe18f670f6b385bb4298ac47ae

merge conflicts

push time in 2 days

push event plexsystems/konstraint

John Reese

commit sha e7686bfb728148ea7557488bc545a0638a9897d1

Condense container library (#46)

push time in 2 days

PR merged plexsystems/konstraint

Condense container library

After upgrading to Konstraint v0.6.0 which contains support for recursively adding imports, I noticed that my policies were now updated to include the pods library. However, they all worked previously without needing to import it before.

Giving the libraries a closer look, noticed that a large portion of the pods/containers pieces can be shortened.

Any thoughts on this / something similar? This would remove the need for containers.rego and use pods.rego, now that it's incredibly small.

I also like how the library is called now, instead of containers.containers and pods.pods -- we just have pods.containers[_]

+417 -863

1 comment

52 changed files

jpreese

pr closed time in 2 days

Pull request review comment plexsystems/promdoc

Change output-dir argument to --out flag

 import ( 	"io/ioutil" 	"os" 	"path"-	"strings"  	"github.com/spf13/cobra"+	"github.com/spf13/viper"  	"github.com/plexsystems/promdoc/internal/rendering" )  // NewGenerateCommand creates a new generate command func NewGenerateCommand() *cobra.Command { 	cmd := cobra.Command{-		Use:   "generate <output-dir>",+		Use:   "generate", 		Short: "Generate documentation from a given folder",-		Args:  cobra.ExactArgs(1),++		PreRunE: func(cmd *cobra.Command, args []string) error {+			if err := viper.BindPFlag("out", cmd.Flags().Lookup("out")); err != nil {+				return fmt.Errorf("bind out flag: %w", err)+			}+			return nil+		},  		RunE: func(cmd *cobra.Command, args []string) error {-			if err := runGenerateCommand(args[0]); err != nil {+			if err := runGenerateCommand(); err != nil { 				return fmt.Errorf("generate: %w", err) 			}  			return nil 		}, 	} +	cmd.Flags().StringP("out", "o", "alerts.md",+		"file name or path for the output-file")+ 	return &cmd } -func runGenerateCommand(outputFile string) error {+func runGenerateCommand() error {+	out := viper.GetString("out")+	outputDir, outputFile := path.Split(out) 	workingDir, err := os.Getwd() 	if err != nil { 		return fmt.Errorf("get working dir: %w", err) 	}--	fileTokens := strings.Split(outputFile, ".")-	if len(fileTokens) == 0 {-		return fmt.Errorf("get file extension: %w", err)+	if outputDir == "" {
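Review bot: path.Split(out) in runGenerateCommand only recognises "/" as a separator, so an --out value given with a Windows separator (for example docs\alerts.md) comes back with an empty outputDir and is handled as a bare file name by the `if outputDir == "" {` branch; filepath.Split understands the host's separator and is the usual choice for user-supplied paths.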

Yep! If it's a file, it should have an extension that we can use to figure out what type of file to render. Otherwise it should be assumed to be a directory and output alerts.md (markdown).

Zelinzky

comment created time in 2 days

Pull request review comment plexsystems/promdoc

Change output-dir argument to --out flag

 import ( 	"io/ioutil" 	"os" 	"path"-	"strings"  	"github.com/spf13/cobra"+	"github.com/spf13/viper"  	"github.com/plexsystems/promdoc/internal/rendering" )  // NewGenerateCommand creates a new generate command func NewGenerateCommand() *cobra.Command { 	cmd := cobra.Command{-		Use:   "generate <output-dir>",+		Use:   "generate", 		Short: "Generate documentation from a given folder",-		Args:  cobra.ExactArgs(1),++		PreRunE: func(cmd *cobra.Command, args []string) error {+			if err := viper.BindPFlag("out", cmd.Flags().Lookup("out")); err != nil {+				return fmt.Errorf("bind out flag: %w", err)+			}+			return nil+		},  		RunE: func(cmd *cobra.Command, args []string) error {-			if err := runGenerateCommand(args[0]); err != nil {+			if err := runGenerateCommand(); err != nil { 				return fmt.Errorf("generate: %w", err) 			}  			return nil 		}, 	} +	cmd.Flags().StringP("out", "o", "alerts.md",+		"file name or path for the output-file")+ 	return &cmd } -func runGenerateCommand(outputFile string) error {+func runGenerateCommand() error {+	out := viper.GetString("out")+	outputDir, outputFile := path.Split(out) 	workingDir, err := os.Getwd() 	if err != nil { 		return fmt.Errorf("get working dir: %w", err) 	}--	fileTokens := strings.Split(outputFile, ".")-	if len(fileTokens) == 0 {-		return fmt.Errorf("get file extension: %w", err)+	if outputDir == "" {

While I do like trying to leverage the standard library, in this case the Split func--the current behavior isn't quite what we're looking for.

promdoc generate --out docs

Should create an alerts.md into the docs directory. Unfortunately, Split will consider "docs" to be a file.

Zelinzky

comment created time in 2 days

Pull request review comment plexsystems/promdoc

Change output-dir argument to --out flag

 import ( 	"io/ioutil" 	"os" 	"path"-	"strings"  	"github.com/spf13/cobra"+	"github.com/spf13/viper"  	"github.com/plexsystems/promdoc/internal/rendering" )  // NewGenerateCommand creates a new generate command func NewGenerateCommand() *cobra.Command { 	cmd := cobra.Command{-		Use:   "generate <output-dir>",+		Use:   "generate", 		Short: "Generate documentation from a given folder",-		Args:  cobra.ExactArgs(1),++		PreRunE: func(cmd *cobra.Command, args []string) error {+			if err := viper.BindPFlag("out", cmd.Flags().Lookup("out")); err != nil {+				return fmt.Errorf("bind out flag: %w", err)+			}+			return nil+		},  		RunE: func(cmd *cobra.Command, args []string) error {-			if err := runGenerateCommand(args[0]); err != nil {+			if err := runGenerateCommand(); err != nil { 				return fmt.Errorf("generate: %w", err) 			}  			return nil 		}, 	} +	cmd.Flags().StringP("out", "o", "alerts.md",+		"file name or path for the output-file")+ 	return &cmd } -func runGenerateCommand(outputFile string) error {+func runGenerateCommand() error {+	out := viper.GetString("out")+	outputDir, outputFile := path.Split(out)

We should strive to declare variables as close as possible to the first time that they are being used. In this case, outputDir and outputFile are declared, followed by workingDir.

Zelinzky

comment created time in 2 days

issue comment plexsystems/konstraint

Request: Generate the sync gatekeeper config based on policies with data.inventory

Played with this for a little today, and early testing seems promising.

example data file (would be generated from the actual resources in the gatekeeper-system namespace):

inventory:
  namespace:
    gatekeeper-system:
      v1:
        Service:
          apiVersion: v1
          kind: Service
          metadata:
            labels:
              gatekeeper.sh/system: "yes"
              gatekeeper.sh/operation: "audit"
            name: gatekeeper-audit-metrics-service
            namespace: gatekeeper-system
          spec:
            ports:
              - port: 8889
                name: audit-metrics
                targetPort: 8888
            selector:
              app.kubernetes.io/instance: gatekeeper
              app.kubernetes.io/name: gatekeeper
              control-plane: audit-controller
              gatekeeper.sh/operation: audit
              gatekeeper.sh/system: "yes"

[[data.yaml]]

Using @garethahealy 's data.inventory based policy: https://github.com/redhat-cop/rego-policies/blob/master/policy/ocp/requiresinventory/deployment-has-matching-service/src.rego

$ conftest test - -p policy/cluster --all-namespaces -d policy/cluster/data/data.yaml

garethahealy

comment created time in 2 days

Pull request review comment plexsystems/konstraint

Condense container library

 package lib.pods  import data.lib.core -pods[pod] {-    lower(core.kind) == "statefulset"-    pod = core.resource.spec.template+pod = core.resource.spec.template {+    pod_templates := ["daemonset","deployment","job","replicaset","replicationcontroller","statefulset"]
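Review bot: the rule being replaced compared lower(core.kind) == "statefulset", and every entry in the new pod_templates list is lowercase, so the membership check that follows needs to keep the lower() normalisation on core.kind; a resource whose kind is written as Deployment (the form the API server emits) would otherwise not match "deployment" and would silently drop out of the pods library.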

I'm not entirely against the idea. I would have concerns about considering every edge case and having the library spiral out of control--but just a single case isn't going to be that big of a problem. In a perfect scenario, we'd have an openshift.rego library that implemented core and added additional pod definitions (and other openshift specific definitions).

@jalseth , any thoughts on this one?

jpreese

comment created time in 2 days

issue comment open-policy-agent/gatekeeper

Add a runbook link to constraints

@snuggie12 we're just now starting to look into how best to approach runbooks with konstraint. While it's easy enough to add a URL in the header comments, which will show up in the documentation, we'd like to see it included in the violation itself.

As @maxsmythe mentioned, one avenue we considered was just adding an annotation during the generation process, but the user would still have to inspect the constraint itself. We'd like to be able to present the link to the user in the violation message.

details seems to be the best candidate for this, but we're not quite sure how that gets to the user yet. While primitive, another idea we tossed about was during the generation process, just edit the msg value to include runbook: url.com/here.

snuggie12

comment created time in 3 days

PR opened plexsystems/konstraint

Reduce number of test files during create

Just noticed now that we have a lot of examples, the original create test has caused quite a few test files to be generated. This sets it up such that only one file is needed for the test.

+51 -3278

0 comment

48 changed files

pr created time in 3 days

push event plexsystems/konstraint

John Reese

commit sha 53e65307173c73111ab3eb0cd0b36a0e827a47e5

Reduce number of test files during create

push time in 3 days

create branch plexsystems/konstraint

branch : clean-testdir

created branch time in 3 days

Pull request review comment plexsystems/konstraint

Condense container library

 package lib.pods  import data.lib.core -pods[pod] {-    lower(core.kind) == "statefulset"-    pod = core.resource.spec.template+pod = core.resource.spec.template {+    pod_templates := ["daemonset","deployment","job","statefulset"]
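Review bot: pod_templates here covers daemonset, deployment, job and statefulset only; ReplicaSet and ReplicationController also carry spec.template, so pods created through them would no longer be picked up by pod = core.resource.spec.template. Add "replicaset" and "replicationcontroller" to the list so the condensed library does not narrow what the old per-kind rules matched.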

Done!

jpreese

comment created time in 3 days

push event plexsystems/konstraint

John Reese

commit sha 70159686f2d3b3fae23dfe02d94bc2698b25f4dc

Add additional kinds

push time in 3 days

push event plexsystems/konstraint

John Reese

commit sha 66939647f2c4db915ee57cf9adb24903a1dbf84f

Add additional kinds

push time in 3 days

pull request comment plexsystems/konstraint

Condense container library

Good catch on ReplicationController-- didn't even realize that's a thing now. I added that and CronJob.

jpreese

comment created time in 3 days

push event plexsystems/konstraint

John Reese

commit sha a06e480564a84177d755ff5f3a2becc5085818e4

Add additional kinds

push time in 3 days

PR opened plexsystems/konstraint

[DRAFT] [FEEDBACK REQUEST] Condense container library

After upgrading to Konstraint v0.6.0 which contains support for recursively adding imports, I noticed that my policies were now updated to include the pods library. However, they all worked previously without needing to import it before.

Giving the libraries a closer look, noticed that a large portion of the pods/containers pieces can be shortened.

Any thoughts on this / something similar? This would remove the need for containers.rego and use pods.rego, now that it's incredibly small.

+22 -56

0 comment

6 changed files

pr created time in 3 days

create branch plexsystems/konstraint

branch : library-refactor

created branch time in 3 days

created tag plexsystems/konstraint

tag v0.6.0

A policy management tool for interacting with Gatekeeper

created time in 3 days

issue opened open-policy-agent/gatekeeper

secret is not well-formed Gatekeeper beta.11

What steps did you take and what happened:

Deployed Gatekeeper to a Kind cluster.

Admittedly, I have never seen this error before, but all I did was deploy Gatekeeper (which I do... a lot, every day).

kubectl logs -n gatekeeper-system gatekeeper-controller-manager-5c99fbb76d-2tjw4
{"level":"info","ts":1596238603.4752572,"logger":"setup","msg":"setting up cert rotation"}
{"level":"info","ts":1596238603.4760537,"logger":"setup","msg":"starting manager"}
{"level":"info","ts":1596238603.4767292,"logger":"cert-rotation","msg":"starting cert rotator controller"}
{"level":"info","ts":1596238603.476966,"logger":"controller-runtime.controller","msg":"Starting EventSource","controller":"validating-webhook-controller","source":"kind source: /, Kind="}
{"level":"info","ts":1596238603.5799334,"logger":"cert-rotation","msg":"refreshing CA and server certs"}
{"level":"info","ts":1596238603.580487,"logger":"controller-runtime.controller","msg":"Starting EventSource","controller":"validating-webhook-controller","source":"kind source: admissionregistration.k8s.io/v1beta1, Kind=ValidatingWebhookConfiguration"}
{"level":"info","ts":1596238603.5900865,"logger":"readiness-tracker","msg":"config resource not found - skipping for readiness"}
{"level":"info","ts":1596238603.5901506,"logger":"readiness-tracker","msg":"ExpectationsDone","gvk":"config.gatekeeper.sh/v1alpha1, Kind=Config","expectationCount":0}
{"level":"info","ts":1596238603.6031055,"logger":"readiness-tracker","msg":"ExpectationsDone","gvk":"templates.gatekeeper.sh/v1beta1, Kind=ConstraintTemplate","expectationCount":0}
{"level":"info","ts":1596238603.6816518,"logger":"controller-runtime.controller","msg":"Starting Controller","controller":"validating-webhook-controller"}
{"level":"info","ts":1596238603.6817124,"logger":"controller-runtime.controller","msg":"Starting workers","controller":"validating-webhook-controller","worker count":1}
{"level":"error","ts":1596238603.6884582,"logger":"cert-rotation","msg":"secret is not well-formed, cannot update ValidatingWebhookConfiguration","error":"Cert secret is not well-formed, missing ca.crt","errorVerbose":"Cert secret is not well-formed, missing ca.crt\ngithub.com/open-policy-agent/gatekeeper/pkg/webhook.buildArtifactsFromSecret\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/webhook/certs.go:233\ngithub.com/open-policy-agent/gatekeeper/pkg/webhook.(*ReconcileVWH).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/webhook/certs.go:496\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/github.com/go-logr/zapr/zapr.go:128\ngithub.com/open-policy-agent/gatekeeper/pkg/webhook.(*ReconcileVWH).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/webhook/certs.go:498\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:90"}
{"level":"info","ts":1596238604.2855098,"logger":"cert-rotation","msg":"server certs refreshed"}
{"level":"info","ts":1596238604.2877865,"logger":"cert-rotation","msg":"ensuring CA cert on ValidatingWebhookConfiguration"}
{"level":"info","ts":1596238604.2963445,"logger":"cert-rotation","msg":"ensuring CA cert on ValidatingWebhookConfiguration"}
{"level":"info","ts":1596238690.9433343,"logger":"cert-rotation","msg":"ensuring CA cert on ValidatingWebhookConfiguration"}
{"level":"info","ts":1596238690.9599297,"logger":"cert-rotation","msg":"ensuring CA cert on ValidatingWebhookConfiguration"}

Gatekeeper did not enforce any policies after this and I had to re-deploy.

Environment:

  • Gatekeeper version: beta.11

  • Kubernetes version: (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.6-beta.0", GitCommit:"e7f962ba86f4ce7033828210ca3556393c377bcc", GitTreeState:"clean", BuildDate:"2020-01-15T08:26:26Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3", GitCommit:"b3cbbae08ec52a7fc73d334838e18d17e8512749", GitTreeState:"clean", BuildDate:"2019-12-04T07:23:47Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

created time in 4 days

issue opened plexsystems/konstraint

Convert doc generator to use template

The current documentation generating just builds up a string. While effective, it would serve us better to use templates as more and more documentation configurations are requested.

created time in 4 days

issue opened plexsystems/konstraint

Rego without a comment block still renders Markdown link

When running doc on a folder of policies, policies without a header comment still cause the doc generator to render all of the fields for that policy.

When a policy lacks a header comment, the doc generator should skip over it.

created time in 4 days

PR opened plexsystems/konstraint

Sanitize rego for documentation

This just makes the rego that we pull back from source more predictable when it comes to writing documentation.

+49 -91

0 comment

3 changed files

pr created time in 4 days

create branch plexsystems/konstraint

branch : sanitize-rego

created branch time in 4 days

push event plexsystems/konstraint

John Reese

commit sha 80c037ceef71b246fd3308c9e0ab3d74c7a7cee3

Format example rego policies (#42)

push time in 4 days

PR merged plexsystems/konstraint

Format example rego policies

Picked a style and ran with it. Added editorconfig.

+1290 -1178

0 comment

80 changed files

jpreese

pr closed time in 4 days

push event plexsystems/konstraint

John Reese

commit sha 8ec5edb119db9d0f5960160b3ad8804bd2aa6524

Doc regen

view details

push time in 4 days

push event plexsystems/konstraint

John Reese

commit sha c3402c60dcb073da59e73e8fb653ff03dbade009

Doc regen

view details

push time in 4 days

PR opened plexsystems/konstraint

Format example rego policies

Picked a style and ran with it. Added editorconfig.

+1289 -1197

0 comment

79 changed files

pr created time in 4 days

create branch plexsystems/konstraint

branch : lib-pass

created branch time in 4 days

pull request comment plexsystems/konstraint

Split lib.workloads into lib.pods and lib.containers

Makes sense to me. I like getting away from workloads as well.

jalseth

comment created time in 4 days

created tag plexsystems/konstraint

tag v0.5.4

A policy management tool for interacting with Gatekeeper

created time in 4 days

push event plexsystems/konstraint

John Reese

commit sha 3a7a895cf4e2dd7fc080b0bd4aefb65886f065bc

Fix pathing in markdown documentation

view details

push time in 4 days

PR opened plexsystems/konstraint

Fix pathing in markdown documentation

Pathing breaks when run from a Windows-based machine. Looking through some of the Markdown specs that are out there, the engine expects forward slashes.

+7 -0

0 comment

2 changed files

pr created time in 4 days

create branch plexsystems/konstraint

branch : docs-pathing

created branch time in 4 days

pull request comment plexsystems/konstraint

Support recursive imports

I know you have this marked as draft @jalseth but I think this looks great. Simple and straightforward. This will be huge, thanks!

jalseth

comment created time in 4 days

Pull request review comment plexsystems/konstraint

Support recursive imports

 func getLibraryPath(path string) (string, error) { 	return libraryPath, nil } -func getMatchingLibraries(policy rego.File, libraries []rego.File) []string {-	var libs []string-	for _, importPackage := range policy.ImportPackages {-		for _, library := range libraries {-			if importPackage == library.PackageName {-				libs = append(libs, library.Contents)+func getImportedLibraries(file rego.File, libraries []rego.File) []rego.File {+	var libs []rego.File+	for _, i := range file.ImportPackages {+		for _, l := range libraries {+			if l.PackageName == i {
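Review bot: in the nested loop of getImportedLibraries, an entry of file.ImportPackages that matches no library's PackageName is silently dropped, since the visible loop only appends on a match; a policy that imports a library missing from the library directory would then get an incomplete set of libraries rather than an error. Consider tracking which imports were resolved and returning an error (the signature would gain an error result) for any that were not, so a broken import fails loudly instead of producing a template missing its dependencies. The removed names importPackage and library were also clearer than i and l for these values.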

opinion: I tend to reserve single character identifiers for indexing, and use a more descriptive name for the value. I think this comparison takes a little bit of looking up and down to get the full picture of what's happening.

jalseth

comment created time in 4 days

PR opened plexsystems/konstraint

Remove extra folder from examples

Title

+0 -171

0 comment

1 changed file

pr created time in 4 days

create branch plexsystems/konstraint

branch : remove-folder

created branch time in 4 days

created tag plexsystems/konstraint

tag v0.5.3

A policy management tool for interacting with Gatekeeper

created time in 5 days

push event plexsystems/konstraint

John Reese

commit sha 875d27282ca613f55445f297e76d702755da0125

Handle carriage returns found in rego policies (#37)

view details

push time in 5 days

PR merged plexsystems/konstraint

Handle carriage returns found in rego policies

Forced CRLF in VSCode to duplicate the issue. Verified this change leaves the templates/constraints untouched. Acceptance tests also came back with no modifications.

+1 -1

1 comment

1 changed file

jpreese

pr closed time in 5 days

pull request comment plexsystems/konstraint

Handle carriage returns found in rego policies

Agreed. I'm going to add this in my next PR.

jpreese

comment created time in 5 days

PR opened plexsystems/konstraint

Handle carriage returns found in rego policies

Forced CRLF in VSCode to duplicate the issue. Verified this change leaves the templates/constraints untouched. Acceptance tests also came back with no modifications.

+1 -1

0 comment

1 changed file

pr created time in 5 days

create branch plexsystems/konstraint

branch : returns

created branch time in 5 days

pull request comment plexsystems/konstraint

Add example security policies

Discussed offline some changes to the library. Policies themselves have already been used in dev/prod environments.

jalseth

comment created time in 5 days

issue comment plexsystems/konstraint

Request: Generate the sync gatekeeper config based on policies with data.inventory

@jalseth @garethahealy

It would be interesting to see if we could use the --data argument with Conftest to mimic data.inventory.

Given a bundle of Kubernetes resource(s), create a .yaml file with an inventory: header. Users would not create this inventory yaml, but rather it would be auto-generated from the Kubernetes resources that are to be deployed.

Then by passing in that yaml during the policy evaluation (conftest -d somefile.yaml), the data.inventory rule is applicable to not only Gatekeeper evaluations, but Conftest as well.

garethahealy

comment created time in 5 days

issue comment artifacthub/hub

Add support for OPA policies repositories

@garethahealy thanks for the ping, this is awesome!

Please let myself or @jalseth know if anything needs to be done on our end to help out with this initiative.

tegioz

comment created time in 5 days

started redhat-cop/rego-policies

started time in 5 days

pull request comment plexsystems/konstraint

Add job to workloads library

Aside: What are your thoughts on all of the is_daemonset, is_deployment, etc. rules? We don't use any of them, and I'm not sure how much value breaking all of those kinds really provides.

We could just remove all of them, and then change the pods[pod] rule to:

pods[pod] {
  pod = core.resource
}

pods[pod] {
  pod = core.resource.spec.template
}

Which drastically cuts down on the size.

I do kind of like is_workload, we use it in a couple policies as just containers[_] isn't as friendly. Though I think I would prefer workloads.has_container or another name that says container. Seems odd to create an abstraction around the word container.

workloads.has_container
workloads.containers[_].resources.requests.cpu

jpreese

comment created time in 5 days

PR opened plexsystems/konstraint

Add job to workloads library

Noticed this when doing some rework on our Kubernetes manifests. Policy was not failing on a Kubernetes Job that had an invalid image registry host specified.

+63 -0

0 comment

7 changed files

pr created time in 6 days
