Gatekeeper should recreate deleted constraint CRDs #448
Labels
bug
Something isn't working
Comments
shomron
changed the title
maxsmythe
added a commit
to maxsmythe/gatekeeper
that referenced
this issue
Feb 5, 2020
Fixes open-policy-agent#448 Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
added a commit
to maxsmythe/gatekeeper
that referenced
this issue
Feb 8, 2020
Fixes open-policy-agent#448 Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
added a commit
to maxsmythe/gatekeeper
that referenced
this issue
Mar 24, 2020
Fixes open-policy-agent#448 Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
added a commit
to maxsmythe/gatekeeper
that referenced
this issue
Mar 25, 2020
Fixes open-policy-agent#448 Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
added a commit
that referenced
this issue
Mar 26, 2020
…e finalizers (#459) * Add an owner reference and a watch to Constraint Template CRDs Fixes #448 Signed-off-by: Max Smythe <smythe@google.com> * Add unit tests, reboot watch on failure Signed-off-by: Max Smythe <smythe@google.com> * Get rid of finalizers and upgrade constraint framework Signed-off-by: Max Smythe <smythe@google.com> * Make test helm version hermetic Signed-off-by: Max Smythe <smythe@google.com> * Upgrade constraint framework Signed-off-by: Max Smythe <smythe@google.com> * Remove now-unnecessary vendor hack for manifests Signed-off-by: Max Smythe <smythe@google.com> * Address comments, simplify conversions Signed-off-by: Max Smythe <smythe@google.com> * Fix lint errors, address nit Signed-off-by: Max Smythe <smythe@google.com> * Address makefile/chart nits Signed-off-by: Max Smythe <smythe@google.com>
maxsmythe
added a commit
that referenced
this issue
Mar 30, 2020
* Add an owner reference and a watch to Constraint Template CRDs Fixes #448 Signed-off-by: Max Smythe <smythe@google.com> * Add unit tests, reboot watch on failure Signed-off-by: Max Smythe <smythe@google.com> * Get rid of finalizers and upgrade constraint framework Signed-off-by: Max Smythe <smythe@google.com> * Make test helm version hermetic Signed-off-by: Max Smythe <smythe@google.com> * Upgrade constraint framework Signed-off-by: Max Smythe <smythe@google.com> * Remove now-unnecessary vendor hack for manifests Signed-off-by: Max Smythe <smythe@google.com> * Address comments, simplify conversions Signed-off-by: Max Smythe <smythe@google.com> * Fix lint errors, address nit Signed-off-by: Max Smythe <smythe@google.com> * Address makefile/chart nits Signed-off-by: Max Smythe <smythe@google.com> * Fix race condition in webhook stats reporter Signed-off-by: Max Smythe <smythe@google.com> * No need to panic, master exits on error Signed-off-by: Max Smythe <smythe@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Gatekeeper’s ConstraintTemplate controller is responsible for creating constraint CRDs corresponding to the template spec. Today, the controller does not watch CustomResourceDefinitions, such that if a constraint CRD is deleted it will not be automatically recreated by the controller. A controller must continually monitor actual state to ensure to corresponds with the desired state.
The controller should add a new watch on CustomResourceDefinitions, using controller-runtime’s EnqueueRequestForOwner event handler to trigger reconciliation of the owning template if deletion of the corresponding CRD is observed. This also depends on the controller correctly setting the ownerReferences field of the constraint CustomResourceDefinition at the time of creation.
The text was updated successfully, but these errors were encountered: