Allow wildcards in resource syncing specification #3057

Open
skaven81 opened this issue Oct 9, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@skaven81

skaven81 commented Oct 9, 2023

Describe the solution you'd like
In the Gatekeeper config resource, the syncOnly section requires that resources be fully qualified with a group, version and kind. There are types of resources (Gatekeeper Constraints come to mind) where one or more of these values is not known. It is also often the case that multiple versions of resources (such as the various API versions of Ingress resources) are desired to be synced, without needing to explicitly list each one.

Currently, specifying wildcards results in an error:

  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1
    - group: ""
      kind: Pod
      version: v1
->  - group: constraints.gatekeeper.sh
->    kind: '*'
->    version: '*'

{"level":"error","ts":1696895322.1075552,"msg":"Reconciler error","controller":"config-controller","object":{"name":"config","namespace":"cattle-gatekeeper-system"},"namespace":"cattle-gatekeeper-system","name":"config","reconcileID":"03a42281-bd99-48a7-9e28-c1600d29f750","error":"adding watch for constraints.gatekeeper.sh/*, Kind=* getting informer for kind: constraints.gatekeeper.sh/*, Kind=* no matches for kind \"*\" in version \"constraints.gatekeeper.sh/*\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:234"}

Environment:

  • Gatekeeper version: 3.10.0
  • Kubernetes version: (use kubectl version): version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}
@skaven81 skaven81 added the enhancement New feature or request label Oct 9, 2023
@acpana
Contributor

acpana commented Oct 17, 2023

Hey @skaven81, thanks for opening this. It sounds like this is a dupe of #1664.

@skaven81
Author

Sort of...#1664 asks to make the version optional. I'd like to see all the fields made optional (though I would understand if Gatekeeper rejected [group: *, version: *, kind: *] as that would likely be a mistake).

But there are absolutely use-cases where I'd want to sync in all resources of a given API group, or maybe all resources that have the same kind (even if they're in different API groups, such as the different iterations of Ingress a while back).

So I'd say my request is a superset of #1664, not a dupe.


stale bot commented Dec 17, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 17, 2023
@skaven81
Author

Bumping as this is not stale

@ritazh ritazh removed the stale label Dec 18, 2023

stale bot commented Feb 16, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 16, 2024
@skaven81
Author

Bumping as not stale

@stale stale bot removed the stale label Feb 16, 2024
@maxsmythe
Contributor

@skaven81 does the comment in #1664 (comment) address the pain point you're seeing?

Basically, if there was some way to suss out what resources constraint templates require and sync those (and only those) would that moot the issue?

@skaven81
Author

Yes, I think that sums it up ... mostly. The "durability over upgrades" is of course one of the issues. But that only addresses the apiVersion part. The group is also important to have wildcard flexibility (arguably for the same reason). The Ingress resource changed groups mid-stream from extensions.k8s.io to networking.k8s.io, and so when that change happened, I would have needed to update the Config to ensure Ingresses kept syncing. In some cases, at the cluster admin's discretion, it should be possible to tell Gatekeeper to sync all resources that match a given kind, or ALL the kinds in a given group.

I just want that flexibility and to not be tied into an arbitrary model of GVK specifications when ultimately all we're doing with syncOnly is composing a list. And it's frustrating to not have tools like wildcards available for all the fields when building a list like this.
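An added example, not part of the thread and not Gatekeeper code: since the Config shown in the issue only accepts fully qualified entries, wildcard patterns can be expanded outside Gatekeeper into the explicit list that syncOnly takes. The `GVK` type, `Expand`, `fieldMatches` and the `discovered` list are hypothetical names, and the discovery data is a constructed sample rather than output from a real cluster.

```go
package main

import (
	"errors"
	"fmt"
)

// GVK mirrors one syncOnly entry (hypothetical type, not Gatekeeper's own).
type GVK struct{ Group, Version, Kind string }

// Constructed sample standing in for the cluster's API discovery output.
var discovered = []GVK{
	{"", "v1", "Pod"},
	{"extensions", "v1beta1", "Ingress"},
	{"networking.k8s.io", "v1", "Ingress"},
	{"networking.k8s.io", "v1", "NetworkPolicy"},
	{"constraints.gatekeeper.sh", "v1beta1", "K8sRequiredLabels"},
}

// fieldMatches treats "*" as a wildcard; "" still means the core group only.
func fieldMatches(pattern, value string) bool { return pattern == "*" || pattern == value }

// Expand resolves patterns to concrete, de-duplicated entries; all-wildcard is rejected.
func Expand(patterns, available []GVK) ([]GVK, error) {
	seen := map[GVK]bool{}
	var out []GVK
	for _, p := range patterns {
		if p.Group == "*" && p.Version == "*" && p.Kind == "*" {
			return nil, errors.New("refusing group/version/kind all '*'")
		}
		for _, a := range available {
			if !seen[a] && fieldMatches(p.Group, a.Group) &&
				fieldMatches(p.Version, a.Version) && fieldMatches(p.Kind, a.Kind) {
				seen[a] = true
				out = append(out, a)
			}
		}
	}
	return out, nil
}

func main() {
	entries, err := Expand([]GVK{{"*", "*", "Ingress"}, {"constraints.gatekeeper.sh", "*", "*"}}, discovered)
	if err != nil {
		panic(err)
	}
	for _, e := range entries { // print in the syncOnly layout used in the issue
		fmt.Printf("- group: %q\n  kind: %s\n  version: %s\n", e.Group, e.Kind, e.Version)
	}
}
```

Every expanded entry adds objects to the data Gatekeeper replicates for policy evaluation, so the generated list is worth reviewing before it is applied.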


stale bot commented Apr 23, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 23, 2024
@skaven81
Author

Not stale

@stale stale bot removed the stale label Apr 24, 2024
4 participants