feat: add ValidatingAdmissionPolicy validating DataPlane ports (#1263)

Author: programmer04

charts/gateway-operator/CHANGELOG.md

@@ -2,10 +2,16 @@
 
 ## Unreleased
 
-## Changes
+### Changes
+
+## 0.4.10-rc.1
+
+### Changes
 
 - Set `readOnlyRootFilesystem: true` for kube-rbac-proxy
   [#1057](https://github.com/Kong/charts/pull/1057)
+- Add `ValidatingAdmissionPolicy` validating `DataPlane` ports.
+  [#1263](https://github.com/Kong/charts/pull/1263)
 
 ## 0.4.9
 
@@ -17,7 +23,7 @@
 
 ## 0.4.8
 
-## Changes
+### Changes
 
 - Remove kube-rbac-proxy for operator versions 1.5+.
   In order to controler metrics endpoint access for these version please see
@@ -29,7 +35,7 @@
 
 ## 0.4.7
 
-## Changes
+### Changes
 
 - Bumped `kong/kubernetes-configuration` CRDs to 1.0.8.
   [#1238](https://github.com/Kong/charts/pull/1238)

charts/gateway-operator/Chart.yaml

@@ -8,7 +8,7 @@ maintainers:
 name: gateway-operator
 sources:
   - https://github.com/Kong/charts/tree/main/charts/gateway-operator
-version: 0.4.9
+version: 0.4.10-rc.1
 appVersion: "1.4"
 annotations:
   artifacthub.io/prerelease: "false"

charts/gateway-operator/ci/__snapshots__/affinity-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/disable-gateway-controller-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/env-and-args-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/env-and-customenv-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/extra-labels-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     a: "b"
@@ -719,7 +719,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         a: "b"

charts/gateway-operator/ci/__snapshots__/kube-rbac-proxy-removed-in-1-5-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo
@@ -785,3 +785,97 @@ spec:
       - name: chartsnap-gateway-operator-certs-dir
         emptyDir:
           sizeLimit: 256Mi
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: ports.dataplane.gateway-operator.konghq.com
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - "gateway-operator.konghq.com"
+      apiVersions:
+      - "v1beta1"
+      operations:
+      - "CREATE"
+      - "UPDATE"
+      resources:
+      - "dataplanes"
+  variables:
+  - name: ingressPorts
+    expression: object.spec.network.services.ingress.ports
+  - name: podTemplateSpec
+    expression: object.spec.deployment.podTemplateSpec
+  - name: proxyContainers
+    expression: |
+      variables.podTemplateSpec.spec.containers.filter(c, c.name == 'proxy')
+  - name: proxyContainer
+    expression: |
+      variables.proxyContainers.size() > 0 ?
+        variables.proxyContainers[0] :
+        null
+  - name: envFilteredPortMaps
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PORT_MAPS")
+  - name: envFilteredProxyListen
+    expression: |
+      variables.proxyContainer.env.filter(e, e.name == "KONG_PROXY_LISTEN")
+  - name: envPortMaps
+    expression: |
+      variables.envFilteredPortMaps.size() > 0 ? variables.envFilteredPortMaps[0].value : null
+  - name: envProxyListen
+    expression: |
+      variables.envFilteredProxyListen.size() > 0 ? variables.envFilteredProxyListen[0].value : null
+  # NOTE: Rules below do not validate the ports from the spec.network.services.ingress.ports
+  # when no KONG_PORT_MAPS or KONG_PROXY_LISTEN env variables are present in the proxy container.
+  # This has been the case before the introduction of validating admission policies so we are keeping
+  # the same behavior.
+
+  # Using string functions from: https://pkg.go.dev/github.com/google/cel-go/ext
+  validations:
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PORT_MAPS env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      !has(object.spec.network.services.ingress) ||
+      !has(object.spec.network.services.ingress.ports) ||
+      !has(variables.proxyContainer.env) ||
+      variables.envPortMaps == null ||
+      (
+        variables.ingressPorts.all(p, variables.envPortMaps.
+                  split(",").
+                  exists(pm,
+                      pm.split(":")[1].trim() == string(p.targetPort)
+                      )
+                  )
+      )
+    reason: Invalid
+  - messageExpression: "'Each port from spec.network.services.ingress.ports has to have an accompanying port in KONG_PROXY_LISTEN env'"
+    expression: |
+      !has(object.spec.network) ||
+      !has(object.spec.network.services) ||
+      !has(object.spec.network.services.ingress) ||
+      !has(object.spec.network.services.ingress.ports) ||
+      !has(variables.proxyContainer.env) ||
+      variables.envProxyListen == null ||
+      (
+        variables.ingressPorts.all(p, variables.envProxyListen.
+                  split(",").
+                  exists(pm,
+                    pm.trim().split(" ")[0].split(":")[1].trim() == string(p.targetPort)
+                    )
+                  )
+      )
+    reason: Invalid
+---
+# Source: gateway-operator/templates/validation-policy-dataplane.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: binding-ports.dataplane.gateway-operator.konghq.com
+spec:
+  policyName: ports.dataplane.gateway-operator.konghq.com
+  validationActions:
+  - Deny

charts/gateway-operator/ci/__snapshots__/nightly-can-be-used-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/probes-and-args-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo

charts/gateway-operator/ci/__snapshots__/tolerations-values.snap

@@ -696,7 +696,7 @@ kind: Deployment
 metadata:
   labels:
     app.kubernetes.io/name: gateway-operator
-    helm.sh/chart: gateway-operator-0.4.9
+    helm.sh/chart: gateway-operator-0.4.10-rc.1
     app.kubernetes.io/instance: "chartsnap"
     app.kubernetes.io/version: "1.4"
     app.kubernetes.io/component: kgo
@@ -718,7 +718,7 @@ spec:
       labels:
         control-plane: controller-manager
         app.kubernetes.io/name: gateway-operator
-        helm.sh/chart: gateway-operator-0.4.9
+        helm.sh/chart: gateway-operator-0.4.10-rc.1
         app.kubernetes.io/instance: "chartsnap"
         app.kubernetes.io/version: "1.4"
         app.kubernetes.io/component: kgo