Merged
62 changes: 31 additions & 31 deletions website/docs/expansion.md
Expand Up @@ -93,7 +93,7 @@ Here is an example of a `ExpansionTemplate` that specifies that `DaemonSet`,
`Deployment`, `Job`, `ReplicaSet`, `ReplicationController`, and `StatefulSet`
should be expanded into a `Pod`.

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
Expand Down Expand Up @@ -143,7 +143,7 @@ for `fooField` when creating Pods that cannot reasonably be added to the
a user could create a Mutation custom resource that modifies expanded resources,
like so:

```
```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
Expand Down Expand Up @@ -189,16 +189,16 @@ them to only be applied when expanding resources specified
by `ExpansionTemplates`. These Mutators will not affect any real resources on
the cluster.**

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
name: expand-deployments
spec:
applyTo:
- groups: [ "apps" ]
kinds: [ "Deployment" ]
versions: [ "v1" ]
- groups: ["apps"]
kinds: ["Deployment"]
versions: ["v1"]
templateSource: "spec.template"
generatedGVK:
kind: "Pod"
Expand All @@ -210,17 +210,16 @@ kind: Assign
metadata:
name: add-sidecar
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
scope: Namespaced
origin: "Generated"
source: All
Member Author

@davis-haba I couldn't get this to work with Generated, any ideas?

Contributor

@davis-haba davis-haba Feb 2, 2023

How were you testing it, and what were you expecting to see?

I fed this manifest into gator expand, using source: "Generated", and it produced the expected Pod. Changing the Assign's source to source: "Original" caused the Assign to not be applied, as expected.

W.r.t. the mutator, if you are just looking to test Assign.match.source, then you could try directly creating a Pod (or Deployment) and seeing if the side-car gets attached. I just tested this on-cluster and it worked for me (i.e. source: Generated did not add the side-car, but source: Original|All added it).

Member Author

@sozercan sozercan Feb 2, 2023

I tested on a kind v1.25 cluster. I was expecting to see the pod get the injected sidecar and the args mutated.
Here's a quick recording: https://asciinema.org/a/qEoR30Hl210qL0Tw70ZiOaBwz (this is with the same snippet from the PR but with source: Generated)

Tested with gator expand too, works there using source: Generated.

Contributor

@davis-haba davis-haba Feb 3, 2023

Since the mutators have source: Generated, they will not apply to the real pod that gets created on the cluster. The mutators will only apply to the ephemeral expanded pod, which is used for validating the deployment.

The assumption is the user is using mutators to simulate a controller adding the sidecar, so that their deployments can be properly validated. The controller they are simulating should add the sidecar to the real pod, not the mutators.

Member Author

@sozercan sozercan Feb 6, 2023

That makes sense. I think what's confusing is we say "When expanded, the above configs will produce the following Pod:" which is not true with source: Generated since the produced Pod does not have these configs.

I'll update with source: All (changes as is in this PR) if that sounds good to you? @davis-haba

Contributor

Yep, I agree that could be confusing. I think changing the example to source: All makes sense.

Thanks!

kinds:
- apiGroups: ["*"]
kinds: ["Pod"]
- apiGroups: ["*"]
kinds: ["Pod"]
location: "spec.containers[name:istio-proxy]"
parameters:
assign:
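Review bot: the bolded sentence in the context of the previous hunk ("These Mutators will not affect any real resources on the cluster.") is no longer true of this example once the Assign matches with `source: All`: as the review thread above explains, `All` applies the mutator to real Pods admitted to the cluster as well as to the ephemeral expanded Pod, while `Generated` restricts it to the expanded Pod used for validation. Either reword that sentence to say this example also mutates real Pods, or add a line after the example pointing out that `source: Generated` is the setting to use when the mutator should only simulate a controller for validation. The hunk also drops `scope: Namespaced` from the match; Pods are namespaced so the matched set is unchanged, but it is worth confirming the removal is intentional rather than a side effect of replacing `origin` with `source`.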
Expand All @@ -229,25 +228,26 @@ spec:
imagePullPolicy: IfNotPresent
image: docker.io/istio/proxyv2:1.15.0
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: ModifySet
metadata:
name: add-istio-args
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
source: All
Member Author

same here for modifyset

location: "spec.containers[name:istio-proxy].args"
parameters:
operation: merge
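Review bot: the ModifySet now matches with `source: All`, consistent with the Assign above, so it too will run against real Pods; the earlier bolded caveat that these mutators "will not affect any real resources on the cluster" should be reworded in this PR rather than left for a follow-up, otherwise the `istio-proxy` args will appear on real Pods and readers will not expect it. The remaining changes in this hunk (bracket spacing and list indentation) are cosmetic and fine.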
Expand All @@ -273,17 +273,17 @@ spec:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
```

When expanded, the above configs will produce the following `Pod`:

```
```yaml
apiVersion: v1
kind: Pod
metadata:
62 changes: 31 additions & 31 deletions website/versioned_docs/version-v3.10.x/expansion.md
Expand Up @@ -93,7 +93,7 @@ Here is an example of a `ExpansionTemplate` that specifies that `DaemonSet`,
`Deployment`, `Job`, `ReplicaSet`, `ReplicationController`, and `StatefulSet`
should be expanded into a `Pod`.

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
Expand Down Expand Up @@ -143,7 +143,7 @@ for `fooField` when creating Pods that cannot reasonably be added to the
a user could create a Mutation custom resource that modifies expanded resources,
like so:

```
```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
Expand Down Expand Up @@ -189,16 +189,16 @@ them to only be applied when expanding resources specified
by `ExpansionTemplates`. These Mutators will not affect any real resources on
the cluster.**

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
name: expand-deployments
spec:
applyTo:
- groups: [ "apps" ]
kinds: [ "Deployment" ]
versions: [ "v1" ]
- groups: ["apps"]
kinds: ["Deployment"]
versions: ["v1"]
templateSource: "spec.template"
generatedGVK:
kind: "Pod"
Expand All @@ -210,17 +210,16 @@ kind: Assign
metadata:
name: add-sidecar
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
scope: Namespaced
origin: "Generated"
source: All
kinds:
- apiGroups: ["*"]
kinds: ["Pod"]
- apiGroups: ["*"]
kinds: ["Pod"]
location: "spec.containers[name:istio-proxy]"
parameters:
assign:
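Review bot: same `match.source: All` change as in website/docs/expansion.md, so the same fix to the bolded "will not affect any real resources" statement is needed in this versioned copy. Since this file documents the v3.10.x release, please also confirm that `match.source` is supported by that release; a versioned doc should only show fields its release accepts.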
Expand All @@ -229,25 +228,26 @@ spec:
imagePullPolicy: IfNotPresent
image: docker.io/istio/proxyv2:1.15.0
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: ModifySet
metadata:
name: add-istio-args
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
source: All
location: "spec.containers[name:istio-proxy].args"
parameters:
operation: merge
Expand All @@ -273,17 +273,17 @@ spec:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
```

When expanded, the above configs will produce the following `Pod`:

```
```yaml
apiVersion: v1
kind: Pod
metadata:
60 changes: 30 additions & 30 deletions website/versioned_docs/version-v3.11.x/expansion.md
Expand Up @@ -93,7 +93,7 @@ Here is an example of a `ExpansionTemplate` that specifies that `DaemonSet`,
`Deployment`, `Job`, `ReplicaSet`, `ReplicationController`, and `StatefulSet`
should be expanded into a `Pod`.

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
Expand Down Expand Up @@ -189,16 +189,16 @@ them to only be applied when expanding resources specified
by `ExpansionTemplates`. These Mutators will not affect any real resources on
the cluster.**

```
```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
name: expand-deployments
spec:
applyTo:
- groups: [ "apps" ]
kinds: [ "Deployment" ]
versions: [ "v1" ]
- groups: ["apps"]
kinds: ["Deployment"]
versions: ["v1"]
templateSource: "spec.template"
generatedGVK:
kind: "Pod"
Expand All @@ -210,17 +210,16 @@ kind: Assign
metadata:
name: add-sidecar
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
scope: Namespaced
origin: "Generated"
source: All
kinds:
- apiGroups: ["*"]
kinds: ["Pod"]
- apiGroups: ["*"]
kinds: ["Pod"]
location: "spec.containers[name:istio-proxy]"
parameters:
assign:
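Review bot: as with the other two copies, the bolded statement that these mutators will not affect real resources conflicts with `source: All` in this example; apply the same wording fix here so the three copies of the page stay consistent.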
Expand All @@ -229,25 +228,26 @@ spec:
imagePullPolicy: IfNotPresent
image: docker.io/istio/proxyv2:1.15.0
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: ModifySet
metadata:
name: add-istio-args
spec:
source: Generated
applyTo:
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
- groups: [""]
kinds: ["Pod"]
versions: ["v1"]
match:
source: All
location: "spec.containers[name:istio-proxy].args"
parameters:
operation: merge
Expand All @@ -273,17 +273,17 @@ spec:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
args:
- "/bin/sh"
```

When expanded, the above configs will produce the following `Pod`:

```
```yaml
apiVersion: v1
kind: Pod
metadata: