feat: add generate operation and wait for VAPB generation

[JaydipGabani]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #3659
Related #3501

Special notes for your reviewer:

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 27.94118% with 196 lines in your changes missing coverage. Please review.

Project coverage is 47.64%. Comparing base (3350319) to head (a6ac8fd).
Report is 392 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/controller/constraint/constraint_controller.go	0.00%	118 Missing ⚠️
...onstrainttemplate/constrainttemplate_controller.go	49.35%	60 Missing and 18 partials ⚠️

❗ There is a different number of reports uploaded between BASE (3350319) and HEAD (a6ac8fd). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (3350319)	HEAD (a6ac8fd)
unittests	2	1

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3573      +/-   ##
==========================================
- Coverage   54.49%   47.64%   -6.85%     
==========================================
  Files         134      236     +102     
  Lines       12329    19786    +7457     
==========================================
+ Hits         6719     9428    +2709     
- Misses       5116     9476    +4360     
- Partials      494      882     +388     

Flag	Coverage Δ
unittests	47.64% <27.94%> (-6.85%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[maxsmythe]

Biggest concern is the timestamp stuff.

[maxsmythe]

Probably should not include the hardcoded time in the error text -- prone to bitrot.

[maxsmythe]

We should not rely on the creation timestamp... that leaves us vulnerable to clock skew since that is set by an unknown machine.

Also, as discussed in the OSS mtg, the time delay should be based off of the constraint template, specifically wait time seconds after the CRD is created from the template. There is no need to wait due to the constraint.

[maxsmythe]

VAP generation should probably be in its own function -- the reconcile function is unwieldy at this point.

Also, I'm not sure we want to only validate enforcement action when generate is enabled.

[JaydipGabani]

refactored the code

[maxsmythe]

We should probably move generation lifecycle stuff to its own function.

[ritazh]

this is added to controller-manager instead of audit. was this intentional?

[JaydipGabani]

This was supposed to be added to audit pod. Fixed it.

[ritazh]

Suggested change

	| defaultWaitForVAPBGeneration | (alpha) Wait to generate ValidatingAdmissionPolicyBinding after the constraint CRD is created. | `30` |
	| defaultWaitForVAPBGeneration | (alpha) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created. | `30` |

[ritazh]

same

[ritazh]

if none of the controllers has the generate operation, how do we report this issue to the user?

[JaydipGabani]

I have added log statement for now. Another option is to figure the same out by looking at all CTStatus resource in CTstatus controller - https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/controller/constrainttemplatestatus/constrainttemplatestatus_controller.go#L185. However we might need one field under CT Status to post the error.

[ritazh]

why is this * 2? can you add a comment for this?

[JaydipGabani]

I modified this to remove *2, added the comment as well.

[ritazh]

what if it's not populated

[JaydipGabani]

Fixed this behavior.

[ritazh]

does this need to be a switch statement or can a if clause work better since some of the code below seems to be repeated.

[JaydipGabani]

Updated the code to if stmt

[ritazh]

why is this commented out?

[JaydipGabani]

removed the commented block. Updated the tests as well.

[ritazh]

if annotation is already populated, then can we always skip an update? what's the use case for when the annotation needs to be updated with a new time?

[JaydipGabani]

This ensures that VAPB is generated if a faulty actor has set the timestamp in the future manually—beyond the allowed delay configured by the flag.

[ritazh]

thanks for the context and it would be useful to add that as a comment.

[ritazh]

this returned time duration is ignore when an error is returned. we should be consistent to always rely on the annotation for the timestamp instead of returning a duration here.

[JaydipGabani]

The purpose here was to requeue after user defined delay in case wanted annotations are not found (wait for annotation to be set by CT constroller if annotation was not present for any reason). I updated the code to reflect the same.

[maxsmythe]

No need to have a user-defined delay when annotation is missing, that should be handled by controller code (user sets time delay after CRD gets created, not internal controller mechanics)

[maxsmythe]

because we are requeueing before cacheConstraint is called (which adds the constraint to the constraint framework), the constraint will not be enforced at all until the VAP objects are created. These seems unnecessary and will hurt the performance of existing G8r uses.

[maxsmythe]

All of the VAP generation logic is gated on reflect.DeepEqual() of the constraint as-cached by the constraint framework.

I don't think that is the right logic gate for VAP-gen logic -- it should be gated on whether the extant VAP objects have drifted from the to-be-generated VAP objects. Otherwise users could modify the generated VAP objects and G8r would not re-align them until the next time the constraint is touched.

[maxsmythe]

It looks like we gate actual writes on VAP binding having a diff --- could just always call generateVAP() code. Maybe we could avoid unnecessary logic execution and therefore improve performance by refactoring more, but always calling VAP gen should be sufficient.

Bonus points for calling it after adding the constraint to the constraint framework -- that avoids blocking all enforcement on VAP succeeding as mentioned elsewhere.

[JaydipGabani]

updated to call generateVAP out side of reflect.DeepEqual() gate. Also calling generateVAP after constraint is marked enforced.

[maxsmythe]

Should this error be swallowed? Or should we tell the user that the constraint template does not support VAP?

[JaydipGabani]

This will mean when we switch the default to always generate VAP and VAPB, we will be throwing error for existing users using constraint template with Rego. I can also see the other use-case, where we would want to notify users if the intent is to use VAP but there is no CEL in the CT.

@ritazh @sozercan Any thoughts on this?

[maxsmythe]

Did we not switch to a model where users must use the VAP enforcement point to use VAP? I remember having that discussion. Part of the reason for requiring explicit user intent was to avoid questions like this.

[maxsmythe]

In any case, I think an error or "warning"-type error makes sense. Users can use scoped EA to disable it.

Contrast that with users getting no notice that a Rego-sourced CT is incompatible with VAP.

[ritazh]

IMO we should check if engine is K8sNativeValidation, then log and report the error. I recall this error was swallowed in 3.17.1 because 3.17.0 was reporting this error for existing rego CTs.

[JaydipGabani]

I do not recall having a discussion where user must use the VAP enforcement point to use VAP. I thought eventually we wanted to enable VAP enforcement point by default in-line with other enforcement points.

Reporting error only when VAP enforcement point explicitly mentioned in constraint through scopedEnforcementAction and template does not satisfy conditions to create VAP could work. This will not affect current rego users. And when we switch to VAP by default, the guidance for constraint authors would be:

• If VAP is available to use, GK will use VAP with all constraint. Otherwise GK will use webhook for enforcement. No errors reported on CT about not generating VAP.
• If VAP is not available to use and user wants to use VAP with scopedEnforcementPoints, GK reports error on CT and enforces through webhook if included as enforcement point.

Does this make sense?^^

[JaydipGabani]

As per the community discussion, I will follow up with instroducing field on constraint status for enforcementPoint status under bypod.

[maxsmythe]

No need to have a user-defined delay when annotation is missing, that should be handled by controller code (user sets time delay after CRD gets created, not internal controller mechanics)

[maxsmythe]

Discovery/nomatch errors should not be a concern for bindings (which are a built-in type)

[JaydipGabani]

Updated to remove the error matching.

[maxsmythe]

It looks like we gate actual writes on VAP binding having a diff --- could just always call generateVAP() code. Maybe we could avoid unnecessary logic execution and therefore improve performance by refactoring more, but always calling VAP gen should be sufficient.

Bonus points for calling it after adding the constraint to the constraint framework -- that avoids blocking all enforcement on VAP succeeding as mentioned elsewhere.

[maxsmythe]

I think, more accurately, this prevents clock skew from preventing generation on task reschedule.

This design really doesn't protect against malicious users (RBAC for templates does that)

[maxsmythe]

Should probably note that we are purposefully making a second call to the API server here in order to make sure the timestamp is post-CRD creation.

Otherwise the question I have is "why make two requests?"

[JaydipGabani]

Added a comment here.

[maxsmythe]

We should also have an annotation that is non-clock-dependent, that lets us know when generation is always allowed, otherwise we run the risk of sporadic delays when the pod reschedules.

Likely a significant change, probably not a blocker for beta (just a known risk)

[JaydipGabani]

Once the annotations are set after CRD is created, pod reschedules won't cause the annotations to be set again. In the event of pod getting reschedule after CRD is created and before the annotations are set, annotations will get set on the restart and then it won't get updated again.

Since we only update annotations if it is not set or it is in future outside of the window defined by users, I am failing to see the need of non-clock-dependent annotation. Can you describe an example where we run the risk of sporadic delays?

[maxsmythe]

Remember the discussion about clock skew. Pod gets rescheduled to a node that is a day behind -> sporadic 30-second delays generating bindings, even if the CRD has been extant for hours.

[JaydipGabani]

Yip, this slipped my mind. Thanks for the context. Let's follow up with this fix. I will create an issue.

[maxsmythe]

Per previous comment, this should return a duration of zero... let the controller decide what the retry delay is.

[ritazh]

Do we need to reset this annotation when the CRD needs an update? the CRD should already been created and known to the apiserver right? and therefore, no need to wait for the vapb creation/updates?

[JaydipGabani]

Yeah, you are correct. I initially thought that we need to wait because CRD would be different and api-server needs time to cache it. But it really doesn't matter, because all VAP cares about is kind. I will update the PR.

[JaydipGabani]

Updated the PR.

[maxsmythe]

LGTM with 2 nits, sorry for delay.

[maxsmythe]

nit: ret is effectively time.Duration(0) (it never gets overriden) for readability, probably best to rename ret something like noDelay or similar.

[maxsmythe]

nit: "We add the annotation as a follow-on update to be sure the timestamp is set relative to a time after the CRD is successfully created. Creating the CRD with a delay timestamp already set would not account for request latency"

would be more clear (feel free to update wording). Current comment is more descriptive of the code than explanatory as to why the code is the way it is.

[maxsmythe]

LGTM

[grosser]

can we get some docs on what this generate operation does ?
... and a PR description would also be nice