open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Restarting pod when secret changes #3647

Open abudavis opened 1 month ago

abudavis commented 1 month ago

Environment:

The following yaml doesn't seem to do the job; it's supposed to trigger a deployment rollout when an annotation is modified. I could of course have used a controller here such as wave or reloader or kyverno to accomplish this, but it would have been really preferable to use Gatekeeper as we also use it for other stuff.

The secret and the deployment both have the same labels on them and both are in the same namespace, so I kind of expected that Gatekeeper would listen for secret changes and annotate the deployment to trigger a restart.

apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: Assign
metadata:
  name: restart-pod-when-ace-secret-changes
spec:
  applyTo:
  - groups: ["apps"]
    kinds: ["Deployment"]
    versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["secrets"]
    labelSelector:
      matchLabels:
        used-by-deployment: httpd
    namespaces: ["ace"]
  location: "spec.template.metadata.annotations.secret-update-hash"
  parameters:
    assign:
      value: "hello"

Secret:

kind: Secret
apiVersion: v1
metadata:
  name: dummy
  namespace: ace
  labels:
    used-by-deployment: httpd
data:
  secretToken: NjlmMWY4OWNlZTY2ZDAyMTZhZjMxMWI3NWY2NjQ0
type: opaque

Deployment: I tried to put the label under metadata, but that did not make any difference.

kind: Deployment
apiVersion: apps/v1
metadata:
  name: httpd
  namespace: ace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: httpd
        used-by-deployment: httpd
      annotations:
        secret-update-hash: dummy
    spec:
      containers:
        - name: container
          image: 'image-registry.openshift-image-registry.svc:5000/openshift/httpd:latest'
          ports:
            - containerPort: 8080
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600

Gatekeeper's MutatingWebhookConfiguration is by default set to make changes for CREATE and UPDATE operations:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  annotations:
    service.beta.openshift.io/inject-cabundle: "true"
  labels:
    gatekeeper.sh/system: "yes"
  name: gatekeeper-mutating-webhook-configuration
  ownerReferences:
  - apiVersion: operator.gatekeeper.sh/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Gatekeeper
    name: gatekeeper
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: LS0tLS1CRUdJTiBDR------REDACTED-----klDQVRFLS0tLS0K
    service:
      name: gatekeeper-webhook-service
      namespace: openshift-gatekeeper-system
      path: /v1/mutate
      port: 443
  failurePolicy: Ignore
  matchPolicy: Exact
  name: mutation.gatekeeper.sh
  namespaceSelector:
    matchExpressions:
    - key: admission.gatekeeper.sh/ignore
      operator: DoesNotExist
    - key: kubernetes.io/metadata.name
      operator: NotIn
      values:
      - openshift-gatekeeper-system
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
    scope: '*'
  sideEffects: None
  timeoutSeconds: 1
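As an added example (not code from this issue or from the Gatekeeper project), the script below models the two facts behind the behaviour reported above. First, a mutating admission webhook is invoked once per admitted object and can only edit that object, so an Assign must accept the admitted object under both `spec.applyTo` and `spec.match`: the Secret posted above fails `applyTo` (it is not an apps/v1 Deployment), and the Deployment fails `match` (no `used-by-deployment` label on its own metadata, and `match.kinds` names secrets rather than deployments), so the mutation never fires on either admission. Second, a Deployment only rolls pods when its pod template changes, so writing a digest of the Secret's data into the `secret-update-hash` pod-template annotation is what actually ties a rollout to a secret change. The selector functions are a deliberately simplified model of Gatekeeper's matching (exact, case-sensitive comparison of group and kind names) and the helper names (`applies_to`, `matches`, `assign_fires`, `secret_digest`, `stamp_deployment`, `with_metadata_labels`, `template_changed`) are hypothetical; the manifests are constructed from the issue text.

```python
"""Added example, not code from the issue or the Gatekeeper project.

Simplified model of admission-time mutation matching plus the content-hash
annotation pattern. Helper names and the selector model are assumptions.
"""
import copy
import hashlib
import json

# Manifests constructed from the issue text (trimmed to the relevant fields).
SECRET = {
    "kind": "Secret", "apiVersion": "v1",
    "metadata": {"name": "dummy", "namespace": "ace",
                 "labels": {"used-by-deployment": "httpd"}},
    "data": {"secretToken": "NjlmMWY4OWNlZTY2ZDAyMTZhZjMxMWI3NWY2NjQ0"},
}

DEPLOYMENT = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"name": "httpd", "namespace": "ace"},   # no labels here, as posted
    "spec": {
        "selector": {"matchLabels": {"app": "httpd"}},
        "template": {
            "metadata": {"labels": {"app": "httpd", "used-by-deployment": "httpd"},
                         "annotations": {"secret-update-hash": "dummy"}},
            "spec": {"containers": [{"name": "container", "image": "httpd:latest"}]},
        },
    },
}

ASSIGN = {
    "spec": {
        "applyTo": [{"groups": ["apps"], "kinds": ["Deployment"], "versions": ["v1"]}],
        "match": {
            "kinds": [{"apiGroups": [""], "kinds": ["secrets"]}],
            "labelSelector": {"matchLabels": {"used-by-deployment": "httpd"}},
            "namespaces": ["ace"],
        },
    }
}


def applies_to(assign, group, version, kind):
    """True if the admitted object's group/version/kind is listed in spec.applyTo."""
    return any(
        group in r["groups"] and version in r["versions"] and kind in r["kinds"]
        for r in assign["spec"]["applyTo"]
    )


def matches(assign, group, kind, obj):
    """True if the admitted object satisfies spec.match (namespaces, labels, kinds).

    Simplified model: exact string comparison of group and kind names.
    """
    m = assign["spec"]["match"]
    meta = obj["metadata"]
    if "namespaces" in m and meta.get("namespace") not in m["namespaces"]:
        return False
    want = m.get("labelSelector", {}).get("matchLabels", {})
    have = meta.get("labels", {})          # object metadata, not the pod template
    if any(have.get(k) != v for k, v in want.items()):
        return False
    kinds = m.get("kinds", [])
    if kinds and not any(group in k["apiGroups"] and kind in k["kinds"] for k in kinds):
        return False
    return True


def assign_fires(assign, group, version, kind, obj):
    """The webhook edits the admitted object only if BOTH selectors accept it."""
    return applies_to(assign, group, version, kind) and matches(assign, group, kind, obj)


def with_metadata_labels(deployment, labels):
    """Copy of the deployment with labels on its own metadata (what the reporter tried)."""
    out = copy.deepcopy(deployment)
    out["metadata"].setdefault("labels", {}).update(labels)
    return out


def secret_digest(secret):
    """Stable digest of the secret's data; changes exactly when the data changes."""
    canon = json.dumps(secret.get("data", {}), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def stamp_deployment(deployment, secret):
    """Copy of the deployment carrying the digest in its pod-template annotations."""
    out = copy.deepcopy(deployment)
    ann = out["spec"]["template"]["metadata"].setdefault("annotations", {})
    ann["secret-update-hash"] = secret_digest(secret)
    return out


def template_changed(before, after):
    """A changed pod template is what makes the Deployment controller roll pods."""
    return before["spec"]["template"] != after["spec"]["template"]


if __name__ == "__main__":
    print("fires on Secret admission:    ", assign_fires(ASSIGN, "", "v1", "Secret", SECRET))
    print("fires on Deployment admission:", assign_fires(ASSIGN, "apps", "v1", "Deployment", DEPLOYMENT))
    stamped = stamp_deployment(DEPLOYMENT, SECRET)
    print("template changed after stamp: ", template_changed(DEPLOYMENT, stamped))
    print("re-stamp with same secret:    ", template_changed(stamped, stamp_deployment(stamped, SECRET)))
```

The last two lines of the usage show the property a rollout-on-secret-change mechanism needs: stamping is idempotent for unchanged data (no spurious restarts) and changes the template only when the secret data changes. Whatever component computes the digest has to be one that observes the Secret and writes the Deployment; an admission-time mutation of either object alone cannot do that.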