

Add feature gate package
Signed-off-by: Nolan Brubaker <[email protected]>
nrb committed Jun 3, 2024
1 parent 84fdbef commit 0fb4f54
Showing 8 changed files with 741 additions and 8 deletions.
2 changes: 0 additions & 2 deletions go.sum
Expand Up @@ -155,8 +155,6 @@ github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/openshift/api v0.0.0-20240405095747-3e50337fcaea h1:cjCo7sUIjL+Q2ZGMfLXzFb70K+77R52GVjh10fRhA1M=
github.com/openshift/api v0.0.0-20240405095747-3e50337fcaea/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
github.com/openshift/api v0.0.0-20240518060631-280767ad03ed h1:GVkw3GInzpfTS8oqHSiJpb1Qx88FN9GR5PfZrvkaLRc=
github.com/openshift/api v0.0.0-20240518060631-280767ad03ed/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
github.com/openshift/build-machinery-go v0.0.0-20231128094528-1e9b1b0595c8 h1:cu3YUMVGsKIyFyJGO3F6BZKGYQZpCKxAv9cBPgQAca8=
3 changes: 2 additions & 1 deletion pkg/cmd/render/render.go
Expand Up @@ -16,6 +16,7 @@ import (

"github.com/ghodss/yaml"
configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/api/features"
kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
"github.com/openshift/cluster-kube-apiserver-operator/bindata"
"github.com/openshift/cluster-kube-apiserver-operator/pkg/operator/configobservation/apienablement"
Expand Down Expand Up @@ -333,7 +334,7 @@ func bootstrapDefaultConfig(featureGates featuregates.FeatureGate) ([]byte, erro
return nil, fmt.Errorf("failed to add audit policy into default config - %s", err)
}

if !featureGates.Enabled(configv1.FeatureGateOpenShiftPodSecurityAdmission) {
if !featureGates.Enabled(features.FeatureGateOpenShiftPodSecurityAdmission) {
if err := auth.SetPodSecurityAdmissionToEnforcePrivileged(defaultConfig); err != nil {
return nil, err
}
3 changes: 2 additions & 1 deletion pkg/cmd/render/render_test.go
Expand Up @@ -12,6 +12,7 @@ import (
"testing"

configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/api/features"
kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
libgoaudit "github.com/openshift/library-go/pkg/operator/apiserver/audit"
"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
Expand Down Expand Up @@ -650,7 +651,7 @@ spec:
}

func TestGetDefaultConfigWithAuditPolicy(t *testing.T) {
raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{configv1.FeatureGateOpenShiftPodSecurityAdmission}, nil))
raw, err := bootstrapDefaultConfig(featuregates.NewFeatureGate([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission}, nil))
require.NoError(t, err)
require.True(t, len(raw) > 0)

4 changes: 2 additions & 2 deletions pkg/operator/configobservation/auth/podsecurityadmission.go
Expand Up @@ -3,7 +3,7 @@ package auth
import (
"fmt"

configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/api/features"
"github.com/openshift/library-go/pkg/operator/configobserver"
"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
"github.com/openshift/library-go/pkg/operator/events"
Expand Down Expand Up @@ -98,7 +98,7 @@ func observePodSecurityAdmissionEnforcement(featureGateAccessor featuregates.Fea

observedConfig := map[string]interface{}{}
switch {
case !featureGates.Enabled(configv1.FeatureGateOpenShiftPodSecurityAdmission):
case !featureGates.Enabled(features.FeatureGateOpenShiftPodSecurityAdmission):
if err := SetPodSecurityAdmissionToEnforcePrivileged(observedConfig); err != nil {
return existingConfig, append(errs, err)
}
Expand Up @@ -12,6 +12,7 @@ import (
"github.com/stretchr/testify/require"

configv1 "github.com/openshift/api/config/v1"
"github.com/openshift/api/features"
"github.com/openshift/library-go/pkg/operator/configobserver/featuregates"
"github.com/openshift/library-go/pkg/operator/events"
)
Expand All @@ -27,11 +28,11 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) {
restrictedJSON, err := json.Marshal(restrictedMap)
require.NoError(t, err)

defaultFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{configv1.FeatureGateOpenShiftPodSecurityAdmission}, []configv1.FeatureGateName{})
defaultFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission}, []configv1.FeatureGateName{})

const sentinelExistingJSON = `{"admission":{"pluginConfig":{"PodSecurity":{"configuration":{"defaults":{"foo":"bar"}}}}}}`

disabledFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{}, []configv1.FeatureGateName{configv1.FeatureGateOpenShiftPodSecurityAdmission})
disabledFeatureSet := featuregates.NewHardcodedFeatureGateAccess([]configv1.FeatureGateName{}, []configv1.FeatureGateName{features.FeatureGateOpenShiftPodSecurityAdmission})

for _, tc := range []struct {
name string
