feat: Enable toggling of deferring to VAP (#3335)

Signed-off-by: Max Smythe <smythe@google.com> Signed-off-by: Max Smythe <max.smythe@gmail.com> Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
open-policy-agent · Mar 28, 2024 · 71b7dca · 71b7dca
1 parent 07fae2f
commit 71b7dca
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -117,6 +117,7 @@ var (
 	disabledBuiltins                     = util.NewFlagSet()
 	enableK8sCel                         = flag.Bool("experimental-enable-k8s-native-validation", false, "Alpha: enable the validating admission policy driver")
 	externaldataProviderResponseCacheTTL = flag.Duration("external-data-provider-response-cache-ttl", 3*time.Minute, "TTL for the external data provider response cache. Specify the duration in 'h', 'm', or 's' for hours, minutes, or seconds respectively. Defaults to 3 minutes if unspecified. Setting the TTL to 0 disables the cache.")
+	deferAdmissionToVAP                           = flag.Bool("defer-admission-to-vap", false, "When set to false, Gatekeeper webhook can act as a fallback in case K8s' Validating Admission Policy fails.  When set to true, Gatekeeper validating webhook will not evaluate a policy for an admission request it expects vap to enforce. May improve resource usage at the cost of race conditions detecting whether VAP enforcement is in effect. This does not impact audit results. Defaults to false.")
 )
 
 func init() {
@@ -414,7 +415,16 @@ func setupControllers(ctx context.Context, mgr ctrl.Manager, sw *watch.Controlle
 
 	if *enableK8sCel {
 		// initialize K8sValidation
-		k8sDriver, err := k8scel.New()
+		var k8scelArgs []k8scel.Arg
+		if *deferAdmissionToVAP && constraint.VapEnforcement != constraint.VapFlagNone {
+			switch constraint.VapEnforcement {
+			case constraint.VapFlagGatekeeperDefault:
+				k8scelArgs = append(k8scelArgs, k8scel.VAPGenerationDefault(k8scel.VAPDefaultNo))
+			case constraint.VapFlagVapDefault:
+				k8scelArgs = append(k8scelArgs, k8scel.VAPGenerationDefault(k8scel.VAPDefaultYes))
+			}
+		}
+		k8sDriver, err := k8scel.New(k8scelArgs...)
 		if err != nil {
 			setupLog.Error(err, "unable to set up K8s native driver")
 			return err