tweaking

.github/workflows/gatekeeper-k8s-integrationtests.yaml

@@ -34,6 +34,9 @@ jobs:
           echo "## namespaces:"
           kubectl get namespaces
 
+          echo "## deployments:"
+          kubectl get deployments --all-namespaces
+
           echo "## pods:"
           kubectl get pods --all-namespaces
 

_test/deploy-gatekeeper.sh

@@ -44,30 +44,36 @@ deploy_gatekeeper() {
   echo ""
   echo "Deploying gatekeeper ${gatekeeper_version}..."
   oc create --save-config -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/${gatekeeper_version}/deploy/gatekeeper.yaml
-  oc create -f gatekeeper/config.yml -n gatekeeper-system
-  oc create -f gatekeeper/gatekeeper-template-manager.yml
+  oc create --save-config -f gatekeeper/config.yml -n gatekeeper-system
+  oc create --save-config -f gatekeeper/gatekeeper-template-manager.yml
 
-  oc scale --replicas=0 deployment/gatekeeper-audit --timeout=30s -n gatekeeper-system
-  oc scale --replicas=0 deployment/gatekeeper-controller-manager --timeout=30s -n gatekeeper-system
+  if [[ $(kubectl get namespace openshift --no-headers=true | wc -l) -eq 1 ]]; then
+    echo ""
+    echo "Scaling down pods so we can patch offline..."
+    oc scale --replicas=0 deployment/gatekeeper-audit --timeout=30s -n gatekeeper-system
+    oc scale --replicas=0 deployment/gatekeeper-controller-manager --timeout=30s -n gatekeeper-system
 
-  echo ""
-  echo "Patching gatekeeper to remove runAsUser to work on OCP..."
-  oc patch deployment/gatekeeper-audit --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/securityContext/runAsUser"}]' -n gatekeeper-system
-  oc patch deployment/gatekeeper-controller-manager --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/securityContext/runAsUser"}]' -n gatekeeper-system
+    oc apply -f gatekeeper/config-ocp.yml -n gatekeeper-system
 
-  echo ""
-  echo "Patching gatekeeper to enable emit-admission-events..."
-  oc patch deployment/gatekeeper-audit --type json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--emit-admission-events=true" }]' -n gatekeeper-system
-  oc patch deployment/gatekeeper-controller-manager --type json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--emit-admission-events=true" }]' -n gatekeeper-system
+    echo ""
+    echo "Patching gatekeeper to remove runAsUser to work on OCP..."
+    oc patch deployment/gatekeeper-audit --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/securityContext/runAsUser"}]' -n gatekeeper-system
+    oc patch deployment/gatekeeper-controller-manager --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/securityContext/runAsUser"}]' -n gatekeeper-system
 
-  echo ""
-  echo "Patching gatekeeper to include core namespaces in exempt-namespace..."
-  oc get deployment/gatekeeper-controller-manager -n gatekeeper-system -o json | jq ".spec.template.spec.containers[0].args |= . + [${excludedNamespacesComma}]" | oc apply -f -
+    echo ""
+    echo "Patching gatekeeper to enable emit-admission-events..."
+    oc patch deployment/gatekeeper-audit --type json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--emit-admission-events=true" }]' -n gatekeeper-system
+    oc patch deployment/gatekeeper-controller-manager --type json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--emit-admission-events=true" }]' -n gatekeeper-system
 
-  echo ""
-  echo "Waiting for gatekeeper to be ready..."
-  oc scale --replicas=1 deployment/gatekeeper-audit -n gatekeeper-system
-  oc scale --replicas=3 deployment/gatekeeper-controller-manager -n gatekeeper-system
+    echo ""
+    echo "Patching gatekeeper to include core namespaces in exempt-namespace..."
+    oc get deployment/gatekeeper-controller-manager -n gatekeeper-system -o json | jq ".spec.template.spec.containers[0].args |= . + [${excludedNamespacesComma}]" | oc apply -f -
+
+    echo ""
+    echo "Waiting for gatekeeper to be ready..."
+    oc scale --replicas=1 deployment/gatekeeper-audit -n gatekeeper-system
+    oc scale --replicas=3 deployment/gatekeeper-controller-manager -n gatekeeper-system
+  fi
 
   oc rollout status deployment/gatekeeper-audit -n gatekeeper-system --watch=true --timeout=10m
   oc rollout status deployment/gatekeeper-controller-manager -n gatekeeper-system --watch=true --timeout=10m

gatekeeper/config-ocp.yml

@@ -0,0 +1,34 @@
+---
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+  name: config
+spec:
+  readiness:
+    statsEnabled: true
+  sync:
+    syncOnly:
+      - version: "v1"
+        group: ""
+        kind: "Namespace"
+      - version: "v1"
+        group: ""
+        kind: "ServiceAccount"
+      - version: "v1"
+        group: ""
+        kind: "PersistentVolumeClaim"
+      - version: "v1"
+        group: "networking.k8s.io"
+        kind: "NetworkPolicy"
+      - version: "v1"
+        group: ""
+        kind: "Service"
+      - version: "v1"
+        group: "monitoring.coreos.com"
+        kind: "ServiceMonitor"
+      - version: "v1"
+        group: "apps"
+        kind: "Deployment"
+      - version: "v1"
+        group: "policy"
+        kind: "PodDisruptionBudget"

gatekeeper/config.yml

@@ -23,9 +23,6 @@ spec:
       - version: "v1"
         group: ""
         kind: "Service"
-      - version: "v1"
-        group: "monitoring.coreos.com"
-        kind: "ServiceMonitor"
       - version: "v1"
         group: "apps"
         kind: "Deployment"