diff --git a/api/v1beta1/policyautomation_types.go b/api/v1beta1/policyautomation_types.go index 37059439..6985e117 100644 --- a/api/v1beta1/policyautomation_types.go +++ b/api/v1beta1/policyautomation_types.go @@ -53,7 +53,7 @@ type AutomationDef struct { // is "1000". // // +kubebuilder:validation:Minimum=0 - PolicyViolationsLimit *uint `json:"policyViolationsLimit,omitempty"` + PolicyViolationsLimit *uint16 `json:"policyViolationsLimit,omitempty"` } // PolicyAutomationSpec defines how and when automation is initiated for the referenced policy. diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 4bf9df9b..ca58a03e 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -26,7 +26,7 @@ func (in *AutomationDef) DeepCopyInto(out *AutomationDef) { } if in.PolicyViolationsLimit != nil { in, out := &in.PolicyViolationsLimit, &out.PolicyViolationsLimit - *out = new(uint) + *out = new(uint16) **out = **in } } diff --git a/build/common/Makefile.common.mk b/build/common/Makefile.common.mk index 8a9421fd..e163cc0b 100755 --- a/build/common/Makefile.common.mk +++ b/build/common/Makefile.common.mk 
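Review bot: The field type narrows to `*uint16`, but the only validation marker is still `+kubebuilder:validation:Minimum=0`, and the regenerated policyautomations CRD later in this diff shows no new `maximum` for this field, so the API server will keep accepting `policyViolationsLimit` values above 65535 that the controller can no longer decode into `uint16` — such an object (newly created or already stored) becomes unreconcilable with a JSON unmarshal error rather than being rejected at admission. Add `// +kubebuilder:validation:Maximum=65535` above the field and regenerate the CRD so the bound is enforced by the API server; existing objects should be checked for out-of-range values before rollout. Narrowing a Go type in the published v1beta1 package is also a compile-time break for external Go consumers, even though the wire format is unchanged for in-range values. Separately, the same regenerated CRD now lists `eventHook` under `required`, which looks like a side effect of the controller-gen upgrade rather than an intended API tightening — confirm it, or mark that field `// +optional` in this file (it lies outside the hunk). The struct `AutomationDef` starts before this hunk.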
@@ -3,21 +3,21 @@ ## CLI versions (with links to the latest releases) # https://github.com/kubernetes-sigs/controller-tools/releases/latest -CONTROLLER_GEN_VERSION := v0.14.0 +CONTROLLER_GEN_VERSION := v0.16.3 # https://github.com/kubernetes-sigs/kustomize/releases/latest -KUSTOMIZE_VERSION := v5.3.0 +KUSTOMIZE_VERSION := v5.4.3 # https://github.com/golangci/golangci-lint/releases/latest GOLANGCI_VERSION := v1.52.2 # https://github.com/mvdan/gofumpt/releases/latest -GOFUMPT_VERSION := v0.6.0 +GOFUMPT_VERSION := v0.7.0 # https://github.com/daixiang0/gci/releases/latest -GCI_VERSION := v0.13.4 +GCI_VERSION := v0.13.5 # https://github.com/securego/gosec/releases/latest -GOSEC_VERSION := v2.19.0 +GOSEC_VERSION := v2.21.3 # https://github.com/kubernetes-sigs/kubebuilder/releases/latest -KBVERSION := 3.14.1 +KBVERSION := 3.15.1 # https://github.com/kubernetes/kubernetes/releases/latest -ENVTEST_K8S_VERSION := 1.29.x +ENVTEST_K8S_VERSION := 1.30.x LOCAL_BIN ?= $(error LOCAL_BIN is not set.) ifneq ($(findstring $(LOCAL_BIN), $(PATH)), $(LOCAL_BIN)) diff --git a/controllers/automation/policyautomation_controller.go b/controllers/automation/policyautomation_controller.go index fc311749..d68d0a86 100644 --- a/controllers/automation/policyautomation_controller.go +++ b/controllers/automation/policyautomation_controller.go @@ -196,7 +196,7 @@ func (r *PolicyAutomationReconciler) getViolationContext( policyViolationsLimit := policyAutomation.Spec.Automation.PolicyViolationsLimit if policyViolationsLimit == nil { - policyViolationsLimit = new(uint) + policyViolationsLimit = new(uint16) *policyViolationsLimit = policyv1beta1.DefaultPolicyViolationsLimit } diff --git a/controllers/encryptionkeys/encryptionkeys_controller.go b/controllers/encryptionkeys/encryptionkeys_controller.go index 735d1d36..cab07cb9 100644 --- a/controllers/encryptionkeys/encryptionkeys_controller.go +++ b/controllers/encryptionkeys/encryptionkeys_controller.go 
@@ -38,7 +38,7 @@ var ( ) // SetupWithManager sets up the controller with the Manager. -func (r *EncryptionKeysReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint) error { +func (r *EncryptionKeysReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint16) error { return ctrl.NewControllerManagedBy(mgr). // The work queue prevents the same item being reconciled concurrently: // https://github.com/kubernetes-sigs/controller-runtime/issues/1416#issuecomment-899833144 @@ -55,7 +55,7 @@ var _ reconcile.Reconciler = &EncryptionKeysReconciler{} // for all managed clusters. type EncryptionKeysReconciler struct { //nolint:golint,revive client.Client - KeyRotationDays uint + KeyRotationDays uint32 Scheme *runtime.Scheme } diff --git a/controllers/policymetrics/policymetrics_controller.go b/controllers/policymetrics/policymetrics_controller.go index 1b4ae670..94cd3135 100644 --- a/controllers/policymetrics/policymetrics_controller.go +++ b/controllers/policymetrics/policymetrics_controller.go @@ -24,7 +24,7 @@ const ControllerName string = "policy-metrics" var log = ctrl.Log.WithName(ControllerName) // SetupWithManager sets up the controller with the Manager. -func (r *MetricReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint) error { +func (r *MetricReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint16) error { return ctrl.NewControllerManagedBy(mgr). // The work queue prevents the same item being reconciled concurrently: // https://github.com/kubernetes-sigs/controller-runtime/issues/1416#issuecomment-899833144 diff --git a/controllers/propagator/replicatedpolicy_setup.go b/controllers/propagator/replicatedpolicy_setup.go index f4c23704..7dd130cc 100644 --- a/controllers/propagator/replicatedpolicy_setup.go +++ b/controllers/propagator/replicatedpolicy_setup.go 
@@ -19,7 +19,7 @@ import ( func (r *ReplicatedPolicyReconciler) SetupWithManager( mgr ctrl.Manager, - maxConcurrentReconciles uint, + maxConcurrentReconciles uint16, dependenciesSource source.Source, updateSrc source.Source, templateSrc source.Source, diff --git a/controllers/propagator/rootpolicy_setup.go b/controllers/propagator/rootpolicy_setup.go index c4205cdb..a8d4ceac 100644 --- a/controllers/propagator/rootpolicy_setup.go +++ b/controllers/propagator/rootpolicy_setup.go @@ -28,7 +28,7 @@ import ( //+kubebuilder:rbac:groups=*,resources=*,verbs=get;list;watch // SetupWithManager sets up the controller with the Manager. -func (r *RootPolicyReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint) error { +func (r *RootPolicyReconciler) SetupWithManager(mgr ctrl.Manager, maxConcurrentReconciles uint16) error { return ctrl.NewControllerManagedBy(mgr). WithOptions(controller.Options{MaxConcurrentReconciles: int(maxConcurrentReconciles)}). Named("root-policy-spec"). diff --git a/controllers/rootpolicystatus/root_policy_status_controller.go b/controllers/rootpolicystatus/root_policy_status_controller.go index adce5119..9cb55506 100644 --- a/controllers/rootpolicystatus/root_policy_status_controller.go +++ b/controllers/rootpolicystatus/root_policy_status_controller.go @@ -32,7 +32,7 @@ var log = ctrl.Log.WithName(ControllerName) // SetupWithManager sets up the controller with the Manager. func (r *RootPolicyStatusReconciler) SetupWithManager( mgr ctrl.Manager, - maxConcurrentReconciles uint, + maxConcurrentReconciles uint16, plrsEnabled bool, ) error { ctrlBldr := ctrl.NewControllerManagedBy(mgr). diff --git a/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml b/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml index 1e124fed..7562a7dc 100644 --- a/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml +++ b/deploy/crds/kustomize/policy.open-cluster-management.io_policies.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: policies.policy.open-cluster-management.io spec: group: policy.open-cluster-management.io diff --git a/deploy/crds/policy.open-cluster-management.io_placementbindings.yaml b/deploy/crds/policy.open-cluster-management.io_placementbindings.yaml index 11861555..3eab953e 100644 --- a/deploy/crds/policy.open-cluster-management.io_placementbindings.yaml +++ b/deploy/crds/policy.open-cluster-management.io_placementbindings.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: placementbindings.policy.open-cluster-management.io spec: group: policy.open-cluster-management.io diff --git a/deploy/crds/policy.open-cluster-management.io_policies.yaml b/deploy/crds/policy.open-cluster-management.io_policies.yaml index 896bff47..53f4e2d5 100644 --- a/deploy/crds/policy.open-cluster-management.io_policies.yaml +++ b/deploy/crds/policy.open-cluster-management.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: policies.policy.open-cluster-management.io spec: group: policy.open-cluster-management.io diff --git a/deploy/crds/policy.open-cluster-management.io_policyautomations.yaml b/deploy/crds/policy.open-cluster-management.io_policyautomations.yaml index d6a0e3f3..2a5ed4d4 100644 --- a/deploy/crds/policy.open-cluster-management.io_policyautomations.yaml +++ b/deploy/crds/policy.open-cluster-management.io_policyautomations.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: policyautomations.policy.open-cluster-management.io spec: group: policy.open-cluster-management.io @@ -116,6 +116,7 @@ spec: type: string required: - automationDef + - eventHook - mode - policyRef type: object diff --git a/deploy/crds/policy.open-cluster-management.io_policysets.yaml b/deploy/crds/policy.open-cluster-management.io_policysets.yaml index cf28359a..542bbb5f 100644 --- a/deploy/crds/policy.open-cluster-management.io_policysets.yaml +++ b/deploy/crds/policy.open-cluster-management.io_policysets.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: policysets.policy.open-cluster-management.io spec: group: policy.open-cluster-management.io diff --git a/deploy/operator.yaml b/deploy/operator.yaml index 00ffa575..4ec0cddc 100644 --- a/deploy/operator.yaml +++ b/deploy/operator.yaml @@ -34,52 +34,6 @@ kind: ClusterRole metadata: name: governance-policy-propagator rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -- apiGroups: - - apps.open-cluster-management.io - resources: - - placementrules - verbs: - - get - - list - - watch -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - - placementdecisions - - placements - verbs: - - get - - list - - watch -- apiGroups: - - config.openshift.io - resourceNames: - - cluster - resources: - - dnses - verbs: - - get - apiGroups: - "" resources: 
@@ -92,12 +46,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - apiGroups: - "" resourceNames: @@ -122,76 +70,57 @@ rules: - apiGroups: - "" resources: + - secrets - serviceaccounts/token verbs: - create - apiGroups: - - policy.open-cluster-management.io + - '*' resources: - - placementbindings + - '*' verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io + - apps.open-cluster-management.io resources: - - policies + - placementrules verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io - resources: - - policies/finalizers - verbs: - - update -- apiGroups: - - policy.open-cluster-management.io + - authorization.k8s.io resources: - - policies/status + - subjectaccessreviews + - tokenreviews verbs: - - get - - patch - - update + - create - apiGroups: - - policy.open-cluster-management.io + - cluster.open-cluster-management.io resources: - - policyautomations + - managedclusters + - placementdecisions + - placements verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io - resources: - - policyautomations/finalizers - verbs: - - update -- apiGroups: - - policy.open-cluster-management.io + - config.openshift.io + resourceNames: + - cluster resources: - - policyautomations/status + - dnses verbs: - get - - patch - - update - apiGroups: - policy.open-cluster-management.io resources: + - placementbindings + - policies + - policyautomations - policysets verbs: - create @@ -204,12 +133,16 @@ rules: - apiGroups: - policy.open-cluster-management.io resources: + - policies/finalizers + - policyautomations/finalizers - policysets/finalizers verbs: - update - apiGroups: - policy.open-cluster-management.io resources: + - policies/status + - policyautomations/status - policysets/status verbs: - get 
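Review bot: The regenerated ClusterRole is a large mechanical reshuffle by the newer controller-gen, which makes it hard to confirm by eye that the effective permissions are unchanged — the standalone `secrets` create rule is folded into the `serviceaccounts/token` create rule, `subjectaccessreviews` and `tokenreviews` are merged, and `placementbindings`, `policies` and `policyautomations` are merged into the former `policysets` rule whose verb list runs past the end of this hunk. Before merging, compare old and new as sets (render both and diff the normalized apiGroups×resources×verbs tuples, or run `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>` against a test cluster) rather than trusting the textual diff. Note also that the retained `apiGroups: ['*'] resources: ['*']` get/list/watch rule grants cluster-wide read of every resource, including Secrets in all namespaces; it is pre-existing (it comes from the `+kubebuilder:rbac:groups=*,resources=*` marker visible in rootpolicy_setup.go in this diff) but this is a good moment to confirm it is still required. The same restructuring is repeated in deploy/rbac/role.yaml.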
diff --git a/deploy/rbac/role.yaml b/deploy/rbac/role.yaml index 7542e6b6..299aef34 100644 --- a/deploy/rbac/role.yaml +++ b/deploy/rbac/role.yaml @@ -4,52 +4,6 @@ kind: ClusterRole metadata: name: governance-policy-propagator rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch -- apiGroups: - - apps.open-cluster-management.io - resources: - - placementrules - verbs: - - get - - list - - watch -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - cluster.open-cluster-management.io - resources: - - managedclusters - - placementdecisions - - placements - verbs: - - get - - list - - watch -- apiGroups: - - config.openshift.io - resourceNames: - - cluster - resources: - - dnses - verbs: - - get - apiGroups: - "" resources: @@ -62,12 +16,6 @@ rules: - patch - update - watch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - apiGroups: - "" resourceNames: 
@@ -92,76 +40,57 @@ rules: - apiGroups: - "" resources: + - secrets - serviceaccounts/token verbs: - create - apiGroups: - - policy.open-cluster-management.io + - '*' resources: - - placementbindings + - '*' verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io + - apps.open-cluster-management.io resources: - - policies + - placementrules verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io - resources: - - policies/finalizers - verbs: - - update -- apiGroups: - - policy.open-cluster-management.io + - authorization.k8s.io resources: - - policies/status + - subjectaccessreviews + - tokenreviews verbs: - - get - - patch - - update + - create - apiGroups: - - policy.open-cluster-management.io + - cluster.open-cluster-management.io resources: - - policyautomations + - managedclusters + - placementdecisions + - placements verbs: - - create - - delete - get - list - - patch - - update - watch - apiGroups: - - policy.open-cluster-management.io - resources: - - policyautomations/finalizers - verbs: - - update -- apiGroups: - - policy.open-cluster-management.io + - config.openshift.io + resourceNames: + - cluster resources: - - policyautomations/status + - dnses verbs: - get - - patch - - update - apiGroups: - policy.open-cluster-management.io resources: + - placementbindings + - policies + - policyautomations - policysets verbs: - create @@ -174,12 +103,16 @@ rules: - apiGroups: - policy.open-cluster-management.io resources: + - policies/finalizers + - policyautomations/finalizers - policysets/finalizers verbs: - update - apiGroups: - policy.open-cluster-management.io resources: + - policies/status + - policyautomations/status - policysets/status verbs: - get diff --git a/main.go b/main.go index bd870e49..896b3f03 100644 --- a/main.go +++ b/main.go 
@@ -116,12 +116,12 @@ func main() { secureMetrics bool enableLeaderElection bool probeAddr string - keyRotationDays uint - keyRotationMaxConcurrency uint - policyMetricsMaxConcurrency uint - policyStatusMaxConcurrency uint - rootPolicyMaxConcurrency uint - replPolicyMaxConcurrency uint + keyRotationDays uint32 + keyRotationMaxConcurrency uint16 + policyMetricsMaxConcurrency uint16 + policyStatusMaxConcurrency uint16 + rootPolicyMaxConcurrency uint16 + replPolicyMaxConcurrency uint16 enableWebhooks bool complianceAPIHost string complianceAPIPort string @@ -143,37 +143,37 @@ func main() { "Enabling this will ensure there is only one active controller manager.") pflag.BoolVar(&enableWebhooks, "enable-webhooks", true, "Enable the policy validating webhook") - pflag.UintVar( + pflag.Uint32Var( &keyRotationDays, "encryption-key-rotation", 30, "The number of days until the policy encryption key is rotated", ) - pflag.UintVar( + pflag.Uint16Var( &keyRotationMaxConcurrency, "key-rotation-max-concurrency", 10, "The maximum number of concurrent reconciles for the policy-encryption-keys controller", ) - pflag.UintVar( + pflag.Uint16Var( &policyMetricsMaxConcurrency, "policy-metrics-max-concurrency", 5, "The maximum number of concurrent reconciles for the policy-metrics controller", ) - pflag.UintVar( + pflag.Uint16Var( &policyStatusMaxConcurrency, "policy-status-max-concurrency", 5, "The maximum number of concurrent reconciles for the policy-status controller", ) - pflag.UintVar( + pflag.Uint16Var( &rootPolicyMaxConcurrency, "root-policy-max-concurrency", 2, "The maximum number of concurrent reconciles for the root-policy controller", ) - pflag.UintVar( + pflag.Uint16Var( &replPolicyMaxConcurrency, "replicated-policy-max-concurrency", 10,
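Review bot: `keyRotationDays` is widened to `uint32` while every other counter in this block becomes `uint16`, yet nothing here bounds it — pflag will accept anything up to 4,294,967,295 days, and 0. If the controller converts this to a `time.Duration` by multiplying by 24h (not visible in this diff), values above roughly 106,751 days overflow int64, and 0 may mean immediate or never-ending rotation depending on the comparison used. Add an explicit range check after `pflag.Parse()` that rejects 0 (unless it is a documented "never rotate" sentinel) and caps the value at a sane maximum, so misconfiguration is a clear startup error rather than a silently wrapped duration. The body of `main` and the pflag definitions for these variables continue in the next hunk, which runs past the end of this page.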