feat(gatekeeper-config): add doop-dependent policies#1774
Merged
Conversation
- add helm_release and image_check libs to _helpers.tpl - add deprecated-api-version policy (helm_release) - add oli-labels-required policy (helm_release) - add outdated-image-bases policy (image_check) - add vulnerable-images policy (image_check, with on-pod and on-pod-owner constraints) - bump chart and PluginDefinition to 0.4.0 Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com> On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Completes the gatekeeper-config migration by adding four new Gatekeeper policies that depend on services shipped by the separate gatekeeper-doop PluginDefinition, with all new policies defaulting to disabled and the chart/PluginDefinition version bumped to 0.4.0.
Changes:
- Add new ConstraintTemplates + Constraints for: deprecated API versions, OLI/owner-label enforcement, outdated base images, and vulnerable images (doop-dependent).
- Add shared Rego libraries for calling
helm-manifest-parseranddoop-image-checker. - Expose new Helm values and PluginDefinition options for enabling/configuring these policies.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| gatekeeper-config/README.md | Documents the newly added doop-dependent policies. |
| gatekeeper-config/plugindefinition.yaml | Bumps PluginDefinition to 0.4.0 and adds options for the new policies. |
| gatekeeper-config/charts/Chart.yaml | Bumps chart version/appVersion to 0.4.0. |
| gatekeeper-config/charts/values.yaml | Adds values blocks for new policies and their doop service URLs/parameters. |
| gatekeeper-config/charts/templates/_helpers.tpl | Adds shared Rego libs for helm release parsing and image header checks. |
| gatekeeper-config/charts/templates/constrainttemplate-deprecated-api-version.yaml | Introduces the deprecated API version ConstraintTemplate using helm-manifest-parser. |
| gatekeeper-config/charts/templates/constraint-deprecated-api-version-k8s1-32.yaml | Adds a constraint instance for k8s 1.32 API removals. |
| gatekeeper-config/charts/templates/constrainttemplate-oli-labels-required.yaml | Introduces the OLI/owner-label ConstraintTemplate using helm-manifest-parser. |
| gatekeeper-config/charts/templates/constraint-oli-labels-required.yaml | Adds a constraint instance for Helm release Secrets (owner=helm). |
| gatekeeper-config/charts/templates/constrainttemplate-outdated-image-bases.yaml | Introduces the outdated base image ConstraintTemplate using doop-image-checker. |
| gatekeeper-config/charts/templates/constraint-outdated-image-bases.yaml | Adds a constraint instance for workload kinds + Pods with maxAgeDays parameter. |
| gatekeeper-config/charts/templates/constrainttemplate-vulnerable-images.yaml | Introduces the vulnerable images ConstraintTemplate using doop-image-checker. |
| gatekeeper-config/charts/templates/constraint-vulnerable-images-on-pod.yaml | Adds a pod-level vulnerable images constraint instance. |
| gatekeeper-config/charts/templates/constraint-vulnerable-images-on-pod-owner.yaml | Adds an owner-level vulnerable images constraint instance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- oli-labels-required: only flag genuine Helm releases via is_helm_release guard, so a non-Helm Secret matching the labelSelector no longer reads as a missing owned-by label - outdated-image-bases: validate the createdAt header is numeric and emit an explicit violation when it is missing or non-numeric instead of silently passing - bump chart and PluginDefinition to 0.4.1 Signed-off-by: Mikolaj Kucinski <osidu12@gmail.com> On-behalf-of: @SAP <mikolaj.kucinski@sap.com>
abhijith-darshan
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Details
Add doop-dependent policies as the final batch of the
gatekeeper-configmigration. All four require services shipped by thegatekeeper-doopPluginDefinition (helm-manifest-parser, doop-image-checker) and default to disabled.Differences vs upstream:
deprecated-api-versionapiVersionsandkubernetesVersionhardcoded in the chart.helmManifestParserURLalso parameterized.oli-labels-requiredowner-info-on-helm-releases: enforced legacy owner-info labels via inline Rego.greenhouse.sap/owned-bylabel on Helm release Secrets (matched viaowner: helm) using helm-manifest-parser.knownExceptionslist for temporary exemptions.outdated-image-basesdoopImageCheckerURLandmaxAgeDaysare Constraint parameters; complains when the oldest layer is older thanmaxAgeDays(default 365).vulnerable-imagesvulnerable-images-on-podandvulnerable-images-on-pod-owner) share one template; reporting level chosen via thereportingLevelparameter.Breaking Changes
None.
Issues Fixed
Other Relevant Information
Depends on the
gatekeeper-doopPluginDefinition (separate PR) for the required services. All four policies default to disabled so the chart can be installed safely without doop.