Comments (4)
@globalundo can you please share your ConstraintTemplate, constraint, and request that should have returned a warning?
For constraints using warn enforcementAction, gatekeeper should be returning a 299 status code:
gatekeeper/pkg/webhook/policy.go (line 69 at 45e4552)
@ritazh while preparing a minimal set of ConstraintTemplate, constraint, and request to reproduce the issue, I have managed to locate an exact issue:
- in all our constraints we have a multi-line violation message.
- a violation is printed correctly when enforcementAction is deny
- no message is printed if enforcementAction is warn
Here's a minimal example:

```yaml
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDeny
metadata:
  name: deny-all-requests-in-namespace
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDenyMultiline
metadata:
  name: deny-all-requests-in-namespace-multiline
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: alwaysdenymultiline
spec:
  crd:
    spec:
      names:
        kind: AlwaysDenyMultiline
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package alwaysdeny

        violation[{"msg": "All requests are denied by this policy \n multiline message"}] {
          true
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: alwaysdeny
spec:
  crd:
    spec:
      names:
        kind: AlwaysDeny
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package alwaysdeny

        violation[{"msg": "All requests are denied by this policy."}] {
          true
        }
```
Now, with `enforcementAction: deny`:

```console
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-requests-in-namespace-multiline] All requests are denied by this policy
multiline message
[deny-all-requests-in-namespace] All requests are denied by this policy.
```

However, with `enforcementAction: warn` only the single-line violation message is present:

```console
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Warning: [deny-all-requests-in-namespace] All requests are denied by this policy.
```
The multi-line warning message did work in a previous OPA Gatekeeper version, but I cannot pinpoint after which version this stopped working.
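As an added illustration, not code from Gatekeeper or Kubernetes, the Go snippet below models the constraint a warn-mode message has to satisfy. Per the earlier comment, the API server hands webhook warnings to the client as HTTP `Warning` headers with code 299, and an HTTP header value is a single line: a raw newline is a control character that cannot appear in it. A message that renders fine in a deny response (where it is part of the JSON body) therefore may not survive as a warning. `WarningHeader` and `FlattenForWarning` are hypothetical helpers written for this example; the two messages are the ones from the templates in the report, and the "-" agent and 299 code are assumptions about the header shape.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Constructed sample messages, copied from the two ConstraintTemplates in the report.
const (
	singleLineMsg = "All requests are denied by this policy."
	multiLineMsg  = "All requests are denied by this policy \n multiline message"
)

// ErrInvalidWarningText is returned for text that cannot be placed in a header value.
var ErrInvalidWarningText = errors.New("warning text must be valid UTF-8 and must not contain control characters")

// WarningHeader renders text as an RFC 7234 warning-value, `299 - "<text>"`
// (code 299, empty agent "-"; assumed shape). A header value is one line, so any
// control character, a newline included, makes the message unusable and is rejected.
func WarningHeader(text string) (string, error) {
	if !utf8.ValidString(text) || strings.IndexFunc(text, unicode.IsControl) != -1 {
		return "", ErrInvalidWarningText
	}
	// quoted-string: backslash and double quote must be escaped
	escaped := strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(text)
	return fmt.Sprintf(`299 - "%s"`, escaped), nil
}

// FlattenForWarning turns every control character into a space and collapses
// runs of whitespace, so a multi-line violation message still fits on one line.
func FlattenForWarning(msg string) string {
	cleaned := strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return ' '
		}
		return r
	}, msg)
	return strings.Join(strings.Fields(cleaned), " ")
}

// CheckViolationMessages reports, for each message, the header that would be
// emitted as-is, or the flattened form that would be needed for it to be emitted.
func CheckViolationMessages(msgs []string) map[string]string {
	out := make(map[string]string, len(msgs))
	for _, m := range msgs {
		if h, err := WarningHeader(m); err == nil {
			out[m] = "ok: " + h
			continue
		}
		h, _ := WarningHeader(FlattenForWarning(m)) // flattened text has no control chars
		out[m] = "needs flattening: " + h
	}
	return out
}

func main() {
	for msg, verdict := range CheckViolationMessages([]string{singleLineMsg, multiLineMsg}) {
		fmt.Printf("%q -> %s\n", msg, verdict)
	}
}
```

Running the check over a template's violation messages before switching a constraint from `deny` to `warn` shows which messages need a single-line form; `FlattenForWarning` is one way to produce it without losing the wording.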
I don't think Gatekeeper has changed any of its violation-reporting-via-webhook logic recently. Is this perhaps related to a Kubernetes or kubectl version change?