Comments (10)
Hi @propyless. Are you using the @parameters tag by chance? If so, it is intentional that Konstraint does not create a Constraint resource because it does not know what parameters you intend to use.
If you aren't using that tag, please upload a full example policy you're using that does not create the Constraint so we can troubleshoot further.
from konstraint.
Hi! Thanks so much for the fast response.
I am indeed using the parameters tag.
I was using this as an example at work to play around with konstraint: https://github.com/plexsystems/konstraint/blob/main/examples/required-labels/src.rego
# @title Required Labels
#
# This policy allows you to require certain labels are set on a resource.
# Adapted from https://github.com/open-policy-agent/gatekeeper/blob/master/example/templates/k8srequiredlabels_template.yaml
#
# @kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
# @parameter labels array string
package required_labels

import data.lib.core

policyID := "P0002"

violation[msg] {
    missing := missing_labels
    count(missing) > 0
    msg := core.format_with_id(sprintf("%s/%s: Missing required labels: %v", [core.kind, core.name, missing]), policyID)
}

missing_labels = missing {
    provided := {label | core.labels[label]}
    required := {label | label := input.parameters.labels[_]}
    missing := required - provided
}
But this is really just what it looked like. I'm not really sure if I follow regarding the comment around not knowing what parameters it will use; still pretty new to OPA, so I don't understand the connection there. If you have the time for an explanation I'd love one :P
from konstraint.
The ConstraintTemplate resource includes the policy, but it does not target any resources. Multiple Constraint references can reference the same ConstraintTemplates, but target different namespaces, resource kinds, etc.
When you use the @parameter tag, you are specifying that the ConstraintTemplate should accept parameters from the Constraint resources. Konstraint creates the ConstraintTemplate with the metadata to accept parameters, but since it does not know what values for the parameters you want to use, it cannot create any Constraints.
from konstraint.
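The maintainer's point above is that the @parameter tag tells Konstraint the ConstraintTemplate takes parameters, while the values live in Constraint resources that somebody has to author. The following script is an added example, not Konstraint's own code: it reads the @title, @kinds and @parameter header comments of a policy (the required-labels example from this thread, embedded as a constructed sample) and emits a Constraint manifest with placeholder parameter values, which is the "replace-me" approach the thread goes on to discuss. It assumes the Constraint kind is the title with spaces removed and uses the constraints.gatekeeper.sh/v1beta1 apiVersion; both are assumptions, not taken from this page.

```python
import json
import re

# Constructed sample policy header; mirrors the required-labels example.
SAMPLE_POLICY = """\
# @title Required Labels
#
# This policy allows you to require certain labels are set on a resource.
#
# @kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
# @parameter labels array string
package required_labels
"""

# Placeholder value per parameter type; strings stay visibly unfilled
# so an unpatched Constraint cannot silently pass as a real one.
PLACEHOLDERS = {"string": "replace-me", "boolean": False, "number": 0}


def parse_annotations(policy_text):
    """Return (title, kinds, parameters) from the @-tag header comments."""
    title, kinds, parameters = None, [], []
    for line in policy_text.splitlines():
        if not line.startswith("#"):
            break  # the header block ends at the first non-comment line
        body = line.lstrip("#").strip()
        if body.startswith("@title "):
            title = body[len("@title "):].strip()
        elif body.startswith("@kinds "):
            kinds.extend(body.split()[1:])
        elif body.startswith("@parameter "):
            parts = body.split()[1:]
            if len(parts) < 2:
                raise ValueError(f"malformed @parameter tag: {line!r}")
            # "@parameter labels array string" -> name, type, array item type
            item = parts[2] if len(parts) > 2 else None
            parameters.append((parts[0], parts[1], item))
    if title is None:
        raise ValueError("policy has no @title tag")
    return title, kinds, parameters


def group_kinds(kinds):
    """Turn 'group/Kind' entries into Gatekeeper match.kinds entries.

    The annotation spells the core API group as 'core'; a Kubernetes
    apiGroups selector spells it as the empty string.
    """
    groups = {}
    for entry in kinds:
        group, _, kind = entry.partition("/")
        if not kind:
            raise ValueError(f"kind must be written as group/Kind: {entry!r}")
        api_group = "" if group == "core" else group
        groups.setdefault(api_group, []).append(kind)
    return [{"apiGroups": [g], "kinds": ks} for g, ks in groups.items()]


def placeholder_parameters(parameters):
    """Build spec.parameters with one placeholder per declared parameter."""
    result = {}
    for name, kind, item in parameters:
        if kind == "array":
            result[name] = [PLACEHOLDERS.get(item, "replace-me")]
        else:
            result[name] = PLACEHOLDERS.get(kind, "replace-me")
    return result


def build_constraint(policy_text):
    """Assemble the Constraint manifest as a plain dict."""
    title, kinds, parameters = parse_annotations(policy_text)
    kind_name = re.sub(r"\s+", "", title)  # assumption: "Required Labels" -> RequiredLabels
    return {
        "apiVersion": "constraints.gatekeeper.sh/v1beta1",  # assumption
        "kind": kind_name,
        "metadata": {"name": kind_name.lower()},
        "spec": {
            "match": {"kinds": group_kinds(kinds)},
            "parameters": placeholder_parameters(parameters),
        },
    }


if __name__ == "__main__":
    # JSON is valid YAML, so the output can be handed to kubectl or kustomize.
    print(json.dumps(build_constraint(SAMPLE_POLICY), indent=2))
```

Run it and patch `spec.parameters.labels` per namespace with a kustomize overlay; the placeholder makes a forgotten patch obvious at review time rather than at enforcement time.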
Ah right, so it only really creates constraints for "generic" ConstraintTemplates. Is it possible to force it to create a constraint anyway?
The use case would be, for example, that you want to target different namespaces with their own parameters, but then use, for example, kustomize to modify the "constraint" before applying it to the cluster.
And just populate the parameter values with "replace-me" or something?
from konstraint.
Gonna hijack my own issue with another issue.. I've written tests for it, and have been running opa test with it and that's working.. so it seems like something with the @kinds? But removing all the comments at the top doesn't resolve the issue either.
# @title Disallow duplicate ingress hosts
#
# This policy prevents creating duplicate ingress hosts
#
# @kinds extensions/Ingress networking.k8s.io/Ingress
package disallowDuplicateIngressHost

import data.lib.core
import data.kubernetes.ingresses

policyID := "P0003"

violation[{"msg": msg}] {
    # We define variables that we use as keys when iterating through the ingresses dictionary
    some other_ns, other_ingress
    # Extract the host part of the request's JSON object
    host := input.request.object.spec.rules[_].host
    # Get all the existing ingresses. Make sure you identify the namespace (other_ns) and the ingress name (other_ingress)
    ingress := ingresses[other_ns][other_ingress]
    # We are not interested in Ingress requests in the same namespace
    other_ns != input.request.namespace
    # Do we have an existing ingress that has a host matching the one in the ingress definition?
    ingress.spec.rules[_].host == host
    # If yes, then this policy is violated. We need to send an informative message
    # to the client detailing which part of the ingress violated the policy
    msg := core.format_with_id(sprintf("invalid ingress host %q (conflicts with %v/%v)",
        [host, other_ns, other_ingress]), policyID)
}
When running konstraint create with this file, I get a panic.
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x8377c9]
goroutine 1 [running]:
github.com/plexsystems/konstraint/internal/rego.getRecursiveImportPaths(0xc000239cb0, 0xc00022d150, 0x4, 0x4, 0x5)
/home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:385 +0x149
github.com/plexsystems/konstraint/internal/rego.parseDirectory(0x7ffe1fcf45db, 0x1, 0xc000230950, 0xc000239530, 0xc00022d428, 0x40f3b0, 0xc000235400)
/home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:233 +0xea5
github.com/plexsystems/konstraint/internal/rego.GetViolations(0x7ffe1fcf45db, 0x1, 0xc000230960, 0xc000230930, 0xc00022d698, 0x40f3b0, 0x203000)
/home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:72 +0x50
github.com/plexsystems/konstraint/internal/commands.runCreateCommand(0x7ffe1fcf45db, 0x1, 0x10, 0xd96ae0)
/home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/commands/create.go:65 +0x50
github.com/plexsystems/konstraint/internal/commands.newCreateCommand.func1(0xc0001ddb80, 0xc000230b00, 0x1, 0x1, 0x0, 0x0)
/home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/commands/create.go:53 +0x3bf
github.com/spf13/cobra.(*Command).execute(0xc0001ddb80, 0xc000230ad0, 0x1, 0x1, 0xc0001ddb80, 0xc000230ad0)
/home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:850 +0x47c
github.com/spf13/cobra.(*Command).ExecuteC(0xc0001dd8c0, 0x0, 0xffffffff, 0xc000182058)
/home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
/home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
main.main()
/home/nikon/Code/go/src/github.com/jalseth/konstraint/main.go:10 +0x2a
Any idea what could be wrong here?
from konstraint.
@propyless it looks like it's not able to find all of your imports correctly since it's failing on getRecursiveImportPaths (https://github.com/plexsystems/konstraint/blob/main/internal/rego/rego.go#L380)
We attempt to find the Rego files for all of your imports so they can be added into the template. What does your directory structure look like? Do you have a package called kubernetes.ingresses in a rego file somewhere in the current or parent directories?
from konstraint.
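The maintainer's reply above describes the step the stack trace is failing in: every `import data.<package>` in a policy has to map to a Rego file declaring that package so the library can be copied into the template, and the panic was the tool dereferencing an import it could not resolve. The following checker is an added example, not Konstraint's code, that performs that resolution over an in-memory set of Rego sources (constructed here to mirror the thread: the ingress policy, a `lib.core` helper and a `lib.helpers` it pulls in, and no file for `kubernetes.ingresses`) and reports unresolved packages instead of crashing. Running something like it over a policy directory before `konstraint create` flags a missing library early.

```python
import re

PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)", re.MULTILINE)
IMPORT_RE = re.compile(r"^\s*import\s+data\.([\w.]+)", re.MULTILINE)

# Constructed sample sources keyed by path; kubernetes.ingresses is
# deliberately absent, as in the thread.
SAMPLE_FILES = {
    "policies/ingress-host/src.rego": (
        "package disallowDuplicateIngressHost\n"
        "import data.lib.core\n"
        "import data.kubernetes.ingresses\n"
        'violation[{"msg": msg}] { msg := "placeholder" }\n'
    ),
    "lib/core.rego": (
        "package lib.core\n"
        "import data.lib.helpers\n"
        'format_with_id(msg, id) = sprintf("%s: %s", [id, msg])\n'
    ),
    "lib/helpers.rego": "package lib.helpers\n",
}


def index_packages(files):
    """Map each declared package path (e.g. 'lib.core') to its file."""
    packages = {}
    for path, text in files.items():
        match = PACKAGE_RE.search(text)
        if match is None:
            raise ValueError(f"{path}: no package declaration")
        if match.group(1) in packages:
            raise ValueError(f"package {match.group(1)} declared twice")
        packages[match.group(1)] = path
    return packages


def imports_of(text):
    """Return the data.* package paths a Rego source imports."""
    return IMPORT_RE.findall(text)


def resolve_imports(files, entry_path):
    """Return (library_files, missing_packages) for the policy at entry_path.

    Imports are followed transitively (a library's own imports count too).
    A package with no backing file is reported, which is the check whose
    absence surfaced as the nil-pointer panic in the thread.
    """
    packages = index_packages(files)
    seen = {entry_path}
    queue = [entry_path]
    library_files, missing = [], []
    while queue:
        path = queue.pop(0)
        for pkg in imports_of(files[path]):
            target = packages.get(pkg)
            if target is None:
                missing.append(pkg)
            elif target not in seen:
                seen.add(target)
                library_files.append(target)
                queue.append(target)
    return library_files, sorted(set(missing))


if __name__ == "__main__":
    deps, unresolved = resolve_imports(SAMPLE_FILES, "policies/ingress-host/src.rego")
    print("library files to bundle:", deps)
    print("unresolved imports:", unresolved)
```

To use it on a real tree, build the `files` dict by reading every `*.rego` under the policy root (and the parent directories Konstraint searches) and treat a non-empty `missing` list as a failed pre-flight check.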
Ah.. I understand. I was following this tutorial from OPA https://www.openpolicyagent.org/docs/v0.26.0/kubernetes-tutorial/ and also using the code from https://www.magalix.com/blog/enforce-ingress-best-practices-using-opa. I was writing the tests for it while mucking about, and when running konstraint create . that's when I hit this error.
It's most likely the data.kubernetes.ingresses import that is causing the failure. I thought it was some kind of built-in lib that I was using, since the tutorial doesn't specify if there are any libs I need to download etc.
from konstraint.
Found another example here: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/uniqueingresshost/template.yaml
but they seem to use data.inventory instead of data.kubernetes. I'm not really sure in which docs they found data.inventory..
edit: seems there's a reference here, but I haven't found a reference to it in the gatekeeper docs..
https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template
from konstraint.
data.inventory is used for accessing resources in OPA's cache (https://github.com/open-policy-agent/frameworks/blob/master/constraint/README.md#rego-semantics-for-constraints)
We had a discussion about potentially incorporating it into Konstraint a while ago, but never proceeded: #16
from konstraint.
The panic error that resulted when a policy was not found has been resolved in v0.12.0. If your issue still persists and/or there's still some confusion around data.inventory, please feel free to reopen!
from konstraint.
from konstraint.