
Comments (10)

jalseth avatar jalseth commented on July 18, 2024

Hi @propyless. Are you using the @parameters tag by chance? If so, it is intentional that Konstraint does not create a Constraint resource because it does not know what parameters you intend to use.

If you aren't using that tag, please upload a full example policy you're using that does not create the Constraint so we can troubleshoot further.

from konstraint.

propyless avatar propyless commented on July 18, 2024

Hi! Thanks so much for the fast response.
I am indeed using the parameters tag.

I was using this as an example at work to play around with konstraint: https://github.com/plexsystems/konstraint/blob/main/examples/required-labels/src.rego

# @title Required Labels
#
# This policy allows you to require certain labels are set on a resource.
# Adapted from https://github.com/open-policy-agent/gatekeeper/blob/master/example/templates/k8srequiredlabels_template.yaml
#
# @kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
# @parameter labels array string

package required_labels

import data.lib.core

policyID := "P0002"

violation[msg] {
    missing := missing_labels
    count(missing) > 0

    msg := core.format_with_id(sprintf("%s/%s: Missing required labels: %v", [core.kind, core.name, missing]), policyID)
}

missing_labels = missing {
    provided := {label | core.labels[label]}
    required := {label | label := input.parameters.labels[_]}
    missing := required - provided
}

But this is really just what it looked like. I'm not really sure if I follow regarding the comment around not knowing what parameters it will use; I'm still pretty new to OPA so I don't understand the connection there. If you have the time for an explanation I'd love one :P


jalseth avatar jalseth commented on July 18, 2024

The ConstraintTemplate resource includes the policy, but it does not target any resources. Multiple Constraint references can reference the same ConstraintTemplates, but target different namespaces, resource kinds, etc.

When you use the @parameter tag, you are specifying that the ConstraintTemplate should accept parameters from the Constraint resources. Konstraint creates the ConstraintTemplate with the metadata to accept parameters, but since it does not know what values for the parameters you want to use, it cannot create any Constraints.

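To make the split jalseth describes concrete, here is an added Go example (my own code, not Konstraint's): it reads the `@parameter` tag from the required-labels policy quoted above, builds the parameter schema a ConstraintTemplate would carry, and then validates the parameter values that separate Constraints supply for different namespaces. Everything past the tag grammar is assumed: the Go type names, the per-namespace label lists, the space after `#` in the tag line, and the schema subset handled (string and array only).

```go
package main

import (
	"fmt"
	"strings"
)

const requiredLabelsHeader = `# @title Required Labels
# @kinds apps/DaemonSet apps/Deployment apps/StatefulSet core/Pod
# @parameter labels array string
package required_labels`

// ParamDecl is one "# @parameter <name> <type> [<item type>]" tag (my own types, not Konstraint's code).
type ParamDecl struct {
	Name, Type, ItemType string // ItemType is only set when Type is "array"
}

// ParseParameterTags reads the @parameter tags out of a policy's comment header.
func ParseParameterTags(rego string) ([]ParamDecl, error) {
	var decls []ParamDecl
	for _, line := range strings.Split(rego, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[0] != "#" || f[1] != "@parameter" {
			continue
		}
		d := ParamDecl{Name: f[2], Type: f[3]}
		if d.Type == "array" {
			if len(f) < 5 {
				return nil, fmt.Errorf("@parameter %s: an array needs an item type", d.Name)
			}
			d.ItemType = f[4]
		}
		decls = append(decls, d)
	}
	return decls, nil
}

// Schema is the subset of openAPIV3Schema the ConstraintTemplate carries for its
// parameters: the shape of input.parameters, with no values in it.
type Schema struct {
	Type       string
	Items      *Schema            // element schema when Type is "array"
	Properties map[string]*Schema // declared parameters when Type is "object"
}

// ParameterSchema builds that schema: the "metadata to accept parameters".
func ParameterSchema(decls []ParamDecl) *Schema {
	s := &Schema{Type: "object", Properties: map[string]*Schema{}}
	for _, d := range decls {
		p := &Schema{Type: d.Type}
		if d.Type == "array" {
			p.Items = &Schema{Type: d.ItemType}
		}
		s.Properties[d.Name] = p
	}
	return s
}

// Validate checks one Constraint's parameter values against the schema, as the API
// server does through the generated CRD, so a typo or wrong type never reaches the policy.
func Validate(s *Schema, params map[string]interface{}) error {
	for name, v := range params {
		p, ok := s.Properties[name]
		if !ok {
			return fmt.Errorf("parameter %q is not declared by the template", name)
		}
		if err := check(p, v); err != nil {
			return fmt.Errorf("parameter %q: %w", name, err)
		}
	}
	return nil
}

func check(s *Schema, v interface{}) error {
	if s.Type == "array" {
		items, ok := v.([]interface{})
		if !ok {
			return fmt.Errorf("expected an array, got %T", v)
		}
		for i, it := range items {
			if err := check(s.Items, it); err != nil {
				return fmt.Errorf("item %d: %w", i, err)
			}
		}
		return nil
	}
	if _, ok := v.(string); s.Type == "string" && ok {
		return nil // the only scalar type this example handles
	}
	return fmt.Errorf("expected %s, got %T", s.Type, v)
}

func main() {
	decls, _ := ParseParameterTags(requiredLabelsHeader)
	schema := ParameterSchema(decls)
	// One template, several Constraints: each namespace supplies its own label list (constructed values).
	for ns, params := range map[string]map[string]interface{}{
		"team-a": {"labels": []interface{}{"app", "owner"}},
		"team-b": {"labels": []interface{}{"app"}},
		"team-c": {"labels": "app"}, // not an array: rejected by the schema
	} {
		fmt.Printf("constraint for %s: %v\n", ns, Validate(schema, params))
	}
}
```

The `team-c` entry is the point of the exercise: the values live in the Constraint, not in the template, so the template alone cannot produce a Constraint, and a value of the wrong shape is rejected by the schema before Gatekeeper ever evaluates the Rego.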

propyless avatar propyless commented on July 18, 2024

Ah right, so it only really creates constraints for "generic" ConstraintTemplates. Is it possible to force it to create a constraint anyway?
The use case would be, for example, that you want to target different namespaces with their own parameters, but then use kustomize, for example, to modify the "constraint" before applying it to the cluster.
And just populate the parameter values with "replace-me" or something?


propyless avatar propyless commented on July 18, 2024

Gonna hijack my own issue with another issue. I've written tests for it and have been running opa test with it, and that's working, so it seems like something with the @kinds? But removing all the comments at the top doesn't resolve the issue either.

# @title Disallow duplicate ingress hosts
#
# This policy prevents creating duplicate ingress hosts
#
# @kinds extensions/Ingress networking.k8s.io/Ingress
package disallowDuplicateIngressHost

import data.lib.core
import data.kubernetes.ingresses

policyID := "P0003"

violation[msg] {
    # We define variables that we use as keys when iterating through the ingresses dictionary
    some other_ns, other_ingress

    # Extract the host part of the request's JSON object
    host := input.request.object.spec.rules[_].host

    # Get all the existing ingresses. Make sure you identify the namespace (other_ns) and the ingress name (other_ingress)
    ingress := ingresses[other_ns][other_ingress]

    # We are not interested in Ingress requests in the same namespace
    other_ns != input.request.namespace

    # Do we have an existing ingress that has a host matching the one in the ingress definition?
    ingress.spec.rules[_].host == host

    # If yes, then this policy is violated. We need to send an informative message
    # to the client detailing which part of the ingress violated the policy.
    # core.format_with_id already builds the violation object, so it is added to the
    # set directly, as in the required-labels example above, rather than wrapped in
    # another {"msg": ...}.
    msg := core.format_with_id(sprintf("invalid ingress host %q (conflicts with %v/%v)",
        [host, other_ns, other_ingress]), policyID)
}

When running konstraint create with this file, I get a panic.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x8377c9]

goroutine 1 [running]:
github.com/plexsystems/konstraint/internal/rego.getRecursiveImportPaths(0xc000239cb0, 0xc00022d150, 0x4, 0x4, 0x5)
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:385 +0x149
github.com/plexsystems/konstraint/internal/rego.parseDirectory(0x7ffe1fcf45db, 0x1, 0xc000230950, 0xc000239530, 0xc00022d428, 0x40f3b0, 0xc000235400)
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:233 +0xea5
github.com/plexsystems/konstraint/internal/rego.GetViolations(0x7ffe1fcf45db, 0x1, 0xc000230960, 0xc000230930, 0xc00022d698, 0x40f3b0, 0x203000)
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/rego/rego.go:72 +0x50
github.com/plexsystems/konstraint/internal/commands.runCreateCommand(0x7ffe1fcf45db, 0x1, 0x10, 0xd96ae0)
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/commands/create.go:65 +0x50
github.com/plexsystems/konstraint/internal/commands.newCreateCommand.func1(0xc0001ddb80, 0xc000230b00, 0x1, 0x1, 0x0, 0x0)
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/internal/commands/create.go:53 +0x3bf
github.com/spf13/cobra.(*Command).execute(0xc0001ddb80, 0xc000230ad0, 0x1, 0x1, 0xc0001ddb80, 0xc000230ad0)
        /home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:850 +0x47c
github.com/spf13/cobra.(*Command).ExecuteC(0xc0001dd8c0, 0x0, 0xffffffff, 0xc000182058)
        /home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:958 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
        /home/nikon/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
main.main()
        /home/nikon/Code/go/src/github.com/jalseth/konstraint/main.go:10 +0x2a

Any idea what could be wrong here?


jpreese avatar jpreese commented on July 18, 2024

@propyless it looks like it's not able to find all of your imports correctly since it's failing on getRecursiveImportPaths (https://github.com/plexsystems/konstraint/blob/main/internal/rego/rego.go#L380)

We attempt to find the Rego files for all of your imports so they can be added into the template. What does your directory structure look like? Do you have a package called kubernetes.ingresses in a rego file somewhere in the current or parent directories?

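An added Go example of the import walk jpreese describes; it is my own illustration, not Konstraint's `getRecursiveImportPaths`. It resolves `import data.*` lines against a constructed map of package name to Rego source (standing in for the files found on disk), follows imports recursively, and turns an import with no matching package into an error naming the import chain rather than a nil dereference. The package map, the `regoFiles` name and the assumption that every import names a whole package are mine.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-in for the Rego files Konstraint finds by walking the policy
// directory, keyed by package name. kubernetes.ingresses is deliberately absent,
// as it was for the policy in this thread.
var regoFiles = map[string]string{
	"disallowDuplicateIngressHost": "package disallowDuplicateIngressHost\n\nimport data.lib.core\nimport data.kubernetes.ingresses\n",
	"lib.core":                     "package lib.core\n\nimport data.lib.kubernetes\n",
	"lib.kubernetes":               "package lib.kubernetes\n",
}

// importsOf returns the "data." paths a Rego source imports, without the prefix.
// Only whole-package imports are handled; importing a single rule inside a
// package would need the real parser.
func importsOf(src string) []string {
	var paths []string
	for _, line := range strings.Split(src, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "import data.") {
			continue
		}
		path := strings.TrimPrefix(line, "import data.")
		if i := strings.Index(path, " as "); i >= 0 {
			path = path[:i] // drop an alias
		}
		paths = append(paths, path)
	}
	return paths
}

// ResolveImports returns every package the named policy transitively imports, sorted.
// An import with no matching file is reported as an error that names the missing
// package and the chain that led to it, instead of being dereferenced as a nil file.
func ResolveImports(pkg string, files map[string]string) ([]string, error) {
	seen := map[string]bool{pkg: true}
	var walk func(string) error
	walk = func(p string) error {
		src, ok := files[p]
		if !ok {
			return fmt.Errorf("no Rego file declares package %s", p)
		}
		for _, dep := range importsOf(src) {
			if seen[dep] {
				continue // already resolved, or an import cycle
			}
			seen[dep] = true
			if err := walk(dep); err != nil {
				return fmt.Errorf("%s imports data.%s: %w", p, dep, err)
			}
		}
		return nil
	}
	if err := walk(pkg); err != nil {
		return nil, err
	}
	delete(seen, pkg)
	deps := make([]string, 0, len(seen))
	for d := range seen {
		deps = append(deps, d)
	}
	sort.Strings(deps)
	return deps, nil
}

func main() {
	_, err := ResolveImports("disallowDuplicateIngressHost", regoFiles)
	fmt.Println("without kubernetes.ingresses:", err)

	// Supply the missing package and the same walk succeeds.
	withLib := map[string]string{"kubernetes.ingresses": "package kubernetes.ingresses\n"}
	for k, v := range regoFiles {
		withLib[k] = v
	}
	deps, err := ResolveImports("disallowDuplicateIngressHost", withLib)
	fmt.Println("with kubernetes.ingresses:", deps, err)
}
```

The first call fails with a message that says which policy imported the package nobody declares, which is the information the stack trace above withholds; the second shows the transitive set (`lib.kubernetes` is pulled in through `lib.core`) that a tool like Konstraint has to bundle into the ConstraintTemplate.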

propyless avatar propyless commented on July 18, 2024

Ah, I understand. I was following this tutorial from OPA https://www.openpolicyagent.org/docs/v0.26.0/kubernetes-tutorial/ and also using the code from https://www.magalix.com/blog/enforce-ingress-best-practices-using-opa. I was writing the tests for it while mucking about, and when running konstraint create . that's when I hit this error.

It's most likely the data.kubernetes.ingresses import that is causing the failure. I thought it was some kind of built-in lib that I was using, since the tutorial doesn't specify if there are any libs I need to download etc.


propyless avatar propyless commented on July 18, 2024

Found another example here: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/uniqueingresshost/template.yaml

But they seem to use data.inventory instead of data.kubernetes. I'm not really sure in which docs they found data.inventory.
edit: seems there's a reference here, but I haven't found a reference to it in the Gatekeeper docs:
https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template


jpreese avatar jpreese commented on July 18, 2024

data.inventory is used for accessing resources in OPA's cache (https://github.com/open-policy-agent/frameworks/blob/master/constraint/README.md#rego-semantics-for-constraints)

We had a discussion about potentially incorporating it into Konstraint a while ago, but never proceeded: #16


jpreese avatar jpreese commented on July 18, 2024

The panic error that resulted when a policy was not found has been resolved in v0.12.0. If your issue still persists and/or there's still some confusion around data.inventory, please feel free to reopen!

