Comments (4)
ritazh
commented on September 23, 2024
@globalundo can you please share your ConstraintTemplate, constraint, and request that should have returned a warning?
For constraints using warn enforcementAction, gatekeeper should be returning a 299 status code:
gatekeeper/pkg/webhook/policy.go
Line 69 in 45e4552
from gatekeeper.
globalundo
commented on September 23, 2024
@ritazh while preparing a minimal set of ConstraintTemplate, constraint, and request to reproduce the issue, I have managed to locate an exact issue:
- in all our constants we have a multi-line violation message.
- a violation is printed correctly when enforcementAction is deny
- no message is printed if enforcementAction is warn
Here's a minimal example:
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDeny
metadata:
name: deny-all-requests-in-namespace
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- "default"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDenyMultiline
metadata:
name: deny-all-requests-in-namespace-multiline
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- "default"
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: alwaysdenymultiline
spec:
crd:
spec:
names:
kind: AlwaysDenyMultiline
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package alwaysdeny
violation[{"msg": "All requests are denied by this policy \n multiline message"}] {
true
}
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: alwaysdeny
spec:
crd:
spec:
names:
kind: AlwaysDeny
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package alwaysdeny
violation[{"msg": "All requests are denied by this policy."}] {
true
}
Now, with enforcementAction:deny
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-requests-in-namespace-multiline] All requests are denied by this policy
multiline message
[deny-all-requests-in-namespace] All requests are denied by this policy.
However, with enforcementAction:warn only a single line violation message is present:
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Warning: [deny-all-requests-in-namespace] All requests are denied by this policy.
The multi-line warning message did work in previous OPA Gatekeeper version, but I can not pinpoint at after what version this has stopped working.
from gatekeeper.
maxsmythe
commented on September 23, 2024
I don't think Gatekeeper has changed any of its violation-reporting-via-webhook logic recently. Is this perhaps related to a Kubernetes or kubectl version change?
from gatekeeper.
stale
commented on September 23, 2024
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper.
Related Issues (20)
- Add: app.kubernetes.io/name label to the Deployment object HOT 2
- Migrate psp Templates. HOT 2
- Add a flag for GK validating webhook to defer to vap
- admission webhook "validation.gatekeeper.sh" denied the request HOT 2
- publish images with microarch levels HOT 1
- gatekeeper-controller logs do not display HOT 1
- Metric names mismatch: `*_count` in document, `*_count_total` in actual behavior HOT 1
- OOMKilled as number of constraints grew HOT 4
- doc: Add a page to include all flag information in one place HOT 2
- New example for location value when using complex Labels HOT 1
- 404 Helm chart repo not found HOT 4
- Pass additional info in the mutation request to external data provider HOT 2
- Interpolation in mutation hooks for namespace or other parameters HOT 2
- Upgrade Gatekeeper to use Debian 12 Distroless HOT 3
- WebhookConfigurations(mutating and Validating) causing slow pod creation HOT 1
- Can't use Gator cli to verify opa with external_data
- Change chart to only set matchConditions on webhooks when the value parameter is not empty HOT 4
- Support `--log-stats-audit` / `--log-stats-admission` in Helm chart HOT 2
- validation latencies capped at 3 secs even though validatingWebhookTimeoutSeconds set at 5 HOT 2
- gatekeeper max supported qps for a single k8s cluster HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper.