GithubHelp home page GithubHelp logo

Comments (5)

andrevcf avatar andrevcf commented on September 27, 2024 1

Confirmed the problem with multi-line violation message.
With single-line message it works!

K8S server: v1.28.4
Gatekeeper: openpolicyagent/gatekeeper:v3.17.0

from gatekeeper.

ritazh avatar ritazh commented on September 27, 2024

@globalundo can you please share your ConstraintTemplate, constraint, and request that should have returned a warning?
For constraints using warn enforcementAction, gatekeeper should be returning a 299 status code:

gatekeeper/pkg/webhook/policy.go

Line 69 in 45e4552

const httpStatusWarning = 299

from gatekeeper.

globalundo avatar globalundo commented on September 27, 2024

@ritazh while preparing a minimal set of ConstraintTemplate, constraint, and request to reproduce the issue, I have managed to locate an exact issue:

  • in all our constants we have a multi-line violation message.
  • a violation is printed correctly when enforcementAction is deny
  • no message is printed if enforcementAction is warn

Here's a minimal example:

---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDeny
metadata:
  name: deny-all-requests-in-namespace
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDenyMultiline
metadata:
  name: deny-all-requests-in-namespace-multiline
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      - "default"
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: alwaysdenymultiline
spec:
  crd:
    spec:
      names:
        kind: AlwaysDenyMultiline
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package alwaysdeny

        violation[{"msg": "All requests are denied by this policy \n multiline message"}] {
          true
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: alwaysdeny
spec:
  crd:
    spec:
      names:
        kind: AlwaysDeny
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package alwaysdeny

        violation[{"msg": "All requests are denied by this policy."}] {
          true
        }

Now, with enforcementAction:deny

$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo  --restart=Never 
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-requests-in-namespace-multiline] All requests are denied by this policy 
 multiline message
[deny-all-requests-in-namespace] All requests are denied by this policy.

However, with enforcementAction:warn only a single line violation message is present:

$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo  --restart=Never 
Warning: [deny-all-requests-in-namespace] All requests are denied by this policy.

The multi-line warning message did work in previous OPA Gatekeeper version, but I can not pinpoint at after what version this has stopped working.

from gatekeeper.

maxsmythe avatar maxsmythe commented on September 27, 2024

I don't think Gatekeeper has changed any of its violation-reporting-via-webhook logic recently. Is this perhaps related to a Kubernetes or kubectl version change?

from gatekeeper.

stale avatar stale commented on September 27, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

from gatekeeper.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.