Comments (5)
Confirmed the problem with multi-line violation message.
With single-line message it works!
K8S server: v1.28.4
Gatekeeper: openpolicyagent/gatekeeper:v3.17.0
from gatekeeper.
@globalundo can you please share your ConstraintTemplate, constraint, and request that should have returned a warning?
For constraints using warn enforcementAction, gatekeeper should be returning a 299 status code:
gatekeeper/pkg/webhook/policy.go
Line 69 in 45e4552
from gatekeeper.
@ritazh while preparing a minimal set of ConstraintTemplate, constraint, and request to reproduce the issue, I have managed to locate an exact issue:
- in all our constants we have a multi-line violation message.
- a violation is printed correctly when enforcementAction is deny
- no message is printed if enforcementAction is warn
Here's a minimal example:
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDeny
metadata:
name: deny-all-requests-in-namespace
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- "default"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: AlwaysDenyMultiline
metadata:
name: deny-all-requests-in-namespace-multiline
spec:
enforcementAction: deny
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
namespaces:
- "default"
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: alwaysdenymultiline
spec:
crd:
spec:
names:
kind: AlwaysDenyMultiline
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package alwaysdeny
violation[{"msg": "All requests are denied by this policy \n multiline message"}] {
true
}
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: alwaysdeny
spec:
crd:
spec:
names:
kind: AlwaysDeny
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package alwaysdeny
violation[{"msg": "All requests are denied by this policy."}] {
true
}
Now, with enforcementAction:deny
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [deny-all-requests-in-namespace-multiline] All requests are denied by this policy
multiline message
[deny-all-requests-in-namespace] All requests are denied by this policy.
However, with enforcementAction:warn only a single line violation message is present:
$ kubectl run -i --rm --tty podinfo -n default --image=stefanprodan/podinfo --restart=Never
Warning: [deny-all-requests-in-namespace] All requests are denied by this policy.
The multi-line warning message did work in previous OPA Gatekeeper version, but I can not pinpoint at after what version this has stopped working.
from gatekeeper.
I don't think Gatekeeper has changed any of its violation-reporting-via-webhook logic recently. Is this perhaps related to a Kubernetes or kubectl version change?
from gatekeeper.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper.
Related Issues (20)
- helm chart produces incorrect network policy for controller manager HOT 1
- Gatekeeper constraints not correctly evaluating `PriorityClass` objects HOT 4
- GK mutation and K8s mutating admission policy HOT 1
- Remove alpha flags from values and add conditional checks before setting flags through helm
- Common function to report errors on constraint.status
- Log alpha status for existing alpha features/flags when in use HOT 1
- constraint status error in 3.17.0-rc HOT 3
- Modify Pub/Sub interface to common exporter interface
- Verify that Gatekeeper CRDs are not affected by K8s CABundle validation on CRD
- Assess if Gatekeeper CRs can use Custom Resource Field Selectors
- Move pkg/driver/k8snative from framework
- Unable to find custom azure policy under kubectl get constrainttemplates in AKS cluster
- docs(website): add Alibaba Cloud to the list of managed services using Gatekeeper
- generateVap errors for rego-only constraint templates in audit/controller pod logs with 3.17 HOT 1
- Helm chart - lint failure in templates/gatekeeper-controller-manager-poddisruptionbudget.yaml HOT 1
- Setting non-default image breaks deployment due to release tag mis-match.
- Gatekeeper is not enforcing policy when istio-sidecar-injection is enabled on a namespace HOT 2
- Add CI test to verify lint errors in helm charts
- Gatekeeper Does not trigger on run pod HOT 5
- Unable to deny namespace deletion. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper.