source:generated within constraint.yaml causes gator verify to fail about gatekeeper HOT 7 OPEN

Thanks for reporting the issue.
Is the desire to block workload resources that generate pod resources? if so, does what you have work with gator test and does gatekeeper webhook validation work? if you use workload resources (e.g. deployment) as part of the test suite, does gator verify work as intended?

from gatekeeper.

Thanks for reporting the issue. Is the desire to block workload resources that generate pod resources? if so, does what you have work with gator test and does gatekeeper webhook validation work? if you use workload resources (e.g. deployment) as part of the test suite, does gator verify work as intended?

The desire is to be able to run the expansionTemplate ONLY on Generated resources by explicitly setting the source: "Generated" on the constraint.yaml . When i was testing with gator test it did work the way it should. here's the test I ran:

cat  << EOF | gator test -f opa/general/forbidden-sysctls -f opa/general/expansion
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        capabilities:
          add:
          - SYS_ADMIN
        sysctls:
        - name: test
          value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
EOF
apps/v1/Deployment hello: ["k8spspforbiddensysctls"] Message: "[Implied by expand-deployments] The sysctl test is not explicitly allowed, pod: hello-pod. Allowed sysctls: [\"vm.max_map_count\"]"

from gatekeeper.

The source field on the match API, present in the Mutation and Constraint kinds, specifies if the config should match Generated ( i.e. fake) resources, Original resources, or both. The source field is an enum which accepts the following values:
Generated – the config will only apply to expanded resources, and will not apply to any real resources on the cluster

https://open-policy-agent.github.io/gatekeeper/website/docs/expansion

In your test suite, the pod yaml is not a fake resource.

When you remove Generated from the constraint resource, it worked because:

All – the config will apply to both Generated and Original resources. This is the default value.

from gatekeeper.

The source field on the match API, present in the Mutation and Constraint kinds, specifies if the config should match Generated ( i.e. fake) resources, Original resources, or both. The source field is an enum which accepts the following values:
Generated – the config will only apply to expanded resources, and will not apply to any real resources on the cluster

https://open-policy-agent.github.io/gatekeeper/website/docs/expansion

In your test suite, the pod yaml is not a fake resource.

When you remove Generated from the constraint resource, it worked because:

All – the config will apply to both Generated and Original resources. This is the default value.

The source field on the match API, present in the Mutation and Constraint kinds, specifies if the config should match Generated ( i.e. fake) resources, Original resources, or both. The source field is an enum which accepts the following values:
Generated – the config will only apply to expanded resources, and will not apply to any real resources on the cluster

https://open-policy-agent.github.io/gatekeeper/website/docs/expansion

In your test suite, the pod yaml is not a fake resource.

When you remove Generated from the constraint resource, it worked because:

All – the config will apply to both Generated and Original resources. This is the default value.

ok i changed the allowed and disallowed.yaml to a deployment and its still failing:

> gator verify opa/tests/... 
    --- FAIL: disallowed        (0.003s)
        unexpected number of violations: got 0 violations but want at least 1: got messages []
--- FAIL: forbidden-sysctls     (0.009s)
FAIL    opa/tests/forbidden-sysctls/suite.yaml  0.009s

Error: FAIL

allowed.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        sysctls:
        - name: vm.max_map_count
          value: "242144"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010

disallowed.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        capabilities:
          add:
          - SYS_ADMIN
        sysctls:
        - name: test
          value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010

constraint.yaml

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: k8spspforbiddensysctls
spec:
  enforcementAction: warn
  match:
    excludedNamespaces:
      - gatekeeper
      - kube-system
    kinds:
      - apiGroups:
          - ''
        kinds:
          - Pod
    source: Generated
  parameters:
    allowedSysctls:
      - vm.max_map_count
    forbiddenSysctls: []

from gatekeeper.

@ritazh Is there way to inform gator verify that there is an expansion thats needed?

from gatekeeper.

I don't see it in gator verify if we were to add it, it would be somewhere here:

from gatekeeper.

@ritazh - Thank you for your help with this. Then I would like to request this as a feature.

from gatekeeper.