Comments (7)
Thanks for reporting the issue. Is the desire to block workload resources that generate pod resources? If so, does what you have work with `gator test`, and does Gatekeeper webhook validation work? If you use workload resources (e.g. Deployment) as part of the test suite, does `gator verify` work as intended?
from gatekeeper.
The desire is to be able to run the ExpansionTemplate ONLY on Generated resources by explicitly setting `source: "Generated"` on the constraint.yaml. When I was testing with `gator test` it did work the way it should. Here's the test I ran:
```shell
cat << EOF | gator test -f opa/general/forbidden-sysctls -f opa/general/expansion
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        # note: capabilities belongs under a container's securityContext, not the
        # pod's; it is not what the sysctl constraint checks
        capabilities:
          add:
            - SYS_ADMIN
        sysctls:
          - name: test
            value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
EOF
```

Output:

```
apps/v1/Deployment hello: ["k8spspforbiddensysctls"] Message: "[Implied by expand-deployments] The sysctl test is not explicitly allowed, pod: hello-pod. Allowed sysctls: [\"vm.max_map_count\"]"
```
from gatekeeper.
> The source field on the match API, present in the Mutation and Constraint kinds, specifies if the config should match Generated (i.e. fake) resources, Original resources, or both. The source field is an enum which accepts the following values:
>
> Generated – the config will only apply to expanded resources, and will not apply to any real resources on the cluster

https://open-policy-agent.github.io/gatekeeper/website/docs/expansion

In your test suite, the pod yaml is not a fake resource.

When you remove `Generated` from the constraint resource, it worked because:

> All – the config will apply to both Generated and Original resources. This is the default value.
from gatekeeper.
OK, I changed allowed.yaml and disallowed.yaml to a Deployment and it's still failing:

```
> gator verify opa/tests/...
--- FAIL: disallowed (0.003s)
unexpected number of violations: got 0 violations but want at least 1: got messages []
--- FAIL: forbidden-sysctls (0.009s)
FAIL opa/tests/forbidden-sysctls/suite.yaml 0.009s
Error: FAIL
```
allowed.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        sysctls:
          - name: vm.max_map_count
            value: "242144"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
```
disallowed.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        # note: capabilities belongs under a container's securityContext, not the
        # pod's; it is not what the sysctl constraint checks
        capabilities:
          add:
            - SYS_ADMIN
        sysctls:
          - name: test
            value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
```
constraint.yaml

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: k8spspforbiddensysctls
spec:
  enforcementAction: warn
  match:
    excludedNamespaces:
      - gatekeeper
      - kube-system
    kinds:
      - apiGroups:
          - ''
        kinds:
          - Pod
    source: Generated
  parameters:
    allowedSysctls:
      - vm.max_map_count
    forbiddenSysctls: []
```
from gatekeeper.
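The two runs in this thread, `gator test` with the expansion file (which reports a violation on `hello-pod`) and `gator verify` over a suite whose constraint uses `source: Generated` (which reports none), differ only in whether the Deployment is expanded into a Pod before the constraint sees it. The Go program below is an added illustration written for this page, not Gatekeeper's or gator's own code: it models the documented `match.source` values, a stand-in for the `expand-deployments` ExpansionTemplate, and the thread's constraint, then evaluates a Pod suite and a Deployment suite with and without expansion. The `Resource`, `Constraint`, `Evaluate` and `ExpandDeployment` names, the exact-name sysctl match and the "<deployment>-pod" naming are simplifying assumptions; the real template, the Rego in the library and the gator runners are considerably richer.

```go
package main

import "fmt"

// Source holds the values Gatekeeper documents for match.source.
type Source string

const (
	SourceAll       Source = "All" // the default when the field is omitted
	SourceGenerated Source = "Generated"
	SourceOriginal  Source = "Original"
)

// Sysctl is one entry of securityContext.sysctls.
type Sysctl struct{ Name, Value string }

// Resource is a minimal stand-in for a Kubernetes object (assumed shape). For a
// Deployment, Sysctls stands for spec.template.spec.securityContext.sysctls;
// Generated marks a fake object produced by an ExpansionTemplate.
type Resource struct {
	APIGroup  string // "" for core, "apps" for Deployments
	Kind      string
	Name      string
	Sysctls   []Sysctl
	Generated bool
}

// Constraint models the parts of K8sPSPForbiddenSysctls used in the thread.
type Constraint struct {
	MatchKinds     map[string]bool // "apiGroup/Kind" -> matched
	Source         Source
	AllowedSysctls []string
}

// matches applies the documented source semantics on top of the kinds match.
func (c Constraint) matches(r Resource) bool {
	if !c.MatchKinds[r.APIGroup+"/"+r.Kind] {
		return false
	}
	if c.Source == SourceGenerated {
		return r.Generated // only expanded (fake) resources
	}
	if c.Source == SourceOriginal {
		return !r.Generated // only real resources
	}
	return true // All, or unset: both
}

// Violations returns the messages the constraint produces for one object
// (exact-name allow list only; the real template's matching is richer).
func (c Constraint) Violations(r Resource) []string {
	if !c.matches(r) {
		return nil
	}
	var msgs []string
	for _, s := range r.Sysctls {
		ok := false
		for _, a := range c.AllowedSysctls {
			ok = ok || a == s.Name
		}
		if !ok {
			msgs = append(msgs, fmt.Sprintf("The sysctl %s is not explicitly allowed, pod: %s. Allowed sysctls: %v",
				s.Name, r.Name, c.AllowedSysctls))
		}
	}
	return msgs
}

// ExpandDeployment mimics an ExpansionTemplate for apps/v1 Deployments: it derives
// a Generated Pod named "<deployment>-pod" from the pod template (assumed naming).
func ExpandDeployment(d Resource) Resource {
	return Resource{Kind: "Pod", Name: d.Name + "-pod", Sysctls: d.Sysctls, Generated: true}
}

// Evaluate runs the constraint over objs. expand=false ignores ExpansionTemplates
// (what the thread reports for gator verify); expand=true also evaluates the
// generated Pods, as gator test does when the expansion file is passed with -f.
func Evaluate(c Constraint, objs []Resource, expand bool) []string {
	var all []string
	for _, o := range objs {
		all = append(all, c.Violations(o)...)
		if expand && o.APIGroup == "apps" && o.Kind == "Deployment" {
			all = append(all, c.Violations(ExpandDeployment(o))...)
		}
	}
	return all
}

// ForbiddenSysctls is the thread's constraint (Pods only, vm.max_map_count
// allowed) with the source value left as a parameter so scenarios can vary it.
func ForbiddenSysctls(src Source) Constraint {
	return Constraint{MatchKinds: map[string]bool{"/Pod": true}, Source: src,
		AllowedSysctls: []string{"vm.max_map_count"}}
}

func main() {
	bad := []Sysctl{{Name: "test", Value: "1024"}} // constructed sample input
	pod := Resource{Kind: "Pod", Name: "hello", Sysctls: bad}
	deploy := Resource{APIGroup: "apps", Kind: "Deployment", Name: "hello", Sysctls: bad}
	fmt.Println("Pod suite, source Generated:            ", len(Evaluate(ForbiddenSysctls(SourceGenerated), []Resource{pod}, false)))
	fmt.Println("Pod suite, source All:                  ", len(Evaluate(ForbiddenSysctls(SourceAll), []Resource{pod}, false)))
	fmt.Println("Deployment, source Generated, no expand:", len(Evaluate(ForbiddenSysctls(SourceGenerated), []Resource{deploy}, false)))
	fmt.Println("Deployment, source Generated, expanded: ", Evaluate(ForbiddenSysctls(SourceGenerated), []Resource{deploy}, true))
}
```

The four scenarios reproduce the thread: a Pod suite with `source: Generated` yields nothing because the Pod is an Original resource; dropping `source` (All) makes the same Pod fail; a Deployment suite with `source: Generated` yields nothing when no expansion happens, because the constraint matches only Pods and no Pod exists; and with expansion the generated `hello-pod` fails as it did under `gator test`.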
@ritazh Is there a way to inform `gator verify` that there is an expansion that's needed?
from gatekeeper.
I don't see it in `gator verify`. If we were to add it, it would be somewhere here:

gatekeeper/pkg/gator/verify/runner.go, line 295 in 2af6dfa

to add something like:

gatekeeper/pkg/gator/test/test.go, line 98 in 2af6dfa
from gatekeeper.
@ritazh - Thank you for your help with this. Then I would like to request this as a feature.
from gatekeeper.