Comments (4)
@dulltz If you don't use the parameters functionality, you can just remove it from your lib.core so it won't be included in the generated templates. Otherwise, you can open an issue in the upstream project to remove that hardcoded value.
from konstraint.
This appears to be a case of two somewhat opinionated tools disagreeing. Konstraint and its libraries were built explicitly to allow for creating policies that could be tested locally with Conftest and then deployed to Gatekeeper without any changes. In order to emulate Gatekeeper's parameters functionality with Conftest, we must set core.parameters to data.parameters when the policy is evaluated outside of Gatekeeper. Of course, when running in Gatekeeper data.parameters is never actually referenced.
That validation tool appears to perform static analysis for validation and then attempts to output the Gatekeeper resources. However, when it attempts to create the ConstraintTemplate, its upstream parsing logic is hardcoded to only allow references that start with data.lib. This restriction does not make sense in the context of Konstraint, so these two tools are incompatible in some scenarios, at least until that restriction is lifted on their end.
from konstraint.
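As an added illustration (not code from Konstraint, Gatekeeper or the validation tool), the following check lists the data.* references in a policy's Rego that fall outside data.lib, which is the restriction described in the comment above. The function names, the sample Rego and the regex-based scan are assumptions made for this example; the actual upstream check works on the parsed module rather than on text.

```python
import re

# Constructed sample modelled on the fragment quoted in this thread;
# it is not the project's actual lib.core.
SAMPLE_REGO = '''
package lib.core

import data.lib.helpers  # allowed: stays under data.lib

parameters = input.parameters {
    is_gatekeeper
}

# outside Gatekeeper (e.g. Conftest) fall back to data.parameters
parameters = data.parameters {
    not is_gatekeeper
}

hint := "see data.inventory"
'''

# Double-quoted strings, raw (backtick) strings and comments, in scan order.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|`[^`]*`|#[^\n]*')
# A data.<root> reference that is not part of a longer name such as input.data.x.
_DATA_REF = re.compile(r'(?<![\w.])data\.([A-Za-z_]\w*)')


def strip_strings_and_comments(rego):
    """Blank out strings and comments, keeping newlines so line numbers hold."""
    return _STRING_OR_COMMENT.sub(
        lambda m: re.sub(r'[^\n]', ' ', m.group(0)), rego)


def disallowed_data_refs(rego, allowed_root="lib"):
    """Return (line, reference) pairs for data.* refs outside data.<allowed_root>."""
    findings = []
    cleaned = strip_strings_and_comments(rego)
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for match in _DATA_REF.finditer(line):
            if match.group(1) != allowed_root:
                findings.append((lineno, match.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, ref in disallowed_data_refs(SAMPLE_REGO):
        print(f"line {lineno}: {ref} is outside data.lib")
```

Run against the Rego embedded in a generated ConstraintTemplate, a non-empty result means the template will trip a tool that only accepts data.lib references.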
Awesome cheers! Happy this isn't a Konstraint issue (after understanding Rego a bit better now and with that explanation) -- I have worked around this for now by using the commit of Konstraint just before #80 but hopefully that hardcoded restriction can be removed from OPA at some point.
from konstraint.
@dippynark @jalseth
After all, how do you work around this issue?
I would like to know if there is a better solution than manually removing the data.parameters from the generated ConstraintTemplate.
Now I make the following changes every time after running konstraint create.
$ git diff
diff --git a/constraints/overlays/staging/template_ApplicationTenant.yaml b/constraints/overlays/staging/template_ApplicationTenant.yaml
index d01f144..be187cc 100755
--- a/constraints/overlays/staging/template_ApplicationTenant.yaml
+++ b/constraints/overlays/staging/template_ApplicationTenant.yaml
@@ -57,10 +57,6 @@ spec:
is_gatekeeper
}
- parameters = data.parameters {
- not is_gatekeeper
- }
-
has_field(obj, field) {
not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
}
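Review bot: the three removed lines (parameters = data.parameters { not is_gatekeeper }) are deleted from template_ApplicationTenant.yaml, which is output of konstraint create, so the change is overwritten on every regeneration and has to be repeated by hand for each generated template. The removed rule is the branch guarded by "not is_gatekeeper", so evaluation inside Gatekeeper should not depend on it, but the hand edit is easy to forget and makes the committed template diverge from what the tool produces. Suggest either removing the rule from the local copy of lib.core, as proposed earlier in the thread, or scripting the removal as a step that runs right after konstraint create, so the committed template is reproducible.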
from konstraint.