GoogleCloudPlatform / policy-library

A library of constraint templates and sample constraints for Constraint Framework tools
Apache License 2.0

Constraint Template naming requirement #92

Open t12g opened 5 years ago

t12g commented 5 years ago

When trying to feed the template YAML files to a Kubernetes cluster with Gatekeeper installed, they got denied by the Gatekeeper admission controller.

Sample error message:

Error from server (Template's name gcp-always-violates-v1 is not equal to the CRD's plural name: gcpalwaysviolatesconstraintsv1): error when creating "config-validator/dev/policy-library/policies/templates/gcp_always_violates_v1.yaml": admission webhook "validation.gatekeeper.sh" denied the request: Template's name gcp-always-violates-v1 is not equal to the CRD's plural name: gcpalwaysviolatesconstraintsv1

Looks like Gatekeeper is requiring that the constraint template's name (under metadata) be the same as the CRD's plural name. This convention is not enforced in the policy library today.
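A pre-submit lint for the mismatch reported above, as an added example that is not part of the original issue or of the policy-library code. It compares a template's metadata.name with the CRD plural name, assuming the plural is declared at spec.crd.spec.names.plural; the sample template is constructed from the names in the error message, and scalar_paths and check_template_name are hypothetical helpers.

```python
import re

# Constructed sample built from the names in the error message above. The layout
# (plural declared under spec.crd.spec.names) is an assumption, not from the issue.
SAMPLE_TEMPLATE = """\
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
  name: gcp-always-violates-v1
spec:
  crd:
    spec:
      names:
        kind: GCPAlwaysViolatesConstraintV1
        plural: gcpalwaysviolatesconstraintsv1
"""

# Minimal reader for nested "key: value" mappings; not a general YAML parser.
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*?)\s*$")

def scalar_paths(text):
    """Map dotted key paths to scalar values for plain block-style mappings."""
    stack, found = [], {}  # stack holds (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        m = KEY_LINE.match(raw.split(" #", 1)[0])  # drop trailing comments
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        path = ".".join([k for _, k in stack] + [key])
        if value:
            found.setdefault(path, value)  # keep the first occurrence of a path
        else:
            stack.append((indent, key))
    return found

def check_template_name(text):
    """Return None when metadata.name equals the CRD plural name, else a message."""
    paths = scalar_paths(text)
    name = paths.get("metadata.name")
    plural = paths.get("spec.crd.spec.names.plural")
    if name is None or plural is None:
        return "template is missing metadata.name or spec.crd.spec.names.plural"
    if name != plural:
        return f"Template's name {name} is not equal to the CRD's plural name: {plural}"
    return None

if __name__ == "__main__":
    print(check_template_name(SAMPLE_TEMPLATE))
```

Run over every file in the templates directory before applying them, a non-None result flags a template that the admission webhook would reject for this reason.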

t12g commented 5 years ago

@maxsmythe Is this naming convention expected to stay going forward?

maxsmythe commented 5 years ago

I think it's nice to enforce some consistency. Ideally I'd like to automate the naming.

yunus commented 4 years ago

I have a pull request, at least to create a starting point: https://github.com/forseti-security/policy-library/pull/193