Closed linus-astrom closed 3 months ago
Only that particular constraint? Found a chart setting but I believe it applies widely.
Yes, I would like it to be only the specified constraint, as it's the one causing problems.
Unable to reproduce this.
Per the validating webhook configuration, this policy should not be involved in deletions at all.
We have found that the Gatekeeper `update` operation can be used as a `delete` operation under specific circumstances.
For example with the NetworkPolicy constraint, if it's set to deny and you have a Deployment and a NetworkPolicy for that Deployment and you delete the NetworkPolicies, then you can normally delete the Deployment afterwards.
But if you have the same situation and the only change is that the Deployment uses a finalizer, then after you delete the NetworkPolicy you will not be able to fully delete the Deployment and it will be stuck in pending deletion, since the Kubernetes API action for finalizers would edit the key `.metadata.deletionTimestamp`, or if the delete is fast enough it will be trying to empty out its `metadata.finalizers` field. Both actions would be prevented, since the `update` operation can only be done when a Deployment has a NetworkPolicy, which was deleted in this case.
This makes the `update` operation act as a `delete` operation for this Gatekeeper constraint.
Description
Change this Gatekeeper constraint to no longer activate on delete actions, as it could otherwise make Deployments and other resources get stuck in pending deletion if the associated NetworkPolicy gets deleted before the Deployment is, or if both resources get deleted at the same time, depending on the finalizer.
Additional context
No response
Definition of done
`opa.networkPolicies.enforcement` set to `deny`.
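As an added illustration (not the project's own template, which the thread does not show), here is a hypothetical Gatekeeper ConstraintTemplate in the style of the constraint discussed above that exempts objects already carrying a `deletionTimestamp`, so the finalizer updates described in the comment are no longer rejected. The template name, the inventory lookup and the label-subset check are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenetworkpolicy   # hypothetical name, not the project's template
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNetworkPolicy
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenetworkpolicy

        # Only the API server sets metadata.deletionTimestamp, and it does so
        # on the UPDATE requests that process finalizers. Exempting such
        # objects lets the deletion finish without opening a bypass, since a
        # client cannot set that field on a live object through the API.
        terminating {
          input.review.object.metadata.deletionTimestamp
        }

        pod_labels := input.review.object.spec.template.metadata.labels

        # A NetworkPolicy in the same namespace whose podSelector.matchLabels
        # is a subset of the Deployment's pod labels selects its pods.
        # NetworkPolicy objects must be replicated into data.inventory via a
        # Gatekeeper sync config for this lookup to see them (assumed here).
        covered {
          ns := input.review.object.metadata.namespace
          np := data.inventory.namespace[ns]["networking.k8s.io/v1"]["NetworkPolicy"][_]
          selector := object.get(np.spec.podSelector, "matchLabels", {})
          matched := {k | v := selector[k]; pod_labels[k] == v}
          count(matched) == count(selector)
        }

        violation[{"msg": msg}] {
          input.review.kind.kind == "Deployment"
          not terminating
          not covered
          msg := sprintf("Deployment %v/%v has no NetworkPolicy selecting its pods", [input.review.object.metadata.namespace, input.review.object.metadata.name])
        }
```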