Open flavio opened 4 hours ago
Current Behavior
I've created a CEL-based policy that targets a sub-resource. The policy fails at runtime with the following error message:
```
wrong object format: metadata not found in object
```
Expected Behavior
The policy is evaluated without failing
Steps To Reproduce
I've created the following policy:
```yaml
apiVersion: policies.kubewarden.io/v1
kind: AdmissionPolicy
metadata:
  annotations:
  name: "block-kubectl-exec"
spec:
  module: ghcr.io/kubewarden/policies/cel-policy:v1.2.1
  settings:
    variables:
      - name: "replicas"
        expression: "object.spec.replicas"
    validations:
      - expression: "request.name == 'alpine'"
        message: "cannot connect to pods with label flavio set"
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CONNECT"]
      resources: ["pods/exec", "pods/attach", "pods/portforward"]
  backgroundAudit: false
```
Then run the following command:
```
kubectl exec -ti alpine -- ash
```
This will fail with the following error:
```
Error from server: admission webhook "namespaced-default-block-kubectl-exec.kubewarden.admission" denied the request: wrong object format: metadata not found in object
```
The CEL code fails because the admission object is not the usual one:
```json
{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1",
  "request": {
    "uid": "ab70f6b0-5d91-42df-96d4-747b2153e7df",
    "kind": {
      "group": "",
      "version": "v1",
      "kind": "PodExecOptions"
    },
    "resource": {
      "group": "",
      "version": "v1",
      "resource": "pods"
    },
    "subResource": "exec",
    "requestKind": {
      "group": "",
      "version": "v1",
      "kind": "PodExecOptions"
    },
    "requestResource": {
      "group": "",
      "version": "v1",
      "resource": "pods"
    },
    "requestSubResource": "exec",
    "name": "alpine",
    "namespace": "default",
    "operation": "CONNECT",
    "userInfo": {
      "groups": [
        "system:masters",
        "system:authenticated"
      ],
      "username": "minikube-user"
    },
    "object": {
      "apiVersion": "v1",
      "command": [
        "ash"
      ],
      "container": "main",
      "kind": "PodExecOptions",
      "stdin": true,
      "stdout": true,
      "tty": true
    },
    "dryRun": false
  }
}
```
Environment
Kubewarden 1.17, running the latest stable release of the CEL policy
Anything else?
No response
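The difference between the `PodExecOptions` payload in this report and an ordinary resource payload, as an added example that is not part of the original issue and is not Kubewarden or cel-policy code: it checks which of the paths used in the reported policy a given admission request can supply, and where the target's name and namespace can be read instead. The function names and `DEPLOY_REQUEST` are hypothetical; both requests are constructed samples, the first trimmed from the one quoted above.

```python
# Constructed sample: trimmed copy of the CONNECT request quoted in the issue.
EXEC_REQUEST = {
    "kind": {"group": "", "version": "v1", "kind": "PodExecOptions"},
    "subResource": "exec", "name": "alpine", "namespace": "default",
    "operation": "CONNECT",
    "object": {"apiVersion": "v1", "kind": "PodExecOptions", "command": ["ash"],
               "container": "main", "stdin": True, "stdout": True, "tty": True},
}

# Constructed sample (assumption): an ordinary Deployment CREATE, for comparison.
DEPLOY_REQUEST = {
    "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
    "name": "web", "namespace": "default", "operation": "CREATE",
    "object": {"apiVersion": "apps/v1", "kind": "Deployment",
               "metadata": {"name": "web", "namespace": "default"},
               "spec": {"replicas": 3}},
}

_MISSING = object()  # sentinel: distinguishes "absent" from a JSON null

def resolve(request, path):
    """Walk a dotted path ('object.spec.replicas') over the two variables the
    issue's policy uses, `request` and `object`; _MISSING if a step is absent."""
    node = {"request": request, "object": request.get("object")}
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def unresolved_paths(request, paths):
    """Paths a policy dereferences that this request cannot supply."""
    return [p for p in paths if resolve(request, p) is _MISSING]

def target_identity(request):
    """(name, namespace, source) of the targeted resource: object.metadata when
    present, otherwise the request-level fields (sub-resource option objects)."""
    meta = resolve(request, "object.metadata")
    if isinstance(meta, dict):
        return meta.get("name"), meta.get("namespace"), "object.metadata"
    return request.get("name"), request.get("namespace"), "request"

if __name__ == "__main__":
    paths = ["object.metadata", "object.spec.replicas", "request.name"]
    for req in (EXEC_REQUEST, DEPLOY_REQUEST):
        print(req["operation"], unresolved_paths(req, paths), target_identity(req))
```

For the exec request only `request.name` resolves, so labels and any other pod metadata are not available from the payload itself.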