search

open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0
3.72k stars 765 forks source link

objectTracker: Unexpected observations prevent tracker from reaching satisfied state #1023

Closed shomron closed 3 years ago

shomron commented 3 years ago

objectTracker supports out-of-order expectations and observations. However, if an unexpected observation is made and never subsequently expected, the tracker will never reach its "satisfied" state.

Is this expected behavior or a bug?

Consider the following test which currently fails:

// Verify that unexpected observations do not prevent the tracker from reaching its satisfied state.
func Test_ObjectTracker_Unexpected_Does_Not_Prevent_Satisfied(t *testing.T) {
    g := gomega.NewWithT(t)
    ot := newObjTracker(schema.GroupVersionKind{})
    ct := makeCT("test-ct")
    ot.Observe(ct)
    g.Expect(ot.Satisfied()).NotTo(gomega.BeTrue(), "unpopulated tracker should not be satisfied")

    // ** Do not expect the above observation **

    ot.ExpectationsDone()
    g.Expect(ot.Satisfied()).To(gomega.BeTrue(), "should have been satisfied")
}

This is currently due to how needMutate is calculated in objectTracker.Satisfied.

shomron commented 3 years ago

@maxsmythe @brycecr I'd love your input on this!

brycecr commented 3 years ago

Seems like a bug in our book. @julianKatz would you be able to take a look?