Open malexander2012 opened 1 week ago
Thanks for reporting the issue.
Is the desire to block workload resources that generate pod resources? If so, does what you have work with gator test, and does gatekeeper webhook validation work? If you use workload resources (e.g. deployment) as part of the test suite, does gator verify work as intended?
The desire is to be able to run the expansionTemplate ONLY on Generated resources by explicitly setting source: "Generated" on the constraint.yaml. When I was testing with gator test it did work the way it should. Here's the test I ran:
```shell
cat << EOF | gator test -f opa/general/forbidden-sysctls -f opa/general/expansion
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        capabilities:
          add:
            - SYS_ADMIN
        sysctls:
          - name: test
            value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
EOF
```
apps/v1/Deployment hello: ["k8spspforbiddensysctls"] Message: "[Implied by expand-deployments] The sysctl test is not explicitly allowed, pod: hello-pod. Allowed sysctls: [\"vm.max_map_count\"]"
The source field on the match API, present in the Mutation and Constraint kinds, specifies if the config should match Generated (i.e. fake) resources, Original resources, or both. The source field is an enum which accepts the following values: Generated – the config will only apply to expanded resources, and will not apply to any real resources on the cluster.
https://open-policy-agent.github.io/gatekeeper/website/docs/expansion
In your test suite, the pod yaml is not a fake resource.
When you remove Generated from the constraint resource, it worked because:
All – the config will apply to both Generated and Original resources. This is the default value.
OK, I changed the allowed and disallowed.yaml to a deployment and it's still failing:
```text
> gator verify opa/tests/...
--- FAIL: disallowed (0.003s)
unexpected number of violations: got 0 violations but want at least 1: got messages []
--- FAIL: forbidden-sysctls (0.009s)
FAIL opa/tests/forbidden-sysctls/suite.yaml 0.009s
Error: FAIL
```
allowed.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        sysctls:
          - name: vm.max_map_count
            value: "242144"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
```
disallowed.yaml
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello
  template:
    metadata:
      labels:
        app: hello
    spec:
      securityContext:
        capabilities:
          add:
            - SYS_ADMIN
        sysctls:
          - name: test
            value: "1024"
      containers:
        - name: hello
          image: busybox
          command: ["sh", "-c"]
          args:
            - sleep 36010
```
constraint.yaml
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPForbiddenSysctls
metadata:
  name: k8spspforbiddensysctls
spec:
  enforcementAction: warn
  match:
    excludedNamespaces:
      - gatekeeper
      - kube-system
    kinds:
      - apiGroups:
          - ''
        kinds:
          - Pod
    source: Generated
  parameters:
    allowedSysctls:
      - vm.max_map_count
    forbiddenSysctls: []
```
@ritazh Is there a way to inform gator verify that there is an expansion that's needed?
I don't see it in gator verify. If we were to add it, it would be somewhere here: https://github.com/open-policy-agent/gatekeeper/blob/2af6dfabb4827b86d5d2c696e3d3169d2811806a/pkg/gator/verify/runner.go#L295
to add something like: https://github.com/open-policy-agent/gatekeeper/blob/2af6dfabb4827b86d5d2c696e3d3169d2811806a/pkg/gator/test/test.go#L98
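To make the behaviour discussed in this thread concrete (the match.source semantics explained above, and why gator verify reports 0 violations for a Deployment while gator test does not), here is a small added model, not Gatekeeper's own code: it derives a Pod from a Deployment the way the expand-deployments template would, applies the constraint's source rule, and runs a simplified version of the forbidden-sysctls check. The "<name>-pod" naming and the "generated" marker are assumptions of this model; the Deployment data is constructed to mirror disallowed.yaml.

```python
# Added illustration (not Gatekeeper's own code): a minimal model of how
# ExpansionTemplate expansion and the constraint's match.source interact.
from typing import Dict, List

ALLOWED_SYSCTLS = ["vm.max_map_count"]  # from constraint.yaml in this thread

# Constructed Deployment, mirroring disallowed.yaml from the issue.
DISALLOWED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "hello"},
    "spec": {"template": {"spec": {
        "securityContext": {"sysctls": [{"name": "test", "value": "1024"}]},
        "containers": [{"name": "hello", "image": "busybox"}],
    }}},
}

def expand_deployment(dep: Dict) -> Dict:
    """Model of the expand-deployments ExpansionTemplate: derive a Pod from
    spec.template. The '<name>-pod' naming mirrors the 'pod: hello-pod' in
    the gator test output above; the 'generated' marker is an assumption."""
    return {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": dep["metadata"]["name"] + "-pod", "generated": True},
        "spec": dep["spec"]["template"]["spec"],
    }

def source_matches(source: str, resource: Dict) -> bool:
    """match.source semantics from the expansion docs: Generated matches only
    expanded resources, Original only real ones, All (the default) both."""
    generated = resource["metadata"].get("generated", False)
    return {"All": True, "Generated": generated, "Original": not generated}[source]

def forbidden_sysctl_violations(resource: Dict, source: str = "All") -> List[str]:
    """Simplified K8sPSPForbiddenSysctls check: only Pods are in match.kinds,
    and only when match.source admits the resource."""
    if resource["kind"] != "Pod" or not source_matches(source, resource):
        return []
    sysctls = resource["spec"].get("securityContext", {}).get("sysctls", [])
    return [f"The sysctl {s['name']} is not explicitly allowed, pod: "
            f"{resource['metadata']['name']}"
            for s in sysctls if s["name"] not in ALLOWED_SYSCTLS]

def review(dep: Dict, source: str, expand: bool) -> List[str]:
    """gator test runs expansion (expand=True); gator verify currently does not."""
    resources = [dep] + ([expand_deployment(dep)] if expand else [])
    return [v for r in resources for v in forbidden_sysctl_violations(r, source)]
```

With expansion the generated hello-pod violates under both Generated and All; without expansion a Deployment never reaches a Pod-scoped constraint, which is the 0-violation result seen in the gator verify output above.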
@ritazh - Thank you for your help with this. Then I would like to request this as a feature.
What steps did you take and what happened: I'm using expansionTemplates for the gatekeeper-library policies I'm importing. I'm explicitly setting spec.match.source: "Generated" on the constraint.yaml file. I am also using gator verify for testing. I'm having issues where I set the source: "Generated" and my gator verify fails. When I remove source: "Generated" from the constraint.yaml it passes.
Failed test:
What did you expect to happen: I expected the gator verify opa/tests/... to pass.
constraint.yaml:
template.yaml
suite.yaml:
disallowed.yaml:
allowed:
expansionTemplate
kubectl version: v1.29.4