open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

gator: null initContainers combined with securityContext MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). #3463

Open zmedico opened 4 months ago

zmedico commented 4 months ago

What steps did you take and what happened: With gator a null initContainers combined with securityContext MustNotExist pathTest triggers this error:

$ gator expand < <(yq -c . expansion-templates.yaml; yq -c . tetrisdefaultsecuritycontext-init.yaml; yq -c . cilium-dnsproxy_daemonset.yaml)
error expanding resources: error expanding resource cilium-dnsproxy: failed to mutate resultant resource cilium-dnsproxy-pod: mutation caaa4af9-4739-476a-9d3b-052fa2de87d9 for mutator Assign.mutations.gatekeeper.sh /tetrisdefaultsecuritycontext-init failed for Pod kube-system cilium-dnsproxy-pod: mismatch between path entry (type: List) and received object (type: <nil>). Path: [name: *]

gator-yaml-input.zip

This is the mutation which interacts badly with the null initContainers (also included in the attached zip file):

---
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: tetrisdefaultsecuritycontext-init
spec:
  applyTo:
  - groups:
    - ""
    kinds:
    - Pod
    versions:
    - v1
  location: spec.initContainers[name:*].securityContext
  parameters:
    assign:
      value:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        privileged: false
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    pathTests:
    - condition: MustNotExist
      subPath: spec.initContainers[name:*].securityContext

What did you expect to happen: Maybe it could behave as though the initContainers is missing when it is set to null.

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:
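The behaviour the reporter asks for, as an added illustration that is not Gatekeeper's code: a small path walker for a location like `spec.initContainers[name:*].securityContext` that treats an explicit `initContainers: null` the same as an absent field when evaluating a MustNotExist path test, and only reports a type mismatch when the field is present and non-null but not a list. The `[key:*]` glob is simplified to "any element of the list", and `NullInitContainersPod` is a constructed stand-in for the failing Pod.

```go
package main

import (
	"fmt"
	"strings"
)

// PathExists reports whether a Gatekeeper-style location such as
// "spec.initContainers[name:*].securityContext" resolves to a non-null value in
// a decoded YAML/JSON object. Illustrative walker, not Gatekeeper's own: an
// absent or null field counts as "does not exist", only a present non-null value
// of the wrong type is an error, and a "[key:*]" glob means "any list element".
func PathExists(obj interface{}, location string) (bool, error) {
	return walk(obj, strings.Split(location, "."))
}

func walk(node interface{}, segs []string) (bool, error) {
	if len(segs) == 0 {
		return node != nil, nil
	}
	m, ok := node.(map[string]interface{})
	if node == nil { // absent or explicit null: nothing further can exist
		return false, nil
	} else if !ok {
		return false, fmt.Errorf("mismatch at %q: want object, got %T", segs[0], node)
	}
	seg := segs[0]
	i := strings.Index(seg, "[")
	if i < 0 || !strings.HasSuffix(seg, ":*]") { // plain field
		return walk(m[seg], segs[1:])
	}
	list := m[seg[:i]] // "[name:*]" glob over a list field
	items, ok := list.([]interface{})
	if list == nil {
		return false, nil // e.g. "initContainers: null": nothing to match
	} else if !ok {
		return false, fmt.Errorf("mismatch at %q: want list, got %T", seg, list)
	}
	for _, item := range items {
		if found, err := walk(item, segs[1:]); err != nil || found {
			return found, err
		}
	}
	return false, nil
}

// NullInitContainersPod mirrors the issue's failing input (constructed sample).
func NullInitContainersPod() map[string]interface{} {
	return map[string]interface{}{"spec": map[string]interface{}{"initContainers": nil}}
}
```

With this reading, the MustNotExist test on a null `initContainers` simply passes (nothing exists under the path) instead of aborting the mutation with a type mismatch.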

stale[bot] commented 2 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.