open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

generateVap errors for rego-only constraint templates in audit/controller pod logs with 3.17 #3516

Closed martijnvdp closed 1 week ago

martijnvdp commented 2 weeks ago

What steps did you take and what happened: Seeing generateVap errors for all my rego-only constraint templates in audit/controller pod logs after updating gatekeeper to 3.17.0.

{"level":"error","ts":1724841820.2606826,"logger":"controller","msg":"generateVap error","kind":"ConstraintTemplate","process":"constraint_template_controller","template_name":"k8sallowedecrrepos","error":"K8sNativeValidation code not defined","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:261\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:222"}

What did you expect to happen: I would not expect these errors with this new gatekeeper version, as I'm using rego-only policies and gatekeeper only to generate vap for cel k8snative engine policies, not for rego policies.

Anything else you would like to add: Happens with all my templates; most of them are pulled from the policy library, i.e.: https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/pod-security-policy/host-namespaces/template.yaml

Environment:

martijnvdp commented 2 weeks ago

This https://github.com/open-policy-agent/gatekeeper/blob/1b2e626653b375f3957ca48616508681229501cf/vendor/github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/k8scel/schema/schema.go#L280 always seems to return the error "K8sNativeValidation code not defined" when a template only has Rego.

Called from here: https://github.com/open-policy-agent/gatekeeper/blob/1b2e626653b375f3957ca48616508681229501cf/pkg/controller/constrainttemplate/constrainttemplate_controller.go#L381
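
A triage sketch for the log noise reported above, added here as an example (it is not part of the issue thread or of Gatekeeper's code): it correlates `generateVap error` log lines with the `items` of `kubectl get constrainttemplates -o json` and separates errors on templates that carry no `K8sNativeValidation` code entry from errors that need a closer look. The function names and sample data are constructed, and the `spec.targets[].code[].engine` layout is an assumption about the ConstraintTemplate format.

```python
import json

CEL_ENGINE = "K8sNativeValidation"
ERR_TEXT = "K8sNativeValidation code not defined"  # error string from the issue

def has_cel_code(template):
    """True if any target carries a code entry for the CEL engine (assumed layout)."""
    for target in template.get("spec", {}).get("targets", []):
        for code in target.get("code") or []:
            if code.get("engine") == CEL_ENGINE:
                return True
    return False

def triage(log_lines, templates):
    """Return (rego_only, needs_review) template names seen in generateVap errors."""
    by_name = {t["metadata"]["name"]: t for t in templates}
    rego_only, needs_review = set(), set()
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines mixed into the pod log
        if not isinstance(entry, dict) or entry.get("msg") != "generateVap error":
            continue
        name = entry.get("template_name", "")
        tmpl = by_name.get(name)
        expected = (tmpl is not None and not has_cel_code(tmpl)
                    and ERR_TEXT in entry.get("error", ""))
        (rego_only if expected else needs_review).add(name)
    return sorted(rego_only), sorted(needs_review)

# Constructed sample data: one Rego-only template, one with a CEL code entry.
SAMPLE_TEMPLATES = [
    {"metadata": {"name": "k8sallowedecrrepos"},
     "spec": {"targets": [{"target": "admission.k8s.gatekeeper.sh",
                           "rego": "package k8sallowedecrrepos"}]}},
    {"metadata": {"name": "example-cel"},
     "spec": {"targets": [{"target": "admission.k8s.gatekeeper.sh",
                           "code": [{"engine": CEL_ENGINE, "source": {}},
                                    {"engine": "Rego", "source": {}}]}]}},
]
SAMPLE_LOGS = [
    '{"level":"error","msg":"generateVap error",'
    '"template_name":"k8sallowedecrrepos","error":"' + ERR_TEXT + '"}',
    '{"level":"error","msg":"generateVap error",'
    '"template_name":"example-cel","error":"constructed failure"}',
    "plain text line that is not JSON",
    '{"level":"info","msg":"unrelated message"}',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, SAMPLE_TEMPLATES))
```

Templates in the first list match the situation described in this issue; anything in the second list is a generateVap failure on a template that does define CEL code, or on a template that was not found, and deserves inspection.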