open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Gatekeeper Does not trigger on run pod #3538

Open lir1ka opened 2 months ago

lir1ka commented 2 months ago

What steps did you take and what happened:

I am testing gatekeeper in a testing cluster. I blocked access to the gatekeeper pods to check what would happen in this situation.

When I try to create a namespace:

Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": dial tcp 10.112.0.99:8443: i/o timeout

So, it is normal behavior.

But when I use the command kubectl run pod:

user@vmfordeploy:~/terraform-newlife$   kubectl run nginx --image=nginx
pod/nginx created

Gatekeeper did not block this operation and I created the pod without any problems. Why?

What did you expect to happen: Gatekeeper blocks creation of the resource.

Anything else you would like to add:

sozercan commented 2 months ago

@lir1ka what you are seeing is expected behavior for Kubernetes webhooks if the Gatekeeper controller deployments are not accessible. Please see https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed for further information.

lir1ka commented 2 months ago

@sozercan, hello! I understood that it is expected behavior (in the situation with the inability to create a namespace). But I still don't understand why I can create a pod.

JaydipGabani commented 1 month ago

@lir1ka You need to set validatingWebhookFailurePolicy: Fail if using helm, or set failurePolicy: Fail (default is Ignore) for the validation.gatekeeper.sh webhook (used for all admission events) - https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5205 - to deny the creation of the pod.

The situation you are facing is caused by the check-ignore-label.gatekeeper.sh webhook (used only for namespace admission events) - https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5251 - with its default failurePolicy set to Fail. You can use the validatingWebhookCheckIgnoreFailurePolicy helm variable to update the failurePolicy for the check-ignore-label.gatekeeper.sh webhook.
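The two webhooks described in this answer differ only in their failurePolicy, which is why one request fails closed and the other fails open. The following is an added example, not Gatekeeper's own code: it audits a ValidatingWebhookConfiguration for webhooks that are explicitly set to Ignore, and produces a hardened copy. The input is a constructed, pared-down copy of the two webhooks named in the thread (a real cluster's object would come from kubectl get validatingwebhookconfiguration ... -o json).

```python
import copy
import json

# Constructed sample mirroring the two Gatekeeper webhooks discussed above;
# rules are abbreviated, only the fields this check needs are kept.
SAMPLE = json.loads("""
{
  "apiVersion": "admissionregistration.k8s.io/v1",
  "kind": "ValidatingWebhookConfiguration",
  "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
  "webhooks": [
    {"name": "validation.gatekeeper.sh", "failurePolicy": "Ignore",
     "timeoutSeconds": 3,
     "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                "operations": ["CREATE", "UPDATE"], "resources": ["*"]}]},
    {"name": "check-ignore-label.gatekeeper.sh", "failurePolicy": "Fail",
     "timeoutSeconds": 3,
     "rules": [{"apiGroups": [""], "apiVersions": ["*"],
                "operations": ["CREATE", "UPDATE"], "resources": ["namespaces"]}]}
  ]
}
""")


def webhook_posture(config: dict) -> dict:
    """Map each webhook name to (failurePolicy, covered resources).
    Kubernetes treats an unset failurePolicy as Fail, so that is the default here."""
    posture = {}
    for hook in config.get("webhooks", []):
        resources = sorted({r for rule in hook.get("rules", [])
                            for r in rule.get("resources", [])})
        posture[hook["name"]] = (hook.get("failurePolicy", "Fail"), resources)
    return posture


def fail_open_webhooks(config: dict) -> list:
    """Names of webhooks that the API server skips when the backend is unreachable."""
    return [name for name, (policy, _) in webhook_posture(config).items()
            if policy == "Ignore"]


def harden(config: dict) -> dict:
    """Return a copy with every webhook set to failurePolicy: Fail.
    The original object is left untouched."""
    hardened = copy.deepcopy(config)
    for hook in hardened.get("webhooks", []):
        hook["failurePolicy"] = "Fail"
    return hardened


if __name__ == "__main__":
    print("fail-open webhooks:", fail_open_webhooks(SAMPLE))  # ['validation.gatekeeper.sh']
    print(json.dumps(harden(SAMPLE)["webhooks"], indent=2))
```

Setting validation.gatekeeper.sh to Fail is the hardened posture, but, as the failing-closed docs linked earlier in the thread explain, it also means an outage of the Gatekeeper pods blocks every matching admission request cluster-wide, so the webhook's namespaceSelector and the controller's availability need to be sized for that.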

lir1ka commented 1 month ago

> The situation you are facing is caused by, check-ignore-label.gatekeeper.sh webhook (used only for namespace admission events)- https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5251 with default failurePolicy set to Fail. You can use validatingWebhookCheckIgnoreFailurePolicy helm variable to update failurePolicy for check-ignore-label.gatekeeper.sh webhook.

@JaydipGabani, hello! Thank you for your answer. Overall, could you please describe what check-ignore-label.gatekeeper.sh does, and what the ignore label is?

JaydipGabani commented 1 month ago

@lir1ka This webhook validates namespaces to make sure "only allowed namespaces are using the admission.gatekeeper.sh/ignore label to prevent the Gatekeeper validation webhook from being called by the api-server for the respective namespace". For more information/context, here is the PR: https://github.com/open-policy-agent/gatekeeper/pull/350