Closed techiescorner closed 2 years ago
Expected Behavior The admission controller returns an error and blocks resource creation.
Actual Behavior Admission controller passes policy evaluation and creates non-compliant resources
Steps to Reproduce the Problem Rego Policy:
https://play.openpolicyagent.org/p/EEOfeSQHFo The playground doesn't show any error for the policy, but it is not validating in Kubernetes.
Apply the template and constraint file and then try to create an Ingress with the "nginx.ingress.kubernetes.io/limit-connections" annotation set to a value other than 5 or 10. It should fail with an error.
Kubernetes Manifest:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: opa-test
  annotations:
    nginx.ingress.kubernetes.io/limit-connections: "8"
spec:
  rules:
  - host: hello-world.info
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 8080
```
OPA template file
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
  namespace: opa
spec:
  crd:
    spec:
      names:
        kind: k8srequiredlabels
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      package kubernetes.admission

      operations = {"CREATE", "UPDATE"}

      required_annotations = {
        "nginx.ingress.kubernetes.io/limit-connections": {"5", "10"},
        "nginx.ingress.kubernetes.io/limit-rps": {"5"},
      }

      violation[{"msg": msg}] {
        input.request.kind.kind = "Ingress"
        operations[input.request.operation]
        required_annotations[key]
        not input.request.object.metadata.annotations[key]
        msg := sprintf("Compliance check failed: wrong Rate_limit value provided. Missing annotation %v required", [key])
      }

      violation[{"msg": msg}] {
        input.request.kind.kind = "Ingress"
        operations[input.request.operation]
        possible_values := required_annotations[key]
        value := input.request.object.metadata.annotations[key]
        not possible_values[value]
        msg := sprintf("Compliance check failed: rate_limiting annotation is missing. Bad annotation key-value: %v = %v", [key, value])
      }
```
OPA constraint file
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: k8srequiredlabels
metadata:
  name: nginx-rate-limit
spec:
  match:
    kinds:
    - apiGroups: [""]
      kinds: [""]
    namespaces:
    - "opa-test"
```
Ensure the OPA template and constraint are installed:
```
$ k apply -f template.yaml
constrainttemplate.templates.gatekeeper.sh/k8srequiredlabels configured
$ k apply -f constraint.yaml
k8srequiredlabels.constraints.gatekeeper.sh/nginx-rate-limit configured
```
Gatekeeper is running:
```
$ k get pods -n gatekeeper-system
NAME                                            READY   STATUS    RESTARTS
gatekeeper-audit-6d467bddf-h2ftq                1/1     Running   0
gatekeeper-controller-manager-8fd44f7d8-5cp65   1/1     Running   0
gatekeeper-controller-manager-8fd44f7d8-qzzdx   1/1     Running   0
gatekeeper-controller-manager-8fd44f7d8-tc8m2   1/1     Running   0
```
Additional Info Using image: openpolicyagent/opa:0.10.5 Using image: openpolicyagent/kube-mgmt:0.6
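The template and constraint above are written for the input shape that plain OPA with kube-mgmt delivers (`input.request`, package `kubernetes.admission`), but they are applied to Gatekeeper, which hands the AdmissionReview request to the template's Rego under `input.review`. Against Gatekeeper every `input.request...` reference is undefined, so both rule bodies fail, no `violation` is produced, and the request is admitted; the playground cannot catch this because it evaluates the policy only against whatever input is typed into it. The constraint also matches `apiGroups: [""]` / `kinds: [""]`, which never selects an `Ingress` in `networking.k8s.io`. The following is an added example of the Gatekeeper-shaped equivalent, written for this page and not taken from the issue or from the Gatekeeper project; it keeps the `k8srequiredlabels` names from the issue, and the package name and the rewritten messages are choices made here rather than anything Gatekeeper requires.

```yaml
# Added example: Gatekeeper ConstraintTemplate using the input.review shape.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels          # must equal the lower-cased CRD kind below
spec:
  crd:
    spec:
      names:
        kind: k8srequiredlabels
  targets:
  - target: admission.k8s.gatekeeper.sh
    rego: |
      # Package name is arbitrary for Gatekeeper; chosen here for this example.
      package k8srequiredlabels

      operations := {"CREATE", "UPDATE"}

      # Allowed values per required annotation (same table as the issue).
      required_annotations := {
        "nginx.ingress.kubernetes.io/limit-connections": {"5", "10"},
        "nginx.ingress.kubernetes.io/limit-rps": {"5"},
      }

      # Case 1: a required annotation is absent entirely.
      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        operations[input.review.operation]
        required_annotations[key]
        not input.review.object.metadata.annotations[key]
        msg := sprintf("Compliance check failed: required rate-limit annotation %v is missing", [key])
      }

      # Case 2: the annotation is present but its value is not in the allowed set.
      violation[{"msg": msg}] {
        input.review.kind.kind == "Ingress"
        operations[input.review.operation]
        allowed := required_annotations[key]
        value := input.review.object.metadata.annotations[key]
        not allowed[value]
        msg := sprintf("Compliance check failed: annotation %v = %v is not one of %v", [key, value, allowed])
      }
---
# Added example: constraint that actually selects Ingress objects.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: k8srequiredlabels
metadata:
  name: nginx-rate-limit
spec:
  match:
    kinds:
    - apiGroups: ["networking.k8s.io"]   # Ingress lives in networking.k8s.io, not the core group
      kinds: ["Ingress"]
    namespaces:
    - "opa-test"
```

After applying, check that the template compiled (`kubectl get constrainttemplate k8srequiredlabels -o yaml` should show `status.created: true` and no errors under `status.byPod`), then exercise the webhook without persisting anything by submitting the issue's Ingress with `kubectl apply -f ingress.yaml --dry-run=server`; with `limit-connections: "8"` the server-side dry run returns the Case 2 message, and with the annotation removed it returns Case 1. The silent-admit behaviour in the issue is a fail-open, so it is worth treating "no violation" as suspicious until a known-bad manifest has been seen to be rejected.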
Hi, was this issue resolved? Could you please guide me on what was missing. I am trying to create an Azure policy to restrict the Ingress controller to Nginx.