pulumi / pulumi-kubernetes

A Pulumi resource provider for Kubernetes to manage API resources and workloads in running clusters
https://www.pulumi.com/docs/reference/clouds/kubernetes/
Apache License 2.0

Pulumi crossguard policy on Helm chart: config and args.props of validateResourceOfType callback are empty objects #2144

Open awoimbee opened 2 years ago

awoimbee commented 2 years ago

What happened?

https://github.com/pulumi/pulumi-kubernetes/issues/2057#issuecomment-1217858853

Steps to reproduce

    import * as k8s from "@pulumi/kubernetes";
    import { PolicyPack, validateResourceOfType } from "@pulumi/policy";

    new PolicyPack("kubernetes-typescript", {
      policies: [{
        name: "helm-charts-are-up-to-date",
        description: "Helm charts deployments should use the latest version.",
        enforcementLevel: "advisory",
        // Debug output only: dumps what the callback receives for a Chart resource.
        validateResource: validateResourceOfType(k8s.helm.v3.Chart, async (config, args, reportViolation) => {
          reportViolation(`AAAH ${config} '${Object.keys(args.props)}' '${Object.getOwnPropertyNames(config)}' '${Object.getPrototypeOf(config) === Object.prototype}' '${args.props.fetchOpts?.repo}'`);
        }),
      }],
    });

Expected Behavior

    [advisory]  kubernetes-typescript v0.0.1  helm-charts-are-up-to-date (kubernetes:helm.sh/v3:Chart: redis)
    Helm charts deployments should use the latest version.
    AAAH [object Object] ''{lots of text here}'' '{lots of text here}' 'false' 'https://charts.bitnami.com/bitnami'

Actual Behavior

    [advisory]  kubernetes-typescript v0.0.1  helm-charts-are-up-to-date (kubernetes:helm.sh/v3:Chart: redis)
    Helm charts deployments should use the latest version.
    AAAH [object Object] '' '' 'true' 'undefined'

Output of pulumi about

    CLI
    Version      3.38.0
    "@pulumi/kubernetes": "^3.20.5",
    "@pulumi/policy": "^1.4.0",

stack72 commented 2 years ago

Hi @awoimbee

I apologise for the issues here - I am going to mark this as a high-priority issue internally so that we can get this taken care of for you.

Paul

stack72 commented 2 years ago

Hi @awoimbee

So after speaking to other people in the team, it seems that it wasn't correct suggesting that we could fix the issue and turn this into a policy. Input properties of component resources are not currently available to be inspected from policies - the work to track that is https://github.com/pulumi/pulumi-policy/issues/140

The way that component resources are currently designed is talked about at https://github.com/pulumi/pulumi/pull/2296#issuecomment-447709691

I am really sorry for misleading you in this respect :/ I will make sure that we learn to not allow this to happen again and will look at how we can unblock this functionality

If you'd like to talk more about this, I'd happily facilitate that

Paul

awoimbee commented 2 years ago

Thanks for the very professional response. For now I'm using the open source version so I'm just grateful to be able to use Pulumi. But as I understand, crossguard policies are part of the "Business Critical" offering, don't let your clients have the same issues as me!

stack72 commented 2 years ago

Hi @awoimbee

Thank you for the understanding here - we are talking about this internally to see what we can do

Paul
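
Added example (not part of the thread and not Pulumi's own code): because a Chart's `props` arrive as `{}`, a version policy that only compares fields passes silently, so this sketch reports "not checked" whenever the inputs are invisible. `checkChart`, `violationsFor`, `LATEST` and the version number are hypothetical names and constructed data; the function is written as a plain callback body so it runs without `@pulumi/policy`.

```typescript
// Added example: stand-alone, no @pulumi/* imports, so it runs offline.
type ReportViolation = (message: string) => void;

// Subset of the Chart inputs the check reads. fetchOpts.repo is the field the
// issue prints; chart and version are the other inputs this sketch relies on.
interface ChartProps {
  chart?: string;
  version?: string;
  fetchOpts?: { repo?: string };
}

// Constructed sample data (hypothetical version number), keyed by "repo/chart".
const LATEST: Record<string, string> = {
  "https://charts.bitnami.com/bitnami/redis": "17.0.0",
};

// Intended as the body of a validateResourceOfType(k8s.helm.v3.Chart, ...) callback.
function checkChart(props: ChartProps, report: ReportViolation): void {
  // Fail closed: an empty object means the inputs were not exposed to the
  // policy, so the version cannot be judged either way.
  if (Object.keys(props).length === 0) {
    report("Chart inputs are not visible to this policy; version was NOT checked.");
    return;
  }
  const key = `${props.fetchOpts?.repo ?? ""}/${props.chart ?? ""}`;
  const latest: string | undefined = LATEST[key];
  if (latest === undefined) {
    report(`No known latest version for '${key}'; version was NOT checked.`);
  } else if (props.version === undefined) {
    report(`Chart '${key}' does not pin a version (latest is ${latest}).`);
  } else if (props.version !== latest) {
    report(`Chart '${key}' uses ${props.version}, latest is ${latest}.`);
  }
}

// Helper for tests and local runs: collect the violations for one resource.
function violationsFor(props: ChartProps): string[] {
  const out: string[] = [];
  checkChart(props, (m) => out.push(m));
  return out;
}

console.log(violationsFor({})); // the case from this issue
```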