Gator does not return the same status code for the same given context #3772

Closed
WnP opened this issue Jan 10, 2025 · 0 comments · Fixed by open-policy-agent/frameworks#510 · May be fixed by #3783
Labels
bug Something isn't working

Comments


WnP commented Jan 10, 2025

What steps did you take and what happened:
If you provide 2 constraints with the same metadata.name and same spec.match but with different spec.enforcementActions, then the return code is either 0 or 1.

For example, given the following resources:

# resources.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyname
spec:
  crd:
    spec:
      names:
        kind: K8sDenyName
      validation:
        openAPIV3Schema:
          properties:
            invalidName:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynames
        violation[{"msg": msg}] {
          input.review.object.metadata.name == input.parameters.invalidName
          msg := sprintf("The name %v is not allowed", [input.parameters.invalidName])
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenylabel
spec:
  crd:
    spec:
      names:
        kind: K8sDenyLabel
      validation:
        openAPIV3Schema:
          properties:
            invalidName:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenylabel
        violation[{"msg": msg}] {
          input.review.object.metadata.labels.something == input.parameters.invalidName
          msg := sprintf("The label %v is not allowed", [input.parameters.invalidName])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyName
metadata:
  name: default
spec:
  enforcementAction: warn
  match:
    kinds:
      - kinds: ["Namespace"]
  parameters:
    invalidName: "policy-violation"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyLabel
metadata:
  name: default
spec:
  enforcementAction: deny
  match:
    kinds:
      - kinds: ["Namespace"]
  parameters:
    invalidName: "policy-violation"
---
apiVersion: v1
kind: Namespace
metadata:
  name: policy-violation
  labels:
    something: 'allowed'

We expect the label to be allowed and the name to be denied, but since the K8sDenyName/default enforcement action is warn, gator should return 0, not 1.

But that's not always the case:

$> for i in $(seq 10); do gator test -f resources.yaml; echo "return: $?"; done
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 0
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 0

What did you expect to happen:

Gator should always return 0 in this case.

Anything else you would like to add:

If the constraint names are different, it works as expected.

Environment:

  • Gatekeeper version: v3.19.0-beta.1.0.20241230191800-78733fac9edf
  • Kubernetes version: (use kubectl version): NA
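The "same metadata.name, different kind" collision described in the report, as an added example: this is constructed illustration code, not gator's or Gatekeeper's own implementation, and the issue does not establish the root cause. It assumes the failure mode is a lookup keyed on metadata.name alone (which the "different names work as expected" observation is consistent with) and shows why that makes the exit code depend on processing order, while keying on (kind, name) does not. The constraint and namespace structs and the evaluate function are stand-ins for the two rego rules in resources.yaml.

```go
package main

import "fmt"

// Constraint is a constructed, minimal stand-in for a Gatekeeper constraint;
// it is not Gatekeeper's own type.
type Constraint struct {
	Kind              string // CRD kind, e.g. K8sDenyName
	Name              string // metadata.name
	EnforcementAction string // "deny" or "warn"
	InvalidName       string // spec.parameters.invalidName
}

// Namespace is the object under review (constructed to mirror the issue).
type Namespace struct {
	Name   string
	Labels map[string]string
}

// Violation records which constraint fired and its message.
type Violation struct {
	Kind, Name, Msg string
}

// Constructed sample input mirroring resources.yaml from the issue:
// both constraints are named "default" but have different kinds and actions.
var sampleConstraints = []Constraint{
	{Kind: "K8sDenyName", Name: "default", EnforcementAction: "warn", InvalidName: "policy-violation"},
	{Kind: "K8sDenyLabel", Name: "default", EnforcementAction: "deny", InvalidName: "policy-violation"},
}

var sampleNamespace = Namespace{Name: "policy-violation", Labels: map[string]string{"something": "allowed"}}

// evaluate models the two rego rules: K8sDenyName fires on metadata.name,
// K8sDenyLabel fires on metadata.labels.something. With the sample input only
// the name rule fires, exactly as in the gator output above.
func evaluate(cs []Constraint, ns Namespace) []Violation {
	var out []Violation
	for _, c := range cs {
		switch c.Kind {
		case "K8sDenyName":
			if ns.Name == c.InvalidName {
				out = append(out, Violation{c.Kind, c.Name, fmt.Sprintf("The name %v is not allowed", c.InvalidName)})
			}
		case "K8sDenyLabel":
			if ns.Labels["something"] == c.InvalidName {
				out = append(out, Violation{c.Kind, c.Name, fmt.Sprintf("The label %v is not allowed", c.InvalidName)})
			}
		}
	}
	return out
}

// exitCodeByName reproduces the assumed failure mode: the enforcement action
// is looked up by metadata.name alone, so two constraints of different kinds
// that share a name overwrite each other and whichever is stored last wins.
// Feeding the constraints in a different order therefore flips the exit code;
// if that order comes from ranging over a Go map, which is randomized, the
// flip happens at random from run to run.
func exitCodeByName(cs []Constraint, ns Namespace) int {
	action := map[string]string{}
	for _, c := range cs {
		action[c.Name] = c.EnforcementAction
	}
	for _, v := range evaluate(cs, ns) {
		if action[v.Name] == "deny" {
			return 1
		}
	}
	return 0
}

// exitCodeByKindName keys the lookup on (kind, name), which is the actual
// identity of the Kubernetes object; the result no longer depends on order.
func exitCodeByKindName(cs []Constraint, ns Namespace) int {
	type key struct{ Kind, Name string }
	action := map[key]string{}
	for _, c := range cs {
		action[key{c.Kind, c.Name}] = c.EnforcementAction
	}
	for _, v := range evaluate(cs, ns) {
		if action[key{v.Kind, v.Name}] == "deny" {
			return 1
		}
	}
	return 0
}

// reversed returns a copy of cs in the opposite order, to simulate a
// different processing order without relying on map randomness.
func reversed(cs []Constraint) []Constraint {
	out := make([]Constraint, len(cs))
	for i, c := range cs {
		out[len(cs)-1-i] = c
	}
	return out
}

func main() {
	fmt.Println("name-keyed, file order:", exitCodeByName(sampleConstraints, sampleNamespace))
	fmt.Println("name-keyed, reversed  :", exitCodeByName(reversed(sampleConstraints), sampleNamespace))
	fmt.Println("kind+name, file order :", exitCodeByKindName(sampleConstraints, sampleNamespace))
	fmt.Println("kind+name, reversed   :", exitCodeByKindName(reversed(sampleConstraints), sampleNamespace))
}
```

The name-keyed variant returns 1 in file order and 0 when the two constraints are swapped, which is the 0/1 flip seen in the loop above; the (kind, name)-keyed variant returns 0 either way, because the only firing constraint is K8sDenyName/default with enforcementAction warn. A practical check while this is unfixed is to give constraints of different kinds distinct metadata.name values, which the reporter notes works as expected.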