
debuggability

Open part-time-githubber opened this issue 4 years ago • 0 comments

Describe the solution you'd like

How do I debug with Rego when basics fail?

Anything else you would like to add:

Environment:

Gatekeeper version: 3.2
Kubernetes version (use kubectl version): v1.18.9-eks-d1db3c

I had a ConstraintTemplate with this Rego:

package kubernetes.admission

violation[{"msg": msg}]  {
  input.request.kind.kind == "Pod"
  image := input.request.object.spec.containers[_].image
  value_match(image)
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}

value_match(image) {
  arr := split(image, "/")
  not arr[count(arr)-2] == input.request.object.metadata.namespace
}

Figured out the hard way that `request` should be `review` for it to work. One of the examples misled me, I think.

But there was nothing in the logs helping. How can we do this better?

Also, this trick to debug would not work, because it looks like I got a whitespace issue in there somehow:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyall
spec:
  crd:
    spec:
      names:
        kind: K8sDenyAll
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyall
        violation[{"msg": msg}] {
          msg := sprintf("REVIEW OBJECT: %v", [input.review])
        }

And it would complain: `error: error parsing template.yaml: error converting YAML to JSON: yaml: line 15: could not find expected ':'`. Again, figured out the hard way!

part-time-githubber, Mar 31 '21 00:03
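The `request` versus `review` mistake described in the issue is silent at runtime: when `input.review` is spelled `input.request`, the reference is simply undefined, the `violation` rule body never succeeds, and Gatekeeper logs nothing, which is why the in-cluster "dump the review object" template is the usual recourse. The cheaper check is to run the Rego locally with `opa test` against a constructed input in the shape Gatekeeper actually hands to templates. The file below is an added example, not code from the issue or from gatekeeper-library; it corrects the posted rule to read `input.review` and then exercises it with a constructed Pod admission review. The namespace `team-a`, the registry `registry.example.com`, the image tags and the package name are all assumptions; the file assumes the `opa` CLI is installed.

```rego
# untrusted_registry_test.rego (assumed file name). Run with:  opa test -v .
# Policy and tests share one package here so a single file is enough; in a
# real repo the tests would live in a separate *_test.rego next to the policy.
package untrusted_registry

# Corrected version of the rule from the issue: Gatekeeper exposes the
# AdmissionReview request as input.review (and constraint parameters as
# input.parameters); there is no input.request in a ConstraintTemplate.
violation[{"msg": msg}] {
  input.review.kind.kind == "Pod"
  image := input.review.object.spec.containers[_].image
  value_match(image)
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}

# An image is trusted only if the path segment before the image name equals
# the Pod's namespace, e.g. registry.example.com/<namespace>/app:tag.
# For an image with fewer than two "/"-separated segments the index is
# negative and undefined, so `not` succeeds and the image is flagged.
value_match(image) {
  arr := split(image, "/")
  not arr[count(arr) - 2] == input.review.object.metadata.namespace
}

# Constructed AdmissionReview fragment (not a captured request): only the
# fields the rule touches are filled in.
review_for(ns, image) = {
  "kind": {"kind": "Pod", "group": "", "version": "v1"},
  "object": {
    "metadata": {"name": "test-pod", "namespace": ns},
    "spec": {"containers": [{"name": "app", "image": image}]}
  }
}

# Image under the Pod's own namespace path: no violation.
test_image_under_namespace_path_allowed {
  count(violation) == 0 with input as {
    "review": review_for("team-a", "registry.example.com/team-a/app:1.0")
  }
}

# Image from a different path: exactly one violation with the expected message.
test_image_from_other_path_denied {
  msgs := {v.msg | v := violation[_]} with input as {
    "review": review_for("team-a", "docker.io/library/nginx:1.19")
  }
  msgs == {"image 'docker.io/library/nginx:1.19' comes from untrusted registry"}
}

# A bare image name has no namespace segment at all and is flagged too.
test_bare_image_denied {
  count(violation) == 1 with input as {
    "review": review_for("team-a", "nginx")
  }
}

# Non-Pod objects are ignored even when they carry an untrusted image path.
test_non_pod_ignored {
  r := review_for("team-a", "docker.io/library/nginx:1.19")
  count(violation) == 0 with input as {
    "review": object.union(r, {"kind": {"kind": "Deployment", "group": "apps", "version": "v1"}})
  }
}

# The mistake from the issue, reproduced on purpose: the same review placed
# under "request" yields zero violations and no error, so a deny that
# "does nothing" in the cluster shows up here as a failing expectation.
test_review_under_request_key_never_fires {
  count(violation) == 0 with input as {
    "request": review_for("team-a", "docker.io/library/nginx:1.19")
  }
}
```

`opa test -v .` prints each `test_` rule as PASS or FAIL; if a rule you expect to deny produces no violations, the test that asserts on `msgs` fails immediately and points at the policy rather than at the cluster. The same constructed `{"review": ...}` document can be fed to `opa eval -i input.json -d untrusted_registry_test.rego 'data.untrusted_registry.violation'` to see exactly what the rule returns for one request.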