gatekeeper icon indicating copy to clipboard operation
gatekeeper copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

Gatekeeper violation msg requirements different from standard OPA

Open rbkaspr opened this issue 3 years ago • 7 comments

What steps did you take and what happened:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  creationTimestamp: null
  name: namespacerequireowner
spec:
  crd:
    spec:
      names:
        kind: NamespaceRequireOwner
  targets:
  - libs:
    - |-
      package lib.core
      default is_gatekeeper = false
      is_gatekeeper {
        has_field(input, "review")
        has_field(input.review, "object")
      }
      resource = input.review.object {
        is_gatekeeper
      }
      resource = input {
        not is_gatekeeper
      }
      apiVersion = resource.apiVersion
      name = resource.metadata.name
      kind = resource.kind
      labels = resource.metadata.labels
      annotations = resource.metadata.annotations
      gv := split(apiVersion, "/")
      group = gv[0] {
        contains(apiVersion, "/")
      }
      group = "core" {
        not contains(apiVersion, "/")
      }
      version := gv[count(gv) -1]
      has_field(obj, field) {
        not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
      }
      missing_field(obj, field) = true {
        obj[field] == ""
      }
     missing_field(obj, field) = true {
        not has_field(obj, field)
      }
    rego: |-
      package namespace_require_owner
      import data.lib.core
      violation[msg] {
        missing_label(core.labels)
        msg = sprintf("%s: Namespace is missing the owner label", [core.name])
      }
      missing_label(labels) {
        not labels.owner
      }
    target: admission.k8s.gatekeeper.sh
status: {}

kubectl get constrainttemplate.templates.gatekeeper.sh/namespacerequireowner -ojsonpath='{.status}' | jq
{
  "byPod": [
    {
      "errors": [
        {
          "code": "ingest_error",
          "message": "Could not ingest Rego: 2 errors occurred:\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:32: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:53: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string"
        }
      ],
      "id": "gatekeeper-audit-84964f86f-rhcnt",
      "observedGeneration": 1,
      "operations": [
        "audit",
        "status"
      ],
      "templateUID": "1b5c2d6a-447f-4dff-9566-53a7ce22b8b1"
    },
    {
      "errors": [
        {
          "code": "ingest_error",
          "message": "Could not ingest Rego: 2 errors occurred:\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:32: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:53: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string"
        }
      ],
      "id": "gatekeeper-controller-manager-5bb5f9b4dd-8sk6q",
      "observedGeneration": 1,
      "operations": [
        "webhook"
      ],
      "templateUID": "1b5c2d6a-447f-4dff-9566-53a7ce22b8b1"
    },
    {
      "errors": [
        {
          "code": "ingest_error",
          "message": "Could not ingest Rego: 2 errors occurred:\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:32: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:53: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string"
        }
      ],
      "id": "gatekeeper-controller-manager-5bb5f9b4dd-9t7j6",
      "observedGeneration": 1,
      "operations": [
        "webhook"
      ],
      "templateUID": "1b5c2d6a-447f-4dff-9566-53a7ce22b8b1"
    },
    {
      "errors": [
        {
          "code": "ingest_error",
          "message": "Could not ingest Rego: 2 errors occurred:\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:32: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string\nhooks[\"admission.k8s.gatekeeper.sh\"].hooks_builtin:53: rego_type_error: undefined ref: r.msg\n\tr.msg\n\t^\n\thave: string"
        }
      ],
      "id": "gatekeeper-controller-manager-5bb5f9b4dd-d7hvt",
      "observedGeneration": 1,
      "operations": [
        "webhook"
      ],
      "templateUID": "1b5c2d6a-447f-4dff-9566-53a7ce22b8b1"
    }
  ],
  "created": true
}

What did you expect to happen: Based on just looking at standard OPA, I would expect violation[msg] to be a perfectly functional rule signature, but Gatekeeper requires a struct containing, at minimum, and msg key. Making that requirement much more explicit in the Gatekeeper docs would help, but it would be nice if Gatekeeper was able to handle normal OPA syntax rule signatures, if only to ease the transition as more people convert their existing OPA policy libraries over to running on Gatekeeper

Environment:

  • Gatekeeper version: v3.3.0
  • Kubernetes version: (use kubectl version): v1.18.9-eks-d1db3c

rbkaspr avatar Mar 09 '21 13:03 rbkaspr

Thanks for the feedback!

IIRC standard OPA policies use rule headers like:

deny[msg]

would keeping that same rule header but adding the Gatekeeper-specific:

violation[{"msg": msg}] {
   deny[msg]
}

work for migrating without the need to refactor?

The reason for using an object-based return value was to leave room for returning machine-readable data so that we left open the possibility for things like automated remediation in the future.

maxsmythe avatar Mar 10 '21 02:03 maxsmythe

Thanks for the response!

As it turns out, your suggested modification works like a charm. If it's important for planned future features of Gatekeeper, then I'm totally on board with the response structure as it stands, I would just like to see it called out a little more clearly on the documentation page for the benefit of those migrating from using standard OPA to Gatekeeper.
Same with the requirement for violation instead of deny, it's a convention you can pick up from the examples, but having it be called out more explicitly will probably help prevent confusion from those who may expect that they can just pick up their existing policy libraries from OPA and drop them into Gatekeeper without modification.
I'd be happy to contribute back a docs page to that effect, if need be.

rbkaspr avatar Mar 10 '21 10:03 rbkaspr

This is documented in https://github.com/open-policy-agent/frameworks/tree/master/constraint#rule-schema but it's a very obscure location. This should be reflected in Gatekeeper docs too.

sozercan avatar Mar 10 '21 17:03 sozercan

Yeah, buried in the docs pages of a completely different repo isn't exactly easy to find for people just getting started with Gatekeeper, especially if they don't also have a ton of experience with OPA (like a certain me).

If we could get that page replicated to the Gatekeeper repo, that would close this issue nicely.

rbkaspr avatar Mar 10 '21 18:03 rbkaspr

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 23 '22 08:07 stale[bot]

This still seems relevant

maxsmythe avatar Jul 30 '22 03:07 maxsmythe

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 01 '22 22:10 stale[bot]