Gatekeeper policy not working and getting error
What steps did you take and what happened:
Hey Team,
Trying to create a runAsNonRoot PSP policy for a Kubernetes cluster, but the policies are not getting applied. Please find the manifest files here: https://github.com/om3171991/OPAGatekeeperIssue/blob/main/k8sManifest.yaml
Pods are getting created without any violation, although a violation exists, as runAsNonRoot is set to false in the pod manifest.
What did you expect to happen:
Expectation: when we create a privileged pod, it should not allow the nginx pod to be created.
Environment:
Gatekeeper version = 3.2
Kubernetes version = 1.18.6
@grosser @alban @halvards @rajatvig can anyone help me to resolve the above issue please
The main issue is that input.object should be input.review.object.
Also, constraints and templates are cluster-scoped resources, so metadata.namespace should not be populated.
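A minimal ConstraintTemplate and constraint that apply the two corrections above (reading the admitted object from input.review.object, and no metadata.namespace on either cluster-scoped resource), added here as an illustration and not taken from the issue's manifests or from the Gatekeeper library; the template name, constraint kind and constraint name are assumed, and only spec.containers is checked.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot        # assumed name; no namespace: cluster-scoped
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot  # assumed kind, reused by the constraint below
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot

        # The admission request is under input.review; input.object is never set.
        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          not effective_run_as_non_root(container)
          msg := sprintf("container %v must set runAsNonRoot: true", [container.name])
        }

        # Container-level securityContext overrides the pod-level one;
        # an unset field at both levels counts as not enforced (false).
        effective_run_as_non_root(c) = v {
          v := c.securityContext.runAsNonRoot
        } else = v {
          v := input.review.object.spec.securityContext.runAsNonRoot
        } else = false { true }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: require-run-as-non-root  # assumed name; again no metadata.namespace
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

With this pair applied, a pod whose container sets runAsNonRoot: false (as in the issue's manifest) is denied with the message above, and kubectl get constraint shows the constraint once it is installed.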
@maxsmythe - Thanks for the response, but it is still not working. Changed:
- input.object to input.review.object (updated)
- metadata.namespace: if we do not set this, then it will be created in the default namespace, which some orgs do not allow (no resources may be created in the default namespace).
Is the constraint installed? Check by running kubectl get constraint.
Also, if you can, show the status of the constraint and template by running kubectl get with the -o yaml flag.
We already have a policy for this in the library; have you tried that? https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/users
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
Closing as the policy exists in the library. Please feel free to re-open if this is not the case.