gatekeeper
"ENFORCEMENT-ACTION" for Constraints is empty when not specified
For example:

```
uniqueingresshost$ kubectl get k8suniqueingresshost.constraints.gatekeeper.sh
NAME                  ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
unique-ingress-host                        0
```
This can lead to confusion about what happens when such Constraints are violated. The above output should show "deny".

Fortunately, this is just how information is displayed with `kubectl get` and does not have any functional impact.
@willbeason Thanks for raising this.
A long time ago we made the decision to default to deny if there's no explicit enforcement action provided in the Constraint request.
https://github.com/open-policy-agent/gatekeeper/blob/c6d6b8418ff90a01b34fc5df045b92ef01156412/pkg/util/enforcement_action.go#L50-L51
Do we want to set this default value on constraint CREATE?
I like that idea
Can we register a default value in the CRD?
https://github.com/open-policy-agent/frameworks/blob/0684e78d7c329118a2edb2c2e46e4a077f269abf/constraint/pkg/apis/templates/v1/constrainttemplate_types.go#L52
Should be doable with `// +kubebuilder:default:=deny`
Oh, except constraint CRDs are generated from the CF, so we'd need to code the default directly into the JSONSchema, I think?
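As an added illustration of the approach discussed above (example code, not Gatekeeper's or the frameworks repo's own): a Python sketch that post-processes a generated constraint CRD to declare `default: deny` on `spec.enforcementAction`, then approximates what the API server would persist for a Constraint that omits the field. The CRD and Constraint below are constructed sample data; real defaulting requires an apiextensions.k8s.io/v1 structural schema.

```python
import copy

# Constructed sample shaped like the constraint CRD the ConstraintTemplate
# controller generates; note there is no default on spec.enforcementAction.
# (Added example data, not Gatekeeper's own output.)
SAMPLE_CRD = {
    "metadata": {"name": "k8suniqueingresshost.constraints.gatekeeper.sh"},
    "spec": {"group": "constraints.gatekeeper.sh", "versions": [{
        "name": "v1beta1", "served": True, "storage": True,
        "schema": {"openAPIV3Schema": {"type": "object", "properties": {
            "spec": {"type": "object", "properties": {
                "enforcementAction": {"type": "string"}}}}}},
    }]},
}

# Constructed Constraint that omits enforcementAction, as in the issue.
CONSTRAINT = {"apiVersion": "constraints.gatekeeper.sh/v1beta1",
              "kind": "K8sUniqueIngressHost",
              "metadata": {"name": "unique-ingress-host"}, "spec": {}}


def set_enforcement_default(crd: dict, default: str = "deny") -> dict:
    """Copy the CRD and declare `default: <default>` on spec.enforcementAction
    in every version's openAPIV3Schema; the API server applies it at CREATE."""
    out = copy.deepcopy(crd)
    for version in out["spec"]["versions"]:
        root = version.setdefault("schema", {}).setdefault("openAPIV3Schema", {})
        spec = root.setdefault("properties", {}).setdefault("spec", {"type": "object"})
        field = spec.setdefault("properties", {}).setdefault(
            "enforcementAction", {"type": "string"})
        field["default"] = default
    return out


def stored_enforcement_action(constraint: dict, crd: dict) -> str:
    """Approximate what the API server persists for spec.enforcementAction:
    the user's value, else the schema default for that version, else ""."""
    explicit = constraint.get("spec", {}).get("enforcementAction")
    if explicit:
        return explicit
    wanted = constraint["apiVersion"].rsplit("/", 1)[-1]
    for v in crd["spec"]["versions"]:
        if v["name"] == wanted:
            schema = v.get("schema", {}).get("openAPIV3Schema", {})
            field = (schema.get("properties", {}).get("spec", {})
                     .get("properties", {}).get("enforcementAction", {}))
            return field.get("default", "")
    return ""
```

Gatekeeper already evaluates a missing enforcementAction as deny; the schema default only changes what is stored, and therefore what `kubectl get` displays.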
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
@sozercan please assign this to me
@sozercan Do we know how this might interact with the design you're working on for per-target enforcement actions?