gatekeeper
gatekeeper copied to clipboard
Provide better error messages for ConstraintTemplate compilation failures
Right now if something goes wrong when compiling ConstraintTemplates, users get an opaque The request is invalid
. This doesn't help with debugging or give anything to go on.
While users could turn to gator verify
and create a suite to get a better error message, this is arduous. The ValidatingWebhook should instead provide a better response.
My guess is that this happens since we now do a full test compile in the ValidatingWebhook instead of only parsing the Rego, so we catch more errors in the ValidatingWebhook.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
I'm wondering if this is still an issue actually. Today, if I try to add a ConstraintTemplate
with compilation issues I can get an error back that's fairly descriptive:
eg1 -- mistype
admission webhook "validation.gatekeeper.sh" denied the request: invalid ConstraintTemplate: 1 error occurred: template:26: rego_parse_error: unexpected : token: expected \n or ; or }
special_variable : = input.review.object.metadata.namespace
^
eg2 -- unsafe var
admission webhook "validation.gatekeeper.sh" denied the request: unable to compile modules: 1 error occurred: template:26: rego_unsafe_var_error: var special_variable is unsafe
@maxsmythe I may be missing some context here or misunderstanding the issue.
Probably just close it... not enough information to reproduce and may have been fixed by library upgrades.