gatekeeper
excludedNamespaces wildcard with more than one dash
While trying to create a Constraint we saw that "excludedNamespaces" does not appear to exclude namespaces when more than one dash and wildcards are combined, e.g.
excludedNamespaces:
- *-test-*
What did you expect to happen: We expect namespaces like user1-test-randomstring to be excluded, which does not work. Namespaces such as user1-randomstring are excluded when "excludedNamespaces" contains "randomstring-*".
Environment:
- Gatekeeper version: One of the later ones
- Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.2", GitCommit:"31aa3e89a926f81aa0af30320ffcb71acadf3015", GitTreeState:"clean", BuildDate:"2023-04-07T07:26:22Z", GoVersion:"go1.19.6", Compiler:"gc", Platform:"linux/amd64"} Kustomize Version: v4.5.7 Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.11+1485cc9", GitCommit:"0c8cb213485c84deb0230cbefa34bf7f1c311418", GitTreeState:"clean", BuildDate:"2023-07-04T08:59:21Z", GoVersion:"go1.19.10 X:strictfipsruntime", Compiler:"gc", Platform:"linux/amd64"}
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
user1-randomstring doesn't match randomstring-*. Does this work if you specify *-randomstring for the wildcard?
The *-test-* example should work against user1-test-randomstring. Can you confirm that specific pairing does not work?
Is k8s random name generation involved (e.g. how pod names are generated)?
Relevant code: https://github.com/open-policy-agent/gatekeeper/blob/c0e231ac7a903d98bc3d89c22476670516874fbe/pkg/wildcard/wildcard.go#L17-L41
Somehow I did not see the notification. The "-test-" example did not work, which is why I created the issue. Since it is just trimming, I guess it then matches "-test-", which is not the desired behavior.
It should be a "contains" match, so any namespace with "-test-" as a substring should match.
Can you verify this behavior is still broken with a newer release, and give the Gatekeeper version?
If it is still broken, can you give an example constraint, template, and resource that should be exempt but is throwing a violation?
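To make the semantics discussed in this thread concrete, here is an added, self-contained Go example (written for this page, not Gatekeeper's own wildcard.go) that implements the prefix/suffix/contains matching the maintainer describes and runs the exact pairings from the report: "*-test-*" against user1-test-randomstring, and "randomstring-*" versus "*-randomstring" against user1-randomstring. The Wildcard and Matches names mirror the linked package only by convention; the isExcluded helper and the sample namespace list are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Wildcard is a pattern that may carry a leading and/or trailing "*".
// This is an illustration of the semantics discussed in the issue,
// not the project's implementation.
type Wildcard string

// Matches reports whether candidate satisfies the pattern:
//
//	"*"      matches every candidate
//	"*foo*"  candidate contains "foo"
//	"*foo"   candidate ends with "foo"
//	"foo*"   candidate starts with "foo"
//	"foo"    exact match
//
// An empty pattern matches nothing. A "*" that is neither first nor
// last is treated as a literal character, so "a*b" only matches "a*b".
func (w Wildcard) Matches(candidate string) bool {
	p := string(w)
	if p == "" {
		return false
	}
	if p == "*" {
		return true
	}
	leading := strings.HasPrefix(p, "*")
	trailing := strings.HasSuffix(p, "*")
	// Strip at most one "*" from each end; the remainder is the literal
	// core that must appear in the candidate. Dashes inside the core are
	// ordinary characters, so "*-test-*" keeps "-test-" intact.
	core := strings.TrimSuffix(strings.TrimPrefix(p, "*"), "*")
	switch {
	case leading && trailing:
		return strings.Contains(candidate, core)
	case leading:
		return strings.HasSuffix(candidate, core)
	case trailing:
		return strings.HasPrefix(candidate, core)
	default:
		return candidate == p
	}
}

// isExcluded mimics an excludedNamespaces list (assumed helper): the
// namespace is exempt if any pattern in the list matches it.
func isExcluded(excluded []Wildcard, namespace string) bool {
	for _, w := range excluded {
		if w.Matches(namespace) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the pairings quoted in the issue thread.
	pairs := []struct {
		pattern   Wildcard
		namespace string
	}{
		{"*-test-*", "user1-test-randomstring"},
		{"randomstring-*", "user1-randomstring"},
		{"*-randomstring", "user1-randomstring"},
	}
	for _, p := range pairs {
		fmt.Printf("%-16q vs %-26q -> %v\n", p.pattern, p.namespace, p.pattern.Matches(p.namespace))
	}
	// Constructed sample exclusion list, as it would appear under
	// match.excludedNamespaces in a Constraint.
	excluded := []Wildcard{"kube-*", "*-test-*"}
	fmt.Println("user1-test-abc excluded:", isExcluded(excluded, "user1-test-abc"))
	fmt.Println("user1-prod-abc excluded:", isExcluded(excluded, "user1-prod-abc"))
}
```

Note the operational consequence of the "contains" semantics: a pattern like "*-test-*" exempts every namespace whose name merely contains "-test-", so anyone permitted to create namespaces can opt out of the constraint by choosing a matching name. Keep exclusion patterns as narrow as the naming scheme allows, and prefer an exact list of namespaces where the set is known.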