gatekeeper
gatekeeper copied to clipboard
open-policy-agent
Resource violates rule but is created
What steps did you take and what happened: [A clear and concise description of what the bug is.]
I have created a rule to block webhook configurations that do not have namespace selectors, unless exempt.
Constraint
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireWebhookNamespaces
metadata:
name: require-webhook-namespaces
spec:
enforcementAction: deny
match:
scope: "*"
kinds:
- apiGroups: ["admissionregistration.k8s.io"]
kinds: ["ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"]
parameters:
exemptWebhooks: []
Template
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8srequirewebhooknamespaces
spec:
crd:
spec:
names:
kind: K8sRequireWebhookNamespaces
validation:
openAPIV3Schema:
type: object
properties:
exemptWebhooks:
type: array
items: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8srequirewebhooknamespaces
import future.keywords.if
import future.keywords.in
violation[{"msg": msg}] {
not is_exempt(input.review.object.metadata.name)
some webhook in input.review.object.webhooks
not has_selectors(webhook)
msg := sprintf("Webhook missing valid namespace selector: %v", [webhook.name])
}
has_selectors(wh) if {
wh.namespaceSelector
count(wh.namespaceSelector.matchExpressions) > 0
some match in wh.namespaceSelector.matchExpressions
required := {"key", "operator", "values"}
found := object.keys(match)
found == required
}
is_exempt(name) if {
exempt := input.parameters.exemptWebhooks
some webhook in exempt
webhook == name
}
This test resource is still able to be created:
Test Resource
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: test-webhook-admission
webhooks:
- admissionReviewVersions:
- v1
- v1beta1
clientConfig:
service:
name: test-webhook-service
path: /validate-tests
port: 443
failurePolicy: Fail
matchPolicy: Equivalent
namespaceSelector: {}
name: testtrigger.example.com
rules:
- apiGroups:
- tests.example.com
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- testtriggers
scope: '*'
sideEffects: None
timeoutSeconds: 10
What did you expect to happen:
I expected the test resource to be denied. It is denied when testing locally with gator:
Gator
$ gator test -f resource.yaml -f constraint.yaml -f template.yaml
admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration test-webhook-admission: ["require-webhook-namespaces"] Message: "Webhook missing valid namespace selector: testtrigger.example.com"
The resource also shows in the Constraint as a violation:
Violation
$ kubectl get k8srequirewebhooknamespaces -o jsonpath='{.items[0].status.violations}' | jq .
[
{
"enforcementAction": "deny",
"group": "admissionregistration.k8s.io",
"kind": "ValidatingWebhookConfiguration",
"message": "Webhook missing valid namespace selector: testtrigger.example.com",
"name": "test-webhook-admission",
"version": "v1"
}
]
Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]
It seems that the creation event is never evaluated by Gatekeeper. We have several other rules that are correctly being enforced, so I assume it is not a general problem with our Gatekeeper deployment.
Gatekeeper is deployed using the Helm chart and is minimally altered. The rules for the validation webhook are default:
Webhook rules
$ kubectl get ValidatingWebhookConfiguration gatekeeper-validating-webhook-configuration -o jsonpath='{.webhooks[?(@.name=="validation.gatekeeper.sh")].rules}' | jq .
[
{
"apiGroups": [
"*"
],
"apiVersions": [
"*"
],
"operations": [
"CREATE",
"UPDATE"
],
"resources": [
"*",
"pods/ephemeralcontainers",
"pods/exec",
"pods/log",
"pods/eviction",
"pods/portforward",
"pods/proxy",
"pods/attach",
"pods/binding",
"deployments/scale",
"replicasets/scale",
"statefulsets/scale",
"replicationcontrollers/scale",
"services/proxy",
"nodes/proxy",
"services/status"
],
"scope": "*"
}
]
It's entirely possible (or likely) that this is not a bug and I've missed something, but at this point I'm out of ideas.
Environment:
- Gatekeeper version: 3.14.0
- Kubernetes version: (use
kubectl version):
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9
Kubernetes webhooks cannot evaluate ValidatingWebhookConfiguration/MutatingWebhookConfiguration objects.
ValidatingAdmissionPolicy might be able to, but there is a similar problem there (VAP objects cannot validate other VAP objects).
Violations should show up in audit.
K8s doc source: see the docstring for the rules field here: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#validatingwebhook-v1-admissionregistration-k8s-io
Thanks @maxsmythe , I had suspected that but didn't know where to look. That answers my question, but should this issue then be considered a bug for gator?
Thanks @maxsmythe , I had suspected that but didn't know where to look. That answers my question, but should this issue then be considered a bug for
gator?
I have a similar issue which the policy is being flagged but Gatekeeper lets the resource to be created. https://github.com/open-policy-agent/gatekeeper/issues/3228
Gatekeeper the webhook cannot/should not validate these resources. Gatekeeper audit and the gator CLI command should be able to validate them.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}