
Policy is being flagged in the log but it is allowed to be created

Open · soroushatarod opened this issue 1 year ago · 1 comment

What steps did you take and what happened:

1. Install OPA Gatekeeper:

```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml
```

2. Apply the ConstraintTemplate from the policy sample:

https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/disallowedrepos/template.yaml

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowedrepos
  annotations:
    metadata.gatekeeper.sh/title: "Disallowed Repositories"
    metadata.gatekeeper.sh/version: 1.0.0
    description: >-
      Disallowed container repositories that begin with a string from the specified list.
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowedRepos
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            repos:
              description: The list of prefixes a container image is not allowed to have.
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowedrepos

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("container <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.initContainers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("initContainer <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }

        violation[{"msg": msg}] {
          container := input.review.object.spec.ephemeralContainers[_]
          image := container.image
          startswith(image, input.parameters.repos[_])
          msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, disallowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```

3. Apply the Constraint from the policy sample on GitHub:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedRepos
metadata:
  name: repo-must-not-be-k8s-gcr-io
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    repos:
      - "k8s.gcr.io/"
```

4. Try creating a Pod with k8s.gcr.io as the registry:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:latest
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
```

What did you expect to happen:

Not able to create the Pod and receive a message "Error from server (Forbidden): error when creating "container has an invalid image repo <k8s.gcr.io/kustomize/kustomize:latest>, disallowed repos are ["k8s.gcr.io/\ "

Anything else you would like to add:

Gatekeeper flags it in the log file but allows the creation, which to me is a bug.

```json
{"level":"info","ts":1705611801.8987546,"logger":"controller",
"msg":"container <kustomize> has an invalid image repo <k8s.gcr.io/kustomize/kustomize:latest>, disallowed repos are [\"k8s.gcr.io/\"]",
"process":"audit","audit_id":"2024-01-18T21:03:20Z",
"details":{},"event_type":"violation_audited",
"constraint_group":"constraints.gatekeeper.sh",
"constraint_api_version":"v1beta1","constraint_kind":"K8sDisallowedRepos",
"constraint_name":"repo-must-not-be-k8s-gcr-io","constraint_namespace":"",
"constraint_action":"deny","constraint_annotations":{},"resource_group":"","resource_api_version":"v1",
"resource_kind":"Pod","resource_namespace":"default",
"resource_name":"kustomize-disallowed","resource_labels":null}
```

Environment:

- Gatekeeper version: 3.14
- Kubernetes version (`kubectl version`):

```text
Client Version: v1.28.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.24.17-eks-5e0fdde
WARNING: version difference between client (1.28) and server (1.24) exceeds the supported minor version skew of +/-1
```

Running on EKS

soroushatarod · Jan 18 '24 22:01

@soroushatarod Can you make sure your gatekeeper-controller-manager pods are running?

I am not able to create a pod with the same YAMLs you provided above.

```console
kubectl get constrainttemplates.templates.gatekeeper.sh
NAME                 AGE
k8sdisallowedrepos   8m50s

kubectl get constraints
NAME                          ENFORCEMENT-ACTION   TOTAL-VIOLATIONS
repo-must-not-be-k8s-gcr-io                        0

cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:latest
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault

kubectl apply -f pod.yaml
Error from server (Forbidden): error when creating "pod.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [repo-must-not-be-k8s-gcr-io] container <kustomize> has an invalid image repo <k8s.gcr.io/kustomize/kustomize:latest>, disallowed repos are ["k8s.gcr.io/"]
```

JaydipGabani · Jan 22 '24 22:01
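The symptom in this issue (an `event_type: violation_audited` log line from the `audit` process, but no denial from the `validation.gatekeeper.sh` webhook) is the signature of Gatekeeper's two enforcement paths disagreeing: the audit controller scans existing objects and logs, while only the admission webhook can reject a request. The check JaydipGabani asks for above is the right one, and the script below is an added example (not from this thread or from the Gatekeeper project) that carries it through: it verifies that the `gatekeeper-controller-manager` pods are ready, that the `gatekeeper-validating-webhook-configuration` object exists, and what the webhook's `failurePolicy` is, since a value of `Ignore` (the upstream manifest's default) means a webhook outage lets requests through with nothing but the audit log to show for it. The parse functions read `kubectl` output from stdin so they can be exercised offline on the constructed sample text in the comments; pass `--live` to query a real cluster. Object names assume the default `gatekeeper-system` install.

```shell
#!/bin/sh
# Added diagnostic for "audit logs a violation but admission allows the object".
# Not part of the issue thread or of Gatekeeper itself; assumes the default
# gatekeeper-system namespace and upstream object names.

# Prints "<ready> <total>" for gatekeeper-controller-manager pods.
# Input on stdin: lines from `kubectl get pods -n gatekeeper-system --no-headers`,
# e.g. (constructed) "gatekeeper-controller-manager-5b6-aaaaa 1/1 Running 0 10m".
controller_manager_status() {
  awk '$1 ~ /^gatekeeper-controller-manager-/ {
         total++
         split($2, r, "/")
         if (r[1] == r[2] && $3 == "Running") ready++
       }
       END { print ready + 0, total + 0 }'
}

# Succeeds when the Gatekeeper ValidatingWebhookConfiguration is registered.
# Input on stdin: lines from `kubectl get validatingwebhookconfigurations -o name`.
webhook_registered() {
  grep -q '/gatekeeper-validating-webhook-configuration$'
}

# diagnose PODS WEBHOOKS FAILURE_POLICY
# Prints findings; returns 0 only when the admission path looks healthy.
diagnose() {
  pods=$1; webhooks=$2; policy=$3
  ok=0
  set -- $(printf '%s\n' "$pods" | controller_manager_status)
  ready=$1; total=$2
  if [ "$total" -eq 0 ]; then
    echo "PROBLEM: no gatekeeper-controller-manager pods found"; ok=1
  elif [ "$ready" -lt "$total" ]; then
    echo "PROBLEM: only $ready/$total gatekeeper-controller-manager pods ready"; ok=1
  fi
  if ! printf '%s\n' "$webhooks" | webhook_registered; then
    echo "PROBLEM: gatekeeper-validating-webhook-configuration is not registered"; ok=1
  fi
  if [ "$policy" = "Ignore" ]; then
    echo "NOTE: failurePolicy=Ignore: if the webhook is unreachable, requests are admitted silently"
  fi
  if [ "$ok" -ne 0 ] && [ "$policy" = "Ignore" ]; then
    echo "=> explains audit-only enforcement: audit still runs, the webhook never denies"
  fi
  return $ok
}

# Live mode: query the cluster, then exercise the admission path with a
# server-side dry run, which still passes through validating webhooks but
# creates nothing. A healthy install denies pod.yaml from step 4 above.
if [ "${1:-}" = "--live" ] && command -v kubectl >/dev/null 2>&1; then
  diagnose "$(kubectl get pods -n gatekeeper-system --no-headers)" \
           "$(kubectl get validatingwebhookconfigurations -o name)" \
           "$(kubectl get validatingwebhookconfiguration gatekeeper-validating-webhook-configuration \
                -o jsonpath='{.webhooks[?(@.name=="validation.gatekeeper.sh")].failurePolicy}' 2>/dev/null)"
  kubectl apply --dry-run=server -f pod.yaml
fi
```

If `diagnose` reports a problem while the policy is `Ignore`, the fix is to get the controller-manager pods healthy (or re-apply the webhook configuration), then re-run the dry run and confirm the `Forbidden` error appears before relying on the constraint; switching the webhook to `failurePolicy: Fail` trades silent admission for blocked requests during an outage, which is a deliberate availability decision rather than a default to flip casually.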

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] · Mar 23 '24 07:03