
Unable to deny namespace deletion.

Open josephlim75 opened this issue 1 year ago • 1 comment

What steps did you take and what happened: Not able to prevent namespace deletion. Below are my OPA Gatekeeper version and ConstraintTemplate.

What did you expect to happen: I expect that when trying to delete a namespace, the constraint should prevent me from deleting it.

Rego Template

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenynamespacedeletion
spec:
  crd:
    spec:
      names:
        kind: K8sDenyNamespaceDeletion
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynamespacedeletion

        violation[{"msg": msg, "details": {}}] {
          input.request.kind.kind == "Namespace"
          input.request.operation == "DELETE"
          msg := "Deletion of namespace is not allowed. It is in the list of prohibited namespaces."
        }

Policy enforcement

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyNamespaceDeletion
metadata:
  name: policy-k8sdenynamespacedeletion
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Test Scenario

Scenario 1

  • OPA Helm chart config
disableValidatingWebhook: true
enableDeleteOperations: true

Result

kubectl create namespace dev
kubectl delete namespace dev
(SUCCESS)

Scenario 2

  • OPA Helm chart config
disableValidatingWebhook: false
enableDeleteOperations: true

Result

kubectl create namespace dev

Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": context deadline exceeded

Anything else you would like to add:

I have checked that the deployment is successful, but I can't create a namespace when the validating webhook is enabled.

I have noticed that the DELETE operation is not added to the namespace resource; I'm not sure if this is needed. Is a ValidatingWebhook required when trying to prevent namespace deletion?

https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml#L115

Some help would be greatly appreciated, because currently I can't get the namespace delete operation prevented and it still allows the namespace to be deleted.

Environment:

  • Gatekeeper version: v3.15.1
  • Kubernetes version: (use kubectl version):
Client Version: v1.28.7
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.16-eks-2f46c53

josephlim75 commented Sep 15 '24 02:09

@josephlim75 I think there is a bug in the rego in the template. Try the template below:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenynamespacedeletion
spec:
  crd:
    spec:
      names:
        kind: K8sDenyNamespaceDeletion
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynamespacedeletion

        # Gatekeeper exposes the AdmissionRequest under input.review (not input.request)
        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Namespace"
          input.review.operation == "DELETE"
          msg := "Deletion of namespace is not allowed. It is in the list of prohibited namespaces."
        }

To enable validation of DELETE requests, just set enableDeleteOperations to true.

JaydipGabani commented Sep 23 '24 22:09
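A way to check the corrected template offline with `opa test` before it reaches the cluster, as an added example that is not part of this thread. It assumes the rego block of the corrected template has been saved as `policy.rego`, that this file is saved beside it as `policy_test.rego`, and the AdmissionReview request below is constructed for the test.

```rego
package k8sdenynamespacedeletion

# Constructed AdmissionRequest, shaped the way Gatekeeper exposes it under input.review
delete_ns_review := {
	"kind": {"group": "", "version": "v1", "kind": "Namespace"},
	"operation": "DELETE",
	"name": "dev",
	"oldObject": {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "dev"}}
}

# The original template's condition (input.request.*), copied here only to show why it never fires
buggy_violation[msg] {
	input.request.kind.kind == "Namespace"
	input.request.operation == "DELETE"
	msg := "deny"
}

# The corrected rule produces exactly one violation for a namespace DELETE
test_corrected_rule_denies_namespace_delete {
	count(violation) == 1 with input as {"review": delete_ns_review}
}

# A CREATE of the same namespace is not a violation
test_corrected_rule_allows_namespace_create {
	create_review := object.union(delete_ns_review, {"operation": "CREATE"})
	count(violation) == 0 with input as {"review": create_review}
}

# Against real Gatekeeper input, input.request is undefined, so the original rule silently allows the delete
test_original_rule_never_fires_on_gatekeeper_input {
	count(buggy_violation) == 0 with input as {"review": delete_ns_review}
}
```

Run `opa test -v .` in that directory; on OPA 1.0 or later add `--v0-compatible`, because the template uses the pre-1.0 rule syntax that Gatekeeper v3.15 loads.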

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

stale[bot] commented Nov 23 '24 19:11