-
Notifications
You must be signed in to change notification settings - Fork 764
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
source:generated within constraint.yaml causes gator verify to fail #3432
Comments
Thanks for reporting the issue. |
The desire is to be able to run the expansionTemplate ONLY on Generated resources by explicitly setting the cat << EOF | gator test -f opa/general/forbidden-sysctls -f opa/general/expansion
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello
spec:
replicas: 1
selector:
matchLabels:
app: hello
template:
metadata:
labels:
app: hello
spec:
securityContext:
capabilities:
add:
- SYS_ADMIN
sysctls:
- name: test
value: "1024"
containers:
- name: hello
image: busybox
command: ["sh", "-c"]
args:
- sleep 36010
EOF
apps/v1/Deployment hello: ["k8spspforbiddensysctls"] Message: "[Implied by expand-deployments] The sysctl test is not explicitly allowed, pod: hello-pod. Allowed sysctls: [\"vm.max_map_count\"]" |
https://open-policy-agent.github.io/gatekeeper/website/docs/expansion In your test suite, the pod yaml is not a fake resource. When you remove
|
ok i changed the allowed and disallowed.yaml to a deployment and its still failing:
allowed.yaml
disallowed.yaml
constraint.yaml
|
@ritazh Is there way to inform |
I don't see it in gatekeeper/pkg/gator/verify/runner.go Line 295 in 2af6dfa
to add something like: gatekeeper/pkg/gator/test/test.go Line 98 in 2af6dfa
|
@ritazh - Thank you for your help with this. Then I would like to request this as a feature. |
adding comment to keep alive |
I will read through and start working on this issue |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
What steps did you take and what happened:
I'm using expansionTemplates for the gatekeeper-library policies i'm importing. I'm explicitly setting
spec.match.source: "Generated"
on the constraint.yaml file. I am also using gator verify for testing. I'm having issues where I set the source: "Generated" and my gator verify fails. When i remove source: "Generated" from the constraint.yaml it passes.Failed test:
What did you expect to happen:
I expected the
gator verify opa/tests/...
to pass.constraint.yaml:
template.yaml
suite.yaml:
disallowed.yaml:
allowed:
expansionTemplate
kubectl version
): v1.29.4The text was updated successfully, but these errors were encountered: