Dryrun does not show the violations, For Deny it works. #3569

Closed
anannaya opened this issue Oct 2, 2024 · 5 comments
Labels: bug (Something isn't working)

Comments

anannaya commented Oct 2, 2024

Kubernetes version: v1.29.6-eks-1552ad0
Gatekeeper version: 3.13.4

Example constraint:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DenyAdminRBACResources
metadata:
  name: denyadminrbacresources
spec: 
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRoleBinding","ClusterRole"]

anannaya added the label "bug" Oct 2, 2024


anannaya commented Oct 2, 2024

Actually, I have a validation check for the CREATE and UPDATE operations. Audit does not respect that.
# allowed_operation := { "CREATE","UPDATE" }
# operation := { input.review.operation }
# continue_operation := allowed_operation & operation
# count(continue_operation) > 0

anannaya closed this as completed Oct 2, 2024


ritazh commented Oct 2, 2024

Audit should work with dryrun against resources on the cluster. After the resource is created, you should see the violating resource in the constraint status with Dryrun enforcementAction after an audit run. More info: https://open-policy-agent.github.io/gatekeeper/website/docs/violations#dry-run-enforcement-action

If you continue to see issues, please share repro steps including your ConstraintTemplate, Constraint, and violating resource.


anannaya commented Oct 2, 2024

@ritazh Actually, audit does not show the violation when we have a condition check for the operation; when I commented that code out, the dryrun violation shows up.

apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: allowonlycicdresources
spec:
  crd:
    spec:
      names:
        kind: AllowOnlyCICDResources
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package allowonlycicdresources

        # Annotations that mark an object as created by a CI/CD tool.
        cicd_annotations := { "moniker.spinnaker.io/application","artifact.spinnaker.io/name",
                              "argocd.argoproj.io/tracking-id","argocd.argoproj.io/sync-options" }
        # Operation gate, commented out. With it enabled, audit reports nothing,
        # because input.review.operation is only set on admission requests.
        # allowed_operation := { "CREATE","UPDATE" }
        # operation := { input.review.operation }

        # Set of annotation keys present on the reviewed object (empty if it has none).
        object_annotations := {annotation| input.review.object.metadata.annotations[annotation]}

        # True when at least one required annotation is present on the object.
        # Note: "missing" actually holds the intersection, i.e. the annotations found.
        condition_check(provided, required) {
            missing := required & provided
            count(missing) > 0
        }

        violation[{"msg": msg}] {
          # continue_operation := allowed_operation & operation
          # count(continue_operation) > 0
          not condition_check(object_annotations,cicd_annotations)
          msg := sprintf("Manual %v objects creation not allowed, use CICD.",[input.review.object.metadata.name])
        }



ritazh commented Oct 2, 2024

Ah, I see, your rego explicitly checks input.review.operation for CREATE and UPDATE.
Yeah, this is not populated for audit, as mentioned in https://open-policy-agent.github.io/gatekeeper/website/docs/input/

operation: The operation for the request (e.g. CREATE, UPDATE). This cannot be populated by Kubernetes for audit.
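
One way to keep the CREATE/UPDATE restriction at admission time without silencing audit and dryrun is to treat a missing operation as "in scope". The template below is an added example written for this thread; it is not code from the issue author or from the Gatekeeper project. It assumes, per the input docs linked above, that audit leaves `input.review.operation` absent (it also tolerates an empty string, which is an assumption about how the review is serialized), and it uses Rego v0 syntax as accepted by Gatekeeper 3.13.

```rego
package allowonlycicdresources

# Annotations that mark an object as created by a CI/CD controller.
cicd_annotations := {
    "moniker.spinnaker.io/application",
    "artifact.spinnaker.io/name",
    "argocd.argoproj.io/tracking-id",
    "argocd.argoproj.io/sync-options"
}

# Admission path: only CREATE and UPDATE requests are in scope.
# DELETE and CONNECT are explicitly left alone.
in_scope {
    allowed := {"CREATE", "UPDATE"}
    allowed[input.review.operation]
}

# Audit/dryrun path: Gatekeeper's audit does not populate
# input.review.operation. Assumption: the key is either absent or an
# empty string, so object.get() with a default covers both. Treating
# that case as in scope is what makes existing violators show up in
# the constraint status.
in_scope {
    op := object.get(input.review, "operation", "")
    op == ""
}

# Annotation keys present on the reviewed object (empty set if none).
object_annotations := {a | input.review.object.metadata.annotations[a]}

# At least one CI/CD marker annotation is present.
has_cicd_annotation {
    count(object_annotations & cicd_annotations) > 0
}

violation[{"msg": msg}] {
    in_scope
    not has_cicd_annotation
    msg := sprintf("Manual creation of %v is not allowed; use CI/CD.",
                   [input.review.object.metadata.name])
}
```

With this shape, an admission request for a DELETE is ignored (the first `in_scope` rule is undefined and the second fails because the operation is non-empty), while the audit input, which carries no operation, falls through to the second rule and the object is evaluated against the annotation check. After the next audit run the constraint's `status.violations` should list the unannotated ClusterRoles and ClusterRoleBindings even with `enforcementAction: dryrun`.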


anannaya commented Oct 3, 2024

@ritazh Thanks a lot, it was a miss on my end; I did not go through the documentation.
