-
Notifications
You must be signed in to change notification settings - Fork 769
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rego.v1 syntax #3577
Comments
Does using v1 syntax change the rule name somehow? Here is how Gatekeeper analyzes Rego's rules for presence (via Rego's parsing library): |
Yeah that code will need updating, I believe, but not just for rego.v1. With our without that import, you can have a rule like
and it's not clear what its name would be. You should try using .Ref() instead. |
Thanks! It looks like Ref is a list of Term... is that correct? What does that look like for a more complex reference like what you cited above? I.e. how are brackets handled? Is it possible to have a tree-like structure to these? e.g.
|
Ref is []*Term, yeah, but the possible ref-heads of rules are more limited. I can't find a location right now, but it should be safe to assume that it's only strings and vars. @johanfylling do you know where we enforce that? |
I don't think we do much more enforcement than requiring it to be a valid ref. Any terms containing other things than scalar values and vars - like refs and calls - will be moved into the body and replaced with vars by the compiler. So a compiled rule head's ref should only contain strings and vars, yes; but one that has only been through the parser, I'd not expect to be so clean.
is semantically equivalent to
and will create an object at To create a set-building partial rule in v1 you need to use the
The rule name will only be available for rules where a name can be inferred; which excludes rules with multiple ref terms in the head. Non-ref-head complete rules ( Tree structures can be constructed through rules with multiple variables in the rule head's ref.
is indeed a valid rule head. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
can you share a valid example or is this completely unusable ? |
tried this since it is valid v1 and in strict
but still got |
Is Gator 3.18 ready to evaluate the rego v1 syntax?
v0 minimal example
migrated to v1
This seems to be valid for opa but not for gator. |
where do you see these errors, I tried applying the template and it did not get rejected, is it in opa logs ? |
When running |
ah missed that, we are using just there seems to also be an issue where the actual update of the constrainttemplate is not validated but things then fail internally and we run into kubernetes saying the constraint does not exist |
I found the parse errors by tailing controller manager logs and editing the constrainttemplate,
|
@grosser Same issue here. I've never been able to use |
Hi, sorry if it's a wrong template, i wasn't sure if it's a bug or a feature request. As the OPA which runs inside of the gatekeeper container supports rego.v1 syntax i consider this more like a bug, as the only limiting factor from support rego.v1 is rule-schema at first look.
But feel free to change the label, if you think it's a feature request.
What steps did you take and what happened:
I create a ConstraintTemplate which contains
import rego.v1
line.and get error in ConstraintTemplate status
What did you expect to happen:
I expect it would parse the rule as it supports rego.v1 syntax as if i remove
if
fromviolation[{"msg": msg}] if {
i get another error, which can exist in v1 only:Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Environment:
3.17.1
kubectl version
):The text was updated successfully, but these errors were encountered: