validate ConstraintTemplate via admission #3760

Open
grosser opened this issue Jan 2, 2025 · 9 comments
Labels
enhancement New feature or request

Comments

@grosser
Contributor

grosser commented Jan 2, 2025

Describe the solution you'd like
The validation webhook should block invalid ConstraintTemplates, because otherwise a deploy via, for example, kubectl apply will succeed but the reconcile will fail forever.

Anything else you would like to add:

I have this config for my validation webhook, so afaik ConstraintTemplate is covered

  - apiGroups:
    - config.gatekeeper.sh
    - constraints.gatekeeper.sh
    - templates.gatekeeper.sh
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    resources:
    - '*'
    scope: '*'

When editing a ConstraintTemplate to be invalid, Kubernetes does not complain, but the reconciler fails.

Environment:

  • Gatekeeper version: v3.17.1
  • Kubernetes version: (use kubectl version): 1.30.1
@grosser grosser added the enhancement New feature or request label Jan 2, 2025
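Because admission accepts a template with broken Rego, the only in-cluster signal of the failure described above is the status Gatekeeper writes back to the ConstraintTemplate. The following script is an added example (not code from this issue or from the Gatekeeper project): it reads `kubectl get constrainttemplates -o json` output and flags templates whose `status.byPod` entries carry errors or whose `observedGeneration` lags `metadata.generation`. The sample list, template names, pod ids and error message are constructed.

```python
import json
from typing import Dict, List

# Constructed sample of `kubectl get constrainttemplates -o json` output; names, pod ids and message are made up.
SAMPLE_LIST = json.dumps({"items": [
    {   # healthy: every pod reports the current generation with no errors
        "metadata": {"name": "k8srequiredlabels", "generation": 1},
        "status": {"byPod": [
            {"id": "gatekeeper-audit-0", "observedGeneration": 1, "errors": []}]},
    },
    {   # edited to invalid Rego: kubectl apply succeeded, the reconcile did not
        "metadata": {"name": "k8sbadrego", "generation": 3},
        "status": {"byPod": [
            {"id": "gatekeeper-controller-0", "observedGeneration": 3,
             "errors": [{"code": "ingest_error",
                         "message": "constructed: rego_parse_error: unexpected eof"}]},
            {"id": "gatekeeper-audit-0", "observedGeneration": 2, "errors": []},
        ]},
    },
]})


def find_broken_templates(ct_list: dict) -> Dict[str, List[str]]:
    """Map template name -> reasons it is unhealthy, from the status Gatekeeper
    writes back: a per-pod error, or an observedGeneration that lags the
    template's metadata.generation (the latest edit was never ingested)."""
    broken: Dict[str, List[str]] = {}
    for item in ct_list.get("items", []):
        name = item["metadata"]["name"]
        generation = item["metadata"].get("generation", 0)
        for pod in item.get("status", {}).get("byPod") or []:
            pod_id = pod.get("id", "<unknown pod>")
            for err in pod.get("errors") or []:
                broken.setdefault(name, []).append(
                    f"{pod_id}: {err.get('code', 'error')}: {err.get('message', '')}")
            observed = pod.get("observedGeneration")
            if observed is not None and observed < generation:
                broken.setdefault(name, []).append(
                    f"{pod_id}: observedGeneration {observed} < generation {generation}")
    return broken


def scan(kubectl_json: str) -> Dict[str, List[str]]:
    """Parse kubectl JSON output and return the unhealthy templates."""
    return find_broken_templates(json.loads(kubectl_json))


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LIST).items():
        print(name, *reasons, sep="\n  ")
```

A template that has no `byPod` entries yet is not flagged, since no pod has reported on it; pipe live `kubectl` output into `scan` to use it against a cluster.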
@JaydipGabani
Contributor

@grosser could you share how to reproduce this exactly?

@grosser
Contributor Author

grosser commented Jan 2, 2025

edit any existing ConstraintTemplate to have invalid rego

@JaydipGabani
Contributor

JaydipGabani commented Jan 2, 2025

@grosser We used to have the validate-template-rego flag - https://open-policy-agent.github.io/gatekeeper/website/docs/v3.15.x/constrainttemplates/. But this was deprecated and removed in 3.16 in favor of using gator verify to validate templates, and adding the CEL engine to support CEL as a policy language as well. Hence validation of Rego is not supported.

@grosser
Contributor Author

grosser commented Jan 2, 2025

having to use some external tool is a bit cumbersome, especially if that tool is not version-locked with gatekeeper releases, so I have to install the correct version of the tool and trust it does exactly what gatekeeper does

I like the idea of a controller validating its CRDs so that an invalid CRD can't be deployed.

@JaydipGabani
Contributor

gator is also owned by us and is released/paired with each gatekeeper version. If you haven't looked at it yet, PTAL - https://open-policy-agent.github.io/gatekeeper/website/docs/gator. It's a very good tool to validate resources in shift left, even before deploying to k8s cluster.

@grosser
Contributor Author

grosser commented Jan 3, 2025

I'll take another look, thx.

Still prefer in-cluster validation even if that's just a fail-safe or very crude (did not parse -> denied),
being able to deploy invalid config and then it just sitting there was very confusing and let us roll out a bad change without anyone noticing.

@JaydipGabani
Contributor

@grosser were you able to look at gator and satisfy the use case you are looking for?

@grosser
Contributor Author

grosser commented Jan 8, 2025

not yet, but I think it should work
... if the feature is not planned then just close the issue

@JaydipGabani
Contributor

Yeah, I don't think we have this on the roadmap. I am interested in what others think. @open-policy-agent/gatekeeper-maintainers PTAL.
