constraint status error in 3.17.0-rc #3492

Closed
ritazh opened this issue Aug 13, 2024 · 3 comments · Fixed by #3493

ritazh commented Aug 13, 2024

Using CEL expression https://github.com/open-policy-agent/gatekeeper-library/blob/master/artifacthub/library/general/requiredlabels/1.1.1/template.yaml#L47 and 3.17.0-rc results in:
failed expression or Conditions are not satisfied to generate ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding, cannot generate ValidatingAdmissionPolicyBinding

ritazh transferred this issue from open-policy-agent/gatekeeper-library Aug 13, 2024

ritazh commented Aug 13, 2024

This seems to be caused by https://github.com/open-policy-agent/gatekeeper/blob/master/pkg/controller/constraint/constraint_controller.go#L565
A constraint status error is generated even when the VAP engine and "generateVap" are not present.

ritazh changed the title from "[requiredlabels] - failed expression" to "constraint status error in 3.17.0-rc" Aug 13, 2024
JaydipGabani added a commit to JaydipGabani/gatekeeper that referenced this issue Aug 13, 2024
…gent#3492

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>

Markieta commented Sep 6, 2024

@ritazh I seem to be encountering this issue on v3.17.0. I thought it might've been related to the recent template library updates, but those still work on v3.16.3.

Examples below:

pss-baseline-v2022-host-namespaces-hostnetwork:

failed expression: (has(request.operation) && request.operation == "UPDATE") || (!has(variables.params.hostNetwork) || !variables.params.hostNetwork ? (has(variables.anyObject.spec.hostNetwork) && !variables.anyObject.spec.hostNetwork) : true)

pss-baseline-v2022-proc-mount-type:

failed expression: (has(request.operation) && request.operation == "UPDATE") || size(variables.badContainers) == 0

&

ProcMount type is not allowed, container: kube-proxy. Allowed procMount types: default
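
A hand-translated Python model of the hostNetwork expression quoted in the comment above, added here as an example (not code from Gatekeeper, the template library, or any commenter); it enumerates which constructed inputs make the expression evaluate to false. It assumes CEL's standard precedence (the ternary binds looser than `||`) and that `has()` is false for an unset field; all function and variable names are hypothetical.

```python
from itertools import product

# Constructed marker for "field not set", i.e. CEL has(...) == false.
ABSENT = object()


def has(value):
    """Model of CEL has(): true only when the field is present."""
    return value is not ABSENT


def host_network_expr(operation, param_host_network, spec_host_network):
    """Hand translation of the quoted hostNetwork validation expression.

    Because ?: binds looser than ||, the ternary condition is the whole of
    (!has(params.hostNetwork) || !params.hostNetwork).
    """
    if operation == "UPDATE":
        return True
    host_network_not_allowed = (not has(param_host_network)) or (not param_host_network)
    if host_network_not_allowed:
        # Passes only when the pod sets hostNetwork explicitly to false.
        return has(spec_host_network) and not spec_host_network
    return True


def failing_inputs():
    """Return every (operation, params.hostNetwork, spec.hostNetwork)
    combination for which the expression is false (a reported violation)."""
    states = (ABSENT, False, True)
    label = {ABSENT: "absent", False: "false", True: "true"}
    failures = []
    for op, param, spec in product(("CREATE", "UPDATE"), states, states):
        if not host_network_expr(op, param, spec):
            failures.append((op, label[param], label[spec]))
    return failures


if __name__ == "__main__":
    for row in failing_inputs():
        print("operation=%s params.hostNetwork=%s spec.hostNetwork=%s" % row)
```

In this model the rows with `spec.hostNetwork` absent are the cases where an object that never sets the field still produces a failed expression.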

maxsmythe commented

Might be bugs in the VAP-CEL in the constraint template. hostnamespaces-hostnetwork may be fixed by this:

open-policy-agent/gatekeeper-library#589

If you had been exempting kube-proxy container, this PR may fix that:
open-policy-agent/gatekeeper-library#588
