This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

use sync.yaml -> config to load some CRDs to evaluate my OPA Gatekeeper in EKS #165

Closed
peteroneilljr opened this issue Apr 5, 2022 · 0 comments

Comments

@peteroneilljr
Member

peteroneilljr commented Apr 5, 2022

Original Requestor: raje.g.995
Original Thread: https://openpolicyagent.slack.com/archives/CBR63TK2A/p1648828146.908049

Message:

Hi, I am trying to use sync.yaml -> config to load some CRDs to evaluate my OPA Gatekeeper in EKS.

I am facing issues in loading those CRDs. I have installed the sync.yaml correctly.

Steps followed:

1. Installed OPA
2. Installed sync.yaml to load the CRDs dynamically.

Issue:

While evaluating the policy in the ConstraintTemplate, OPA is not able to list those objects.

Sample sync.yaml

# Sync.yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: "gatekeeper-system"
spec:
  sync:
    syncOnly:
      - group: "project.team.orchestrator.predix.io"
        version: "v1alpha1"
        kind: "Environment"
      - group: "project.team.orchestrator.predix.io"
        version: "v1alpha1"
        kind: "DeveloperProjectControl"

Sample policy ConstraintTemplate

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: developerprojectcontrolnotexist
spec:
  crd:
    spec:
      names:
        kind: DeveloperProjectControlNotExist

  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package developerprojectcontrolnotexist

        violation[{"msg": msg1}] {
          input.review.object.kind != "DeveloperProjectControl"
          ns := input.review.object.metadata.namespace

          ns != "NS"
          # Debug line (commented out): dump everything cached for this group/version in the namespace
          # msg1 := sprintf("VALUE - %v ", [data.inventory.namespace[ns]["project.team.orchestrator.predix.io/v1alpha1"]])
          dpcObject := object.get(data.inventory.namespace[ns]["project.team.orchestrator.predix.io/v1alpha1"], "DeveloperProjectControl", "NOTFOUND")
          dpcObject == "NOTFOUND"
          # format string now consumes its argument; the original had no %v placeholder
          msg1 := sprintf("No developerprojectcontrol object present in the namespace %v", [ns])
        }

Here the dpcObject value is {} instead of NOTFOUND when the corresponding DeveloperProjectControl object is not present in the namespace.
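A variant of the check, added here as an example and not part of the original report, that treats an existing-but-empty kind map the same as a missing one. It assumes Gatekeeper's documented cache layout `data.inventory.namespace[<ns>][<group/version>][<kind>][<name>]` and the rego v0 syntax used in the template above; the group/version and kind names are taken from the issue.

```rego
package developerprojectcontrolnotexist

# Added example (not the original poster's code).
# object.get() only returns its default when the key is absent. If the kind key
# exists but maps to an empty object (the {} seen in the report), the default
# "NOTFOUND" is never returned, so the comparison below it never matches.
# Counting the cached entries covers both the "key missing" and "map empty" cases.

# Group/version string as it appears in the issue's sync config (assumed layout).
dpc_group_version = "project.team.orchestrator.predix.io/v1alpha1"

# All DeveloperProjectControl objects cached for namespace ns; {} when none exist
# or when nothing for this namespace/group has been synced yet.
dpc_objects(ns) = objs {
  ns_inv := object.get(data.inventory.namespace, ns, {})
  gv_inv := object.get(ns_inv, dpc_group_version, {})
  objs := object.get(gv_inv, "DeveloperProjectControl", {})
}

violation[{"msg": msg}] {
  input.review.object.kind != "DeveloperProjectControl"
  ns := input.review.object.metadata.namespace
  ns != "NS"
  count(dpc_objects(ns)) == 0
  msg := sprintf("No DeveloperProjectControl object present in namespace %v", [ns])
}
```

If the violation still does not fire, query `data.inventory.namespace[ns]` from the admission webhook's debug output to confirm the Config resource is actually syncing the group/version listed above.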

@open-policy-agent open-policy-agent locked and limited conversation to collaborators Apr 5, 2022
@peteroneilljr peteroneilljr converted this issue into discussion #166 Apr 5, 2022
