Provided ConstraintTemplates don't get trigger violations when audit runs #59

Closed
ralgozino opened this issue May 16, 2022 · 0 comments · Fixed by #61
Comments


ralgozino commented May 16, 2022

Since we added the check for the review.operation to the provided ConstraintTemplates, like this:

```rego
# Check added to the provided ConstraintTemplates: only evaluate the rule
# body for CREATE/UPDATE admission reviews.
not input.parameters.excludeIstio
operation := input.review.operation
any([operation == "CREATE", operation == "UPDATE"])
operation != "DELETE"
```

the audit process doesn't trigger a violation for the constraints created from the template, because the operation is not set when the audit process runs.

Related: open-policy-agent/gatekeeper#333

IMPORTANT: the Admission is not affected, this is only an audit issue. For example, pods that didn't comply with a policy get properly rejected because the review.operation is set.
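The two evaluation paths described in this issue, as an added example that is not code from the project: a hypothetical Gatekeeper ConstraintTemplate rule (the package name, the privileged-container check and the `opa test` inputs are all constructed for illustration) showing why the original check silently skips audit and how a second rule body covers the case where `input.review.operation` is absent. It uses the same pre-1.0 Rego syntax as the snippet above.

```rego
package k8sexample  # hypothetical package name, not the project's

# Added example, not the project's template. Written in the pre-1.0 Rego
# syntax used by Gatekeeper templates at the time of this issue; on OPA >= 1.0
# run it with `opa test --v0-compatible`.

# Original pattern from the issue: during audit the review carries the object
# but no `operation`, so `operation := input.review.operation` is undefined,
# the whole body is undefined, and no violation is ever produced.
admission_only_operation {
    operation := input.review.operation
    any([operation == "CREATE", operation == "UPDATE"])
}

# Fixed pattern: keep the admission check as it was ...
relevant_operation {
    operation := input.review.operation
    any([operation == "CREATE", operation == "UPDATE"])
}

# ... and add a second body that is true when the key is absent altogether,
# which is exactly the audit case (`not` on an undefined reference is true).
# A DELETE admission review matches neither body, so admission behaviour is unchanged.
relevant_operation {
    not input.review.operation
}

# Hypothetical policy body standing in for whatever the real template checks:
# deny privileged containers. `excludeIstio` is the parameter named in the issue.
violation[{"msg": msg}] {
    not input.parameters.excludeIstio
    relevant_operation
    container := input.review.object.spec.containers[_]
    container.securityContext.privileged == true
    msg := sprintf("privileged container %v is not allowed", [container.name])
}

# Constructed test input for `opa test`: one privileged pod, seen through an
# admission review (operation set) and through an audit review (no operation
# key). Both must violate; a DELETE must not.
privileged_pod := {
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {"containers": [{"name": "app", "securityContext": {"privileged": true}}]}
}

test_admission_create_violates {
    count(violation) == 1 with input as {
        "review": {"operation": "CREATE", "object": privileged_pod},
        "parameters": {}
    }
}

test_audit_without_operation_violates {
    count(violation) == 1 with input as {
        "review": {"object": privileged_pod},
        "parameters": {}
    }
}

test_audit_is_skipped_by_original_pattern {
    not admission_only_operation with input as {"review": {"object": privileged_pod}}
}

test_delete_does_not_violate {
    count(violation) == 0 with input as {
        "review": {"operation": "DELETE", "object": privileged_pod},
        "parameters": {}
    }
}
```

Save the block as a single `.rego` file and run `opa test .` against it; the third test is the one that reproduces the bug in this issue, and the second is the one that should be part of any template's test suite so that audit coverage is exercised, not just admission.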

@ralgozino ralgozino added the bug Something isn't working label May 16, 2022
@ralgozino ralgozino added this to the v2.0.0 milestone May 16, 2022
@ralgozino ralgozino self-assigned this May 16, 2022
ralgozino added a commit that referenced this issue May 16, 2022
- Update provided ConstraintTemplates to consider the case that `input.review.operation` is not set when the audit process runs.
@ralgozino ralgozino changed the title Provided ConstraintTemplates don't get triggered when audit runs Provided ConstraintTemplates don't get trigger violations when audit runs May 16, 2022
@ralgozino ralgozino modified the milestones: v2.0.0, v1.7.0 Aug 5, 2022