Comments (19)
I don't think you need to count the `nodeSelector` attributes - simply checking for existence would be enough.

```rego
deny[reason] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    # bare reference: undefined when the pod spec has no nodeSelector, so the rule does not fire
    input.request.object.spec.nodeSelector
    reason := "pod with nodeselector not allowed at the specified location"
}
```

You'd probably want to do the same for UPDATE requests too.
from contrib.
@anderseknert I am getting this output for both cases; it's not giving the desired output msg in the Rego playground:

```json
{
  "deny": []
}
```
Could you provide a link to your playground policy and input? Just use the "Publish" button and then copy the link.
Here you go: https://play.openpolicyagent.org/p/rTXkV6cu5H
Thanks! You don't seem to have the `object` attribute under `input.request`, but rather the `spec` is placed right under it.
Tried again: https://play.openpolicyagent.org/p/ct4wlWvgps I am getting the same output, not sure what this means.
Looking closer, there isn't even a `request` object in your input. You'd need to add both that and `object` if you want to mimic an AdmissionReview request.
This seems to be a correct input, but the result is still the same. https://play.openpolicyagent.org/p/bi0iR3n4kx
There is no `operation` in the input of your request.
https://play.openpolicyagent.org/p/aSPRSRElHq Same output, @anderseknert. I am not sure what I am doing wrong.
Your policy is right, but your data isn't. The `operation` attribute needs to be under `input.request`, not `input.request.object`. Though in this latest version of your data you seem to also have removed the `nodeSelector` from the pod spec, so you'll need to add that back too in order for the deny rule to evaluate.
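The policy from the first reply, extended to cover UPDATE as suggested there, together with `opa test` cases that pin down both the correct AdmissionReview input shape and the two malformed shapes that came up in this thread (spec directly under `request`, and `operation` under `request.object`). This is an added example, not code from the thread or from the OPA project: it uses the `import rego.v1` syntax (OPA 0.59 or later) instead of the older `deny[reason] { ... }` form shown above, and the `pod_review` helper, the sample UID, the pod name and the `disktype: ssd` selector are constructed for the example.

```rego
package kubernetes.admission

import rego.v1

# Operations on which the nodeSelector restriction is enforced.
restricted_operations := {"CREATE", "UPDATE"}

# Deny a Pod create/update whose spec carries a nodeSelector. Every
# expression in the body must be defined and true; if the input has no
# request.object.spec.nodeSelector the body is undefined, nothing is added
# to the set and the request is allowed. An empty map ("nodeSelector": {})
# is defined, so it is still denied by this existence check.
deny contains reason if {
    input.request.kind.kind == "Pod"
    input.request.operation in restricted_operations
    input.request.object.spec.nodeSelector
    reason := "pod with nodeselector not allowed at the specified location"
}

# Constructed helper that builds an input shaped like the AdmissionReview the
# API server sends: kind, operation and object all live under input.request,
# and the Pod spec lives under request.object.
pod_review(operation, spec) := {"request": {
    "uid": "00000000-0000-0000-0000-000000000000",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "operation": operation,
    "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": spec}
}}

# Constructed sample pod specs.
with_selector := {"containers": [], "nodeSelector": {"disktype": "ssd"}}

without_selector := {"containers": []}

# --- tests: run with `opa test -v <file>.rego` ---

test_create_with_nodeselector_denied if {
    "pod with nodeselector not allowed at the specified location" in deny with input as pod_review("CREATE", with_selector)
}

test_update_with_nodeselector_denied if {
    count(deny) == 1 with input as pod_review("UPDATE", with_selector)
}

test_pod_without_nodeselector_allowed if {
    count(deny) == 0 with input as pod_review("CREATE", without_selector)
}

test_delete_not_restricted if {
    count(deny) == 0 with input as pod_review("DELETE", with_selector)
}

test_other_kinds_ignored if {
    review := json.patch(pod_review("CREATE", with_selector), [{"op": "replace", "path": "/request/kind/kind", "value": "Deployment"}])
    count(deny) == 0 with input as review
}

# The two malformed shapes from this thread. Both leave the rule body
# undefined, so deny stays empty: the policy is fine, the input is not.
test_spec_directly_under_request_is_not_matched if {
    count(deny) == 0 with input as {"request": {"kind": {"kind": "Pod"}, "operation": "CREATE", "spec": with_selector}}
}

test_operation_under_object_is_not_matched if {
    count(deny) == 0 with input as {"request": {"kind": {"kind": "Pod"}, "object": {"operation": "CREATE", "spec": with_selector}}}
}
```

Running `opa test -v` on the file exercises the rule against every shape; the last two tests are the useful ones when a policy "does nothing", because they show that a silently undefined body, not a bug in the rule, is what produces `"deny": []`. When the same policy is loaded into a cluster, the input it sees is whatever the admission webhook forwards, so a policy that passes these tests and still allows the pod points at the webhook configuration rather than the Rego.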
https://play.openpolicyagent.org/p/gz38aKkPF5 This is working as expected, it seems.
Yes, the policy was correct but your input data wasn't. I guess you can close the issue now :)
@anderseknert I tried using this policy in my Kubernetes cluster; I was able to create pods even with a nodeSelector, so this policy seems not to work.
Not sure how you come to that conclusion after having verified the policy with real input data. It seems more likely that something is missing in your admission controller webhook configuration.
I have used the following webhook config:

```yaml
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
  name: opa-validating-webhook
webhooks:
  - name: validating-webhook.openpolicyagent.org
    namespaceSelector:
      matchExpressions:
        - key: openpolicyagent.org/webhook
          operator: NotIn
          values:
            - ignore
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["*"]
    clientConfig:
      caBundle: something
      service:
        namespace: opa
        name: opa
```
Have you been following the steps outlined in the tutorial here?
Following this tutorial: https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/#3-deploy-opa-on-top-of-kubernetes
I got annotation status ok. Is it because of the deprecated v1beta version in the webhook file? I am using minikube for the PoC, really stuck here.
Going to close this for now since it's been almost a year. Did you manage to solve this eventually?