Not able to verify NodeSelector Exists or not about contrib HOT 19 CLOSED

I don't think you need to count the nodeSelector attributes - simply checking for existence would be enough.

deny[reason] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    input.request.object.spec.nodeSelector

    reason := "pod with nodeselector not allowed at the specified location"
}

You'd probably want to do the same for UPDATE requests too.

from contrib.

@anderseknert I am getting this output for both cases, its not giving desired output msg in rego playground

{
"deny": []
}

from contrib.

Could you provide a link to your playground policy and input? Just use the "Publish" button and then copy the link.

from contrib.

here you go:- https://play.openpolicyagent.org/p/rTXkV6cu5H

from contrib.

Thanks! You don't seem to have the object attribute under input.request .. but rather the spec is placed right under it.

from contrib.

Tried again :- https://play.openpolicyagent.org/p/ct4wlWvgps I am getting same output, not sure what this means

from contrib.

Looking closer, there isn't even a request object in your input. You'd need to add both that and object if you want to mimic an AdmissionReview request.

from contrib.

This seems to be a correct input, but result is still same. https://play.openpolicyagent.org/p/bi0iR3n4kx

from contrib.

There is no operation in the input of your request.

from contrib.

https://play.openpolicyagent.org/p/aSPRSRElHq same output @anderseknert I am not sure what I am doing wrong

from contrib.

Your policy is right, but your data isn't. The operation attribute needs to be under input.request, not input.request.object. Though in this latest version of your data you seem to also have removed the nodeSelector from the pod spec, so you'll need to add that back too in order for the deny rule to evaluate.

from contrib.

https://play.openpolicyagent.org/p/gz38aKkPF5 This is working as expected it seems

from contrib.

Yes, the policy was correct but your input data wasn't. I guess you can close the issue now :)

from contrib.

@anderseknert I tried using this policy, in my kubernetes cluster, I was able to create pods even with nodeselector, this policy seems not to work.

from contrib.

Not sure how you come to that conclusion after having verified the policy with real input data. It seems more likely that something is missing in your admission controller webhook configuration.

from contrib.

I have used following webhook confg:

kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
name: opa-validating-webhook
webhooks:

• name: validating-webhook.openpolicyagent.org
  namespaceSelector:
  matchExpressions:
  • key: openpolicyagent.org/webhook
    operator: NotIn
    values:
    • ignore
      rules:
  • operations: ["CREATE", "UPDATE"]
    apiGroups: [""]
    apiVersions: [""]
    resources: ["*"]
    clientConfig:
    caBundle: something
    service:
    namespace: opa
    name: opa

from contrib.

Have you been following the steps outlined in the tutorial here?

from contrib.

following this tutorial: https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/#3-deploy-opa-on-top-of-kubernetes
I got annotation status ok, is it because of deprecated v1beta version in webhook file, I am using minikube for poc, really stuck here.

from contrib.

Going to close this for now since it's been almost a year. Did you manage to solve this eventually?

from contrib.