Comments (10)
Thanks @patoarvizu for helping to reproduce the issue. Sorry about the delay in looking into this. I'll try to reproduce this myself tomorrow.
from kube-mgmt.
I could reproduce the issue and the implementation for the --policies=* feature doesn't seem to be doing what it's supposed to. Working on a fix for it.
from kube-mgmt.
Yes, with --policies=* kube-mgmt should look for policies in all namespaces. Since you also specified --require-policy-label=true, have you also labelled the configmaps in the other namespaces?
from kube-mgmt.
Yup I had done that @ashutosh-narkar, I could only get it to pick up policies when using --policies=a,b,c and being explicit with namespaces.
from kube-mgmt.
@ashutosh-narkar could I be missing anything else here? have tried various things and had no luck with --policies=* it is working only if I use --policies with an explicit namespace.
from kube-mgmt.
You can remove --enable-policies=true as it's true by default (https://github.com/open-policy-agent/kube-mgmt/blob/master/cmd/kube-mgmt/main.go#L71). Also maybe try enclosing the arguments in quotes, e.g. "--policies=*". Let me know if this doesn't work and I can try this out.
from kube-mgmt.
No luck @ashutosh-narkar, no combination of quotes gets it working using --policies=* but as soon as I change it to --policies=test being the namespace my policy is in it loads it fine.
from kube-mgmt.
Ok @stefansedich, I will try this out too.
from kube-mgmt.
I'm seeing similar behavior but it seems to be inconsistent. One thing I noticed that I could kind of consistently reproduce but didn't make sense is that if I launch with --policies=* --require-policy-label=false, it won't discover policies even if they're in the opa namespace and have openpolicyagent.org/policy: rego on the ConfigMap. However, if I then set --require-policy-label=false, the ConfigMaps did get the openpolicyagent.org/policy-status: '{"status":"ok"}' annotation. It doesn't make sense that switching from enforcing the label to not enforcing it will suddenly make it work.
I couldn't reproduce this behavior consistently, but I seemed to be able to reproduce it very often. I was applying changes and checking the objects in quick succession, so it's possible there's some race condition that made the behavior inconsistent.
I tested on both 0.10 and 0.11, on Kubernetes (k3s) 1.15. I can try running more tests later if I have time.
from kube-mgmt.
PR: #64.
As mentioned in the PR commit, the --policies=* option was breaking the config map matching logic. It would appear to work (mistakenly) in cases where --policies=* is set and --require-policy-label=false but the config map had the label openpolicyagent.org/policy=rego. This behavior was observed by @patoarvizu as well.
Also it would be recommended to use the --require-policy-label=true option in conjunction with --policies=*. You would also need to give OPA/kube-mgmt a ClusterRole that allows it to annotate config maps in all namespaces.
from kube-mgmt.
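The setup recommended in the last comment (--policies=* together with --require-policy-label=true), sketched as manifests. This is an added example, not part of the thread or the project's own manifests; the role name opa-configmap-manager, the service account opa in namespace opa, and the ConfigMap name example-policy are assumptions, while the label and the test namespace are taken from the comments above.

```yaml
# Added example. Assumed names: opa-configmap-manager, service account
# "opa" in namespace "opa", ConfigMap "example-policy".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: opa-configmap-manager
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    # get/list/watch: discover ConfigMaps in every namespace.
    # update/patch: write the openpolicyagent.org/policy-status annotation.
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opa-configmap-manager
subjects:
  - kind: ServiceAccount
    name: opa          # assumed service account used by the OPA/kube-mgmt pod
    namespace: opa     # assumed namespace of the deployment
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opa-configmap-manager
---
# A policy ConfigMap outside the OPA namespace. With
# --require-policy-label=true only ConfigMaps carrying this label are loaded.
apiVersion: v1
kind: ConfigMap
metadata:
  name: example-policy
  namespace: test
  labels:
    openpolicyagent.org/policy: rego
data:
  example.rego: |
    package example
    default allow = false
```

The ClusterRole grants write access to every ConfigMap in the cluster, so requiring the label keeps kube-mgmt from loading unlabelled ConfigMaps as policy, and the service account should be used by nothing but the OPA pod.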