Admission validation of constraint template rego #3008
Comments
Which kind of validation was this? This one? |
|
this is regarding behavior below I believe before v3.13: $ kubectl edit constrainttemplate k8sallowedrepos
<edit with invalid rego>
Error from server: error when applying patch:
{"metadata":{"annotations":{"[kubectl.kubernetes.io/last-applied-configuration](http://kubectl.kubernetes.io/last-applied-configuration)":"{\"apiVersion\":\"templates.gatekeeper.sh/v1beta1\",\"kind\":\"ConstraintTemplate\",\"metadata\":{\"annotations\":{},\"name\":\"k8sallowedrepos\"},\"spec\":{\"crd\":{\"spec\":{\"names\":{\"kind\":\"K8sAllowedRepos\"},\"validation\":{\"openAPIV3Schema\":{\"properties\":{\"repos\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}}}}}},\"targets\":[{\"rego\":\"package k8sallowedrepos2\\n\",\"target\":\"admission.k8s.gatekeeper.sh\"}]}}\n"}},"spec":{"targets":[{"rego":"package k8sallowedrepos2\n","target":"admission.k8s.gatekeeper.sh"}]}}
to:
Resource: "templates.gatekeeper.sh/v1beta1, Resource=constrainttemplates", GroupVersionKind: "templates.gatekeeper.sh/v1beta1, Kind=ConstraintTemplate"
Name: "k8sallowedrepos", Namespace: ""
for: "/home/sozercan/examples/validation/allowedrepos-template.yaml": error when patching "/home/sozercan/examples/validation/allowedrepos-template.yaml": admission webhook "validation.gatekeeper.sh" denied the request: invalid ConstraintTemplate: invalid rego: invalid module: missing required rules: [violation]after v3.13, it doesn't have a validation error anymore. User can edit and deploy a invalid rego instead of failing fast. Compilation error will be in the CT status. |
|
Curious why this was dropped for 3.13? Was the thought to move people towards Gator for validation? |
|
It was never a good idea to perform compilation as part of admission. Compilation is a potentially latency-rich process, particularly if we expand to support multiple engines (like we do with CEL). Without knowing the set of languages supported or how they evolve, setting an expectation that we can always compile in real-time was not realistic. Also, the admission webhook does not work 100% of the time (e.g. when Gatekeeper is not yet running). Also, the way it was written hardcoded the assumption that constraint templates would be written in Rego, which was incompatible with supporting VAP. |
|
Is there a field in the status that can be checked on the template to determine when compilation has completed? |
Not as part of the status field today gatekeeper/apis/status/v1beta1/constrainttemplatepodstatus_types.go Lines 30 to 36 in 6503979 We do know whether or not it was successful after but we only update the status errors if there is a failure. |
|
observedGeneration being current + lack of error signifies that compilation was successful IIRC |
There was a behavior change in Gatekeeper 3.13, which removed webhook admission time validation of constraint template rego. There are some existing customers leveraging this validation at runtime, as a form of additional safety and resiliency for constraint template creates/updates.
While recognizing the concerns with compilation at admission time, especially now with multi-engine support, because this validation has been present in stable releases for some time, could we introduce an optional flag to enable this validation for rego, at least while multi-engine is not yet stable?
Gentle note that upgrading our existing customer clusters to 3.13 is currently blocked as we evaluate the impact of this change and determine a path forward.
Appreciate any thoughts/responses! Thanks!
cc @maxsmythe
The text was updated successfully, but these errors were encountered: