`warn` doesn't allow namespace deletion
infa-ddeore opened this issue
Deepak Deore commented
I have a policy to deny everything about namespace changes, this is just for testing, not a real use-case
```yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "pod-policy.example.com"
spec:
  operations: ["*"]
  resources: ["namespaces"]
  javascript: |
    // print will print a message to jsPolicies pod log
    print("Incoming request for: " + request.object.metadata?.name);
    print(request.object);
    warn("forbidden-annotation is not allowed");
```
It works fine, but deleting a namespace gives a weird error instead of forbidden; also, it doesn't allow the delete
```
$ k delete ns dd
Error from server: admission webhook "pod-policy.example.com" denied the request: Uncaught TypeError: Cannot read property 'metadata' of null
at pod-policy.example.com:1:1594
at pod-policy.example.com:1:1779
```
Fabian Kramm commented
@infa-ddeore thanks for creating this issue! The problem is that during delete requests `request.object` is undefined and instead `request.oldObject` is defined, so you need to adjust the policy to this:
```yaml
apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "pod-policy.example.com"
spec:
  operations: ["*"]
  resources: ["namespaces"]
  javascript: |
    // print will print a message to jsPolicies pod log
    print("Incoming request for: " + (request.object?.metadata?.name || request.oldObject?.metadata?.name));
    print(request.object);
    warn("forbidden-annotation is not allowed");
```
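The difference between the two policy bodies above, reproduced outside the cluster as an added example that is not part of the original thread or of jsPolicy's code. The function names (`naivePolicy`, `safePolicy`, `targetOf`, `evaluate`) are hypothetical, the requests are constructed samples, and `evaluate` only models the deny-on-exception behaviour visible in the error output above.

```javascript
// Added example, runnable with plain Node.js; jsPolicy itself is not needed.
// All function names are hypothetical and the requests are constructed samples
// shaped like a Kubernetes AdmissionRequest (object / oldObject / operation).
const NS = { kind: "Namespace", metadata: { name: "dd" } };
const SAMPLES = [
  { operation: "CREATE", object: NS, oldObject: null },
  { operation: "UPDATE", object: NS, oldObject: NS },
  { operation: "DELETE", object: null, oldObject: NS }, // object is null on delete
];

// Policy body from the issue: dereferences request.object unconditionally.
function naivePolicy(request) {
  return "Incoming request for: " + request.object.metadata?.name;
}

// Pick the object to inspect: incoming object if present, else the existing one.
function targetOf(request) {
  return request.object ?? request.oldObject ?? null;
}

// Null-safe variant that works for every operation.
function safePolicy(request) {
  return "Incoming request for: " + (targetOf(request)?.metadata?.name ?? "<unknown>");
}

// Model of the behaviour seen in the issue: an uncaught exception in the
// policy script is reported as a denial rather than an allow-with-warning.
function evaluate(policy, request) {
  try {
    const log = policy(request);
    return { allowed: true, log, warnings: ["forbidden-annotation is not allowed"] };
  } catch (err) {
    return { allowed: false, message: "Uncaught " + err.name + ": " + err.message };
  }
}

for (const req of SAMPLES) {
  for (const policy of [naivePolicy, safePolicy]) {
    const res = evaluate(policy, req);
    console.log(req.operation.padEnd(6), policy.name.padEnd(11),
      res.allowed ? "allowed  " + res.log : "DENIED   " + res.message);
  }
}
```

A policy that only calls `warn` still blocks any operation on which its script throws, which is why the namespace delete was rejected.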
Deepak Deore commented
thx @FabianKramm for the quick response and explaining the cause of this issue, so it's not a bug :-)