loft-sh / jspolicy

jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Home Page:https://www.jspolicy.com


`warn` doesn't allow namespace deletion

infa-ddeore opened this issue · comments

I have a policy to deny everything about namespace changes; this is just for testing, not a real use case.

apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "pod-policy.example.com"
spec:
  operations: ["*"]
  resources: ["namespaces"]
  javascript: |
    // print will print a message to jsPolicies pod log
    print("Incoming request for: " + request.object.metadata?.name);
    print(request.object);
    warn("forbidden-annotation is not allowed");

It works fine, but deleting a namespace gives a weird error instead of "forbidden"; also, it doesn't allow the delete.

$ k delete ns dd
Error from server: admission webhook "pod-policy.example.com" denied the request: Uncaught TypeError: Cannot read property 'metadata' of null
    at pod-policy.example.com:1:1594
    at pod-policy.example.com:1:1779

@infa-ddeore thanks for creating this issue! The problem is that during delete requests `request.object` is undefined and instead `request.oldObject` is defined, so you need to adjust the policy to this:

apiVersion: policy.jspolicy.com/v1beta1
kind: JsPolicy
metadata:
  name: "pod-policy.example.com"
spec:
  operations: ["*"]
  resources: ["namespaces"]
  javascript: |
    // print will print a message to jsPolicies pod log
    // On DELETE requests request.object is not set; the namespace being removed is in request.oldObject
    print("Incoming request for: " + (request.object?.metadata?.name || request.oldObject?.metadata?.name));
    print(request.object);
    warn("forbidden-annotation is not allowed");
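
As an added example (not code from the issue or from the jsPolicy project), the following plain Node.js script models the admission request shape the maintainer describes: a Kubernetes DELETE request carries the resource in `request.oldObject` and leaves `request.object` null, so a policy that only reads `request.object.metadata` throws, and in jsPolicy an uncaught exception is reported as a denial, which is the error shown above. The helper names `targetObject`, `evaluate` and `buggyName`, the annotation key `example.com/forbidden-annotation`, and the returned `{allowed, warnings}` result (used instead of jsPolicy's `deny()`/`warn()` so the code runs outside the webhook) are assumptions for illustration; only `request.operation`, `request.object` and `request.oldObject` mirror the real request fields.

```javascript
// Added example, not jsPolicy's or the issue author's code. Demonstrates why
// a policy must fall back to request.oldObject on DELETE and how to write the
// check so it works for CREATE, UPDATE and DELETE alike.

// Assumed annotation key for the demo; the issue only names "forbidden-annotation".
const FORBIDDEN_ANNOTATION = "example.com/forbidden-annotation";

// Pick the object the admission request is actually about.
// CREATE/UPDATE: request.object holds the incoming resource.
// DELETE: request.object is null and request.oldObject holds the resource
// being removed (the case that broke the original policy).
function targetObject(request) {
  return request.object ?? request.oldObject ?? null;
}

// Policy logic as a pure function returning a result instead of calling
// deny()/warn(), so it can be exercised without a webhook.
function evaluate(request) {
  const obj = targetObject(request);
  const name = obj?.metadata?.name ?? "<unknown>";
  const result = { operation: request.operation, name, allowed: true, warnings: [] };

  if (obj === null) {
    // Neither field present (e.g. CONNECT on a subresource): warn, never throw,
    // because an uncaught exception in a policy denies the request.
    result.warnings.push("request carries no object to inspect");
    return result;
  }

  const annotations = obj.metadata?.annotations ?? {};
  if (FORBIDDEN_ANNOTATION in annotations) {
    result.allowed = false;
    result.reason = `${request.operation} on ${name}: ${FORBIDDEN_ANNOTATION} is not allowed`;
  }
  return result;
}

// The shape of the original policy's first line, kept for contrast:
// dereferences request.object directly and throws on DELETE.
function buggyName(request) {
  return request.object.metadata?.name;
}

// Constructed sample requests shaped like AdmissionReview.request.
const createReq = {
  operation: "CREATE",
  object: { metadata: { name: "dd", annotations: { [FORBIDDEN_ANNOTATION]: "yes" } } },
  oldObject: null,
};
const deleteReq = {
  operation: "DELETE",
  object: null,
  oldObject: { metadata: { name: "dd" } },
};
const deleteAnnotatedReq = {
  operation: "DELETE",
  object: null,
  oldObject: { metadata: { name: "dd", annotations: { [FORBIDDEN_ANNOTATION]: "yes" } } },
};

console.log(evaluate(createReq));          // denied: annotation on incoming object
console.log(evaluate(deleteReq));          // allowed: oldObject inspected, no annotation
console.log(evaluate(deleteAnnotatedReq)); // denied: annotation found on the object being deleted
try {
  buggyName(deleteReq);
} catch (e) {
  console.log("original policy on DELETE:", e.constructor.name, e.message);
}
```

Reading the object this way also lets a delete policy inspect the resource being removed (labels, annotations, finalizers) rather than only its name, which `request.object` alone never gives you on DELETE.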

Thanks @FabianKramm for the quick response and for explaining the cause of this issue, so it's not a bug :-)