Not able to verify NodeSelector Exists or not
bj-1795 opened this issue · comments
Hi, I am new to OPA. I want to add a policy that a nodeSelector should exist in a pod.
I have written the code below, but I am not able to wrap my head around the issue with it, as I am not getting the desired output.
package kubernetes.admission
deny[reason] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    input.request.object.spec.nodeSelector
    not count(input.request.object.spec.nodeSelector) > 0
    reason := "pod with nodeselector not allowed at the specified location"
}
Output:-
{
  "deny": []
}
I don't think you need to count the nodeSelector attributes - simply checking for existence would be enough.
deny[reason] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    input.request.object.spec.nodeSelector
    reason := "pod with nodeselector not allowed at the specified location"
}
You'd probably want to do the same for UPDATE requests too.
@anderseknert I am getting this output for both cases; it's not giving the desired output message in the Rego playground.
{
"deny": []
}
Could you provide a link to your playground policy and input? Just use the "Publish" button and then copy the link.
Here you go: https://play.openpolicyagent.org/p/rTXkV6cu5H
Thanks! You don't seem to have the object attribute under input.request, but rather the spec is placed right under it.
Tried again: https://play.openpolicyagent.org/p/ct4wlWvgps I am getting the same output, not sure what this means.
Looking closer, there isn't even a request object in your input. You'd need to add both that and object if you want to mimic an AdmissionReview request.
This seems to be a correct input, but the result is still the same. https://play.openpolicyagent.org/p/bi0iR3n4kx
There is no operation in the input of your request.
https://play.openpolicyagent.org/p/aSPRSRElHq Same output. @anderseknert I am not sure what I am doing wrong.
Your policy is right, but your data isn't. The operation attribute needs to be under input.request, not input.request.object. Though in this latest version of your data you seem to also have removed the nodeSelector from the pod spec, so you'll need to add that back too in order for the deny rule to evaluate.
https://play.openpolicyagent.org/p/gz38aKkPF5 This is working as expected, it seems.
Yes, the policy was correct but your input data wasn't. I guess you can close the issue now :)
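To pin down the input shape the thread settled on (operation and object under input.request, the pod spec under input.request.object), here is an added example that is not from the issue: the deny rule extended to CREATE and UPDATE, together with OPA unit tests driven by a constructed AdmissionReview-style input. The nodeSelector value and container are made-up sample data; run it with `opa test -v` on the file.

```rego
package kubernetes.admission

# Deny pods that declare a nodeSelector, on both CREATE and UPDATE requests.
deny[reason] {
    input.request.kind.kind == "Pod"
    allowed_ops := {"CREATE", "UPDATE"}
    allowed_ops[input.request.operation]
    input.request.object.spec.nodeSelector
    reason := "pod with nodeselector not allowed at the specified location"
}

# Constructed AdmissionReview-shaped input (sample values, not from a cluster):
# operation sits under request, and the pod spec sits under request.object.
pod_with_selector := {
    "request": {
        "kind": {"kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "spec": {
                "nodeSelector": {"disktype": "ssd"},
                "containers": [{"name": "app", "image": "nginx"}],
            },
        },
    },
}

test_pod_with_node_selector_denied {
    count(deny) == 1 with input as pod_with_selector
}

test_update_with_node_selector_denied {
    updated := object.union(pod_with_selector, {"request": {"operation": "UPDATE"}})
    count(deny) == 1 with input as updated
}

# The shape from earlier in the thread: spec placed directly under request,
# with no request.object. The rule cannot see the selector, so deny stays empty.
test_spec_under_request_not_matched {
    misplaced := {"request": {
        "kind": {"kind": "Pod"},
        "operation": "CREATE",
        "spec": pod_with_selector.request.object.spec,
    }}
    count(deny) == 0 with input as misplaced
}

test_pod_without_node_selector_allowed {
    plain := json.remove(pod_with_selector, ["request/object/spec/nodeSelector"])
    count(deny) == 0 with input as plain
}
```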
@anderseknert I tried using this policy in my Kubernetes cluster; I was able to create pods even with a nodeSelector, so this policy seems not to work.
Not sure how you come to that conclusion after having verified the policy with real input data. It seems more likely that something is missing in your admission controller webhook configuration.
I have used the following webhook config:
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
  name: opa-validating-webhook
webhooks:
  - name: validating-webhook.openpolicyagent.org
    namespaceSelector:
      matchExpressions:
      - key: openpolicyagent.org/webhook
        operator: NotIn
        values:
        - ignore
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: [""]
        resources: ["*"]
    clientConfig:
      caBundle: something
      service:
        namespace: opa
        name: opa
Have you been following the steps outlined in the tutorial here?
I am following this tutorial: https://www.openpolicyagent.org/docs/latest/kubernetes-tutorial/#3-deploy-opa-on-top-of-kubernetes
I got annotation status OK. Is it because of the deprecated v1beta version in the webhook file? I am using minikube for a PoC; really stuck here.
Going to close this for now since it's been almost a year. Did you manage to solve this eventually?