Gator does not return the same status code for the same given context #3772
Status: Closed
Linked: open-policy-agent/frameworks#510
Labels: bug (Something isn't working)
Description
What steps did you take and what happened:
If you provide 2 constraints with the same metadata.name and same spec.match but with different spec.enforcementActions, then the return code is either 0 or 1.
For example, given the following resources:
```yaml
# resources.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyname
spec:
  crd:
    spec:
      names:
        kind: K8sDenyName
      validation:
        openAPIV3Schema:
          properties:
            invalidName:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynames
        violation[{"msg": msg}] {
          input.review.object.metadata.name == input.parameters.invalidName
          msg := sprintf("The name %v is not allowed", [input.parameters.invalidName])
        }
---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenylabel
spec:
  crd:
    spec:
      names:
        kind: K8sDenyLabel
      validation:
        openAPIV3Schema:
          properties:
            invalidName:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenylabel
        violation[{"msg": msg}] {
          input.review.object.metadata.labels.something == input.parameters.invalidName
          msg := sprintf("The label %v is not allowed", [input.parameters.invalidName])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyName
metadata:
  name: default
spec:
  enforcementAction: warn
  match:
    kinds:
      - kinds: ["Namespace"]
  parameters:
    invalidName: "policy-violation"
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyLabel
metadata:
  name: default
spec:
  enforcementAction: deny
  match:
    kinds:
      - kinds: ["Namespace"]
  parameters:
    invalidName: "policy-violation"
---
apiVersion: v1
kind: Namespace
metadata:
  name: policy-violation
  labels:
    something: 'allowed'
```

We expect the label to be allowed and the name to be denied, but since the K8sDenyName/default enforcement action is warn, gator should return 0, not 1.
But it's not always the case:

```console
$> for i in $(seq 10); do gator test -f resources.yaml; echo "return: $?"; done
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 0
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 1
v1/Namespace policy-violation: ["default"] Message: "The name policy-violation is not allowed"
return: 0
```

What did you expect to happen:
Gator should always return 0 in this case.
Anything else you would like to add:
If the constraint names are different, it works as expected.
Environment:
- Gatekeeper version: v3.19.0-beta.1.0.20241230191800-78733fac9edf
- Kubernetes version (use `kubectl version`): NA
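The Go program below is an added illustration written for this page; it is not gator's code, it is not the reporter's, and the issue itself does not state the root cause. It assumes, as a hypothesis consistent with what the report shows (two kinds sharing `metadata.name` misbehave, distinct names work), that each violation is joined back to its constraint's `enforcementAction` through a lookup key. It contrasts keying on `metadata.name` alone, which lets `K8sDenyName/default` and `K8sDenyLabel/default` collide, with keying on kind plus name, which yields the expected exit code of 0 for the report's fixture. The type names, `KeyFunc` variants and the `Fixture` data are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constraint holds the fields of a Gatekeeper constraint that matter when
// computing an exit code: kind, metadata.name and spec.enforcementAction.
// (Constructed for this illustration; not gator's own types.)
type Constraint struct {
	Kind              string
	Name              string
	EnforcementAction string // "deny", "warn" or "dryrun"
}

// Violation is one result of evaluating a constraint against a reviewed
// object. The aggregator must join it back to a Constraint to learn whether
// the violation is fatal.
type Violation struct {
	ConstraintKind string
	ConstraintName string
	Message        string
}

// KeyFunc decides what identifies a constraint in the lookup table.
type KeyFunc func(kind, name string) string

// KeyByName is the ambiguous choice: constraints of different kinds that
// share metadata.name collide, and one silently overwrites the other.
func KeyByName(_ string, name string) string { return name }

// KeyByKindAndName is unambiguous: kind and name together are unique.
func KeyByKindAndName(kind, name string) string { return kind + "/" + name }

// IndexConstraints builds the lookup table and reports how many constraints
// were lost to key collisions, so a caller can refuse to guess.
func IndexConstraints(cs []Constraint, key KeyFunc) (map[string]Constraint, int) {
	idx := make(map[string]Constraint, len(cs))
	collisions := 0
	for _, c := range cs {
		k := key(c.Kind, c.Name)
		if _, exists := idx[k]; exists {
			collisions++
		}
		idx[k] = c
	}
	return idx, collisions
}

// ExitCode applies the rule the report expects: exit 1 only when at least one
// violation belongs to a constraint whose enforcementAction is "deny".
// An ambiguous or unresolvable lookup is an error rather than a coin flip.
func ExitCode(cs []Constraint, vs []Violation, key KeyFunc) (int, error) {
	idx, collisions := IndexConstraints(cs, key)
	if collisions > 0 {
		return 1, fmt.Errorf("%d constraint(s) share a lookup key; refusing to compute an exit code", collisions)
	}
	code := 0
	for _, v := range vs {
		c, ok := idx[key(v.ConstraintKind, v.ConstraintName)]
		if !ok {
			return 1, fmt.Errorf("violation refers to unknown constraint %s/%s", v.ConstraintKind, v.ConstraintName)
		}
		if strings.EqualFold(c.EnforcementAction, "deny") {
			code = 1
		}
	}
	return code, nil
}

// Fixture mirrors the two constraints in the report: both named "default",
// one warn and one deny. (Constructed to match resources.yaml above.)
func Fixture() []Constraint {
	return []Constraint{
		{Kind: "K8sDenyName", Name: "default", EnforcementAction: "warn"},
		{Kind: "K8sDenyLabel", Name: "default", EnforcementAction: "deny"},
	}
}

// FixtureViolations is the single violation gator printed in the report:
// the namespace name matched K8sDenyName; its label did not match K8sDenyLabel.
func FixtureViolations() []Violation {
	return []Violation{
		{ConstraintKind: "K8sDenyName", ConstraintName: "default",
			Message: "The name policy-violation is not allowed"},
	}
}

func main() {
	code, err := ExitCode(Fixture(), FixtureViolations(), KeyByKindAndName)
	fmt.Println("kind/name key:", code, err)
	code, err = ExitCode(Fixture(), FixtureViolations(), KeyByName)
	fmt.Println("name-only key:", code, err)
}
```

With the kind/name key the warn-only violation resolves to exit 0 every run; with the name-only key the index drops one of the two "default" constraints, and whichever survives decides the exit code. Surfacing that collision as an error is the defensive choice for a CI gate, since a silent overwrite can turn a warn into a deny or, worse, a deny into a warn.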