policy – unable to use opa gatekeeper for denying pods with latest tags in a specific namespace (prod) on kubernetes

Great that you are trying OPA, and gatekeeper.

By quickly looking at your code there are some things I would change:

  • Since you are passing Pods as a kind in your Constraint, there is no need to filter it in your Template. You are only passing in resources of kind: Pod.
  • Your violation rule defined the object input.review.object.spec.containers[i].image. This object is referring to the whole image attribute of the Pod resource. So, it would include /:. So, this would probably never only be latest. It would probably be a reference to a URL to a docker image. You probably need to parse out the tag in order to use it for comparison.
  • Regarding the issue you posted about namespaces: I think it is related to the fact that the match filter looks for a filter attribute called: namespaces, not namespace [https://github.com/open-policy-agent/gatekeeper/blob/master/README.md#constraints].

Good luck.
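As an added, worked version of the two fixes in the answer above (parse the tag out of the image reference, and use the plural namespaces key in the Constraint's match), not the asker's or the answerer's code: a Gatekeeper ConstraintTemplate plus a Constraint scoped to the prod namespace. The template name K8sDisallowedLatestTag is an assumption, and the policy goes one step beyond the answer by also flagging images with no tag at all, since Kubernetes pulls those as latest.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdisallowedlatesttag        # assumed name, not from the question
spec:
  crd:
    spec:
      names:
        kind: K8sDisallowedLatestTag
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdisallowedlatesttag

        violation[{"msg": msg}] {
          container := input.review.object.spec.containers[_]
          tag := image_tag(container.image)
          tag == "latest"
          msg := sprintf("container %v uses image %v with tag 'latest'", [container.name, container.image])
        }

        # Explicit tag: registry/repo:tag -> take the part after the last '/' and split on ':'
        image_tag(image) = tag {
          parts := split(image, "/")
          last := parts[count(parts) - 1]
          contains(last, ":")
          not contains(last, "@")   # repo@sha256:... is a digest, not a tag
          tag := split(last, ":")[1]
        }

        # No tag and no digest: Kubernetes defaults the tag to 'latest'
        image_tag(image) = "latest" {
          parts := split(image, "/")
          last := parts[count(parts) - 1]
          not contains(last, ":")
          not contains(last, "@")
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDisallowedLatestTag
metadata:
  name: no-latest-in-prod
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["prod"]           # plural key, as the answer points out
```

Note that Pods created by a Deployment land in the namespace of their ReplicaSet, so scoping the Constraint to prod is enough; the Rego itself does not need to look at the namespace.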
