I have created the Constraint and ConstraintTemplate, and there is no error on the Constraint.
Constraint:

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DenySensitiveEnvVarsV1
metadata:
  creationTimestamp: '2025-03-13T10:50:01Z'
  generation: 2
  labels:
    k8slens-edit-resource-version: v1beta1
  name: devops-test-ground-deny-sensitive-env-vars
  resourceVersion: '733233260'
  uid: 7a40dae8-9d19-44a0-b80c-bca301a521aa
  selfLink: >-
    /apis/constraints.gatekeeper.sh/v1beta1/denysensitiveenvvarsv1/devops-test-ground-deny-sensitive-env-vars
status:
  auditTimestamp: '2025-03-13T11:37:15Z'
  byPod:
    - constraintUID: 7a40dae8-9d19-44a0-b80c-bca301a521aa
      enforced: true
      id: gatekeeper-audit-749b7d998c-zhn5x
      observedGeneration: 2
      operations:
        - audit
        - generate
        - mutation-status
        - status
    - constraintUID: 7a40dae8-9d19-44a0-b80c-bca301a521aa
      enforced: true
      id: gatekeeper-controller-manager-576cb787d9-4pfsx
      observedGeneration: 2
      operations:
        - mutation-webhook
        - webhook
    - constraintUID: 7a40dae8-9d19-44a0-b80c-bca301a521aa
      enforced: true
      id: gatekeeper-controller-manager-576cb787d9-cx27l
      observedGeneration: 2
      operations:
        - mutation-webhook
        - webhook
    - constraintUID: 7a40dae8-9d19-44a0-b80c-bca301a521aa
      enforced: true
      id: gatekeeper-controller-manager-576cb787d9-hqjgn
      observedGeneration: 2
      operations:
        - mutation-webhook
        - webhook
  totalViolations: 0
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups:
          - ''
        kinds:
          - Pod
    namespaces:
      - devops-test-ground
  parameters:
    payload:
      - KEY
      - PASS
      - SECRET
      - CODE
      - TOKEN
      - AUTH
    skip_checking_for: []
```
ConstraintTemplate:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  creationTimestamp: '2025-03-13T10:48:45Z'
  generation: 13
  name: denysensitiveenvvarsv1
  resourceVersion: '733234068'
  uid: 0d59df00-d2a0-4117-85e9-f9e56ef758c4
  selfLink: /apis/templates.gatekeeper.sh/v1/constrainttemplates/denysensitiveenvvarsv1
status:
  byPod:
    - id: gatekeeper-audit-749b7d998c-zhn5x
      observedGeneration: 13
      operations:
        - audit
        - generate
        - mutation-status
        - status
      templateUID: 0d59df00-d2a0-4117-85e9-f9e56ef758c4
    - id: gatekeeper-controller-manager-576cb787d9-4pfsx
      observedGeneration: 13
      operations:
        - mutation-webhook
        - webhook
      templateUID: 0d59df00-d2a0-4117-85e9-f9e56ef758c4
    - id: gatekeeper-controller-manager-576cb787d9-cx27l
      observedGeneration: 13
      operations:
        - mutation-webhook
        - webhook
      templateUID: 0d59df00-d2a0-4117-85e9-f9e56ef758c4
    - id: gatekeeper-controller-manager-576cb787d9-hqjgn
      observedGeneration: 13
      operations:
        - mutation-webhook
        - webhook
      templateUID: 0d59df00-d2a0-4117-85e9-f9e56ef758c4
  created: true
spec:
  crd:
    spec:
      names:
        kind: DenySensitiveEnvVarsV1
      validation:
        legacySchema: false
        openAPIV3Schema:
          properties:
            payload:
              items:
                type: string
              type: array
            skip_checking_for:
              items:
                type: string
              type: array
          required:
            - payload
          type: object
  targets:
    - rego: |
        package k8s_deny_sensitive_env_vars
        violation[{"msg": msg}] {
          print(input)
          msg := sprintf("%v", input)
        }
      target: admission.k8s.gatekeeper.sh
```
I expect this constraint to simply block all pod creation in the devops-test-ground NS.

But I can still create pods without being blocked. I have set `--log-level=DEBUG` on the manager container in the gatekeeper-controller-manager deployment, and I don't see `print(input)` being run. However, if I change `msg := sprintf("%v", input)` to `msg := input`, I can see an error message saying something like "OPA cannot map object as string" (i.e. OPA is running the constraint for sure, but it is neither printing input nor blocking the pod from being created).

Why?
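The template below is an added example and not the asker's code: a version of the same ConstraintTemplate whose Rego implements the policy the constraint's parameters describe. Two points of its semantics are assumptions, since the post does not define them: `payload` is treated as a list of case-insensitive substrings to look for in container env var names, and `skip_checking_for` as a list of env var names to exempt. The one change that matters for the posted rule is the `sprintf` call. OPA's `sprintf` takes its values as an array, so it has to be `sprintf("%v", [input])`, not `sprintf("%v", input)`: with a non-array second operand the built-in raises a type error, OPA treats a built-in error as an undefined expression unless strict built-in errors are enabled, the rule body therefore never yields a violation, and the pod is admitted. That is consistent with what the post observes (no deny, no error), and with the error appearing only once `msg := input` hands Gatekeeper an object where it expects a string.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: denysensitiveenvvarsv1
spec:
  crd:
    spec:
      names:
        kind: DenySensitiveEnvVarsV1
      validation:
        openAPIV3Schema:
          type: object
          required:
            - payload
          properties:
            payload:
              type: array
              items:
                type: string
            skip_checking_for:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8s_deny_sensitive_env_vars

        # Debugging variant of the posted rule, corrected. The second operand of
        # sprintf must be an array, so `input` is wrapped in brackets. Left
        # commented out because it would deny every matched pod.
        #
        # violation[{"msg": msg}] {
        #   msg := sprintf("%v", [input])
        # }

        # All containers in the reviewed pod (regular, init and ephemeral).
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }
        containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        # Assumption: skip_checking_for lists exact env var names to exempt.
        # If the parameter is absent, the body is undefined and nothing is skipped.
        skipped(name) {
          input.parameters.skip_checking_for[_] == name
        }

        # Assumption: payload entries are case-insensitive substrings matched
        # against env var names (e.g. "KEY" matches API_KEY and apiKey).
        violation[{"msg": msg}] {
          c := containers[_]
          env := c.env[_]
          not skipped(env.name)
          needle := input.parameters.payload[_]
          contains(upper(env.name), upper(needle))
          msg := sprintf("container %q sets env var %q, which matches forbidden pattern %q", [c.name, env.name, needle])
        }
```

With this template applied and the posted Constraint left unchanged, a pod in `devops-test-ground` whose container carries `env: [{name: API_KEY, value: x}]` is rejected at admission with the message above, while the same pod with `API_KEY` listed under `skip_checking_for` is admitted. If the intent is to flag secrets pasted as literals rather than any sensitive-looking name, an additional `not env.valueFrom` condition in the violation rule would exempt variables sourced from Secrets or ConfigMaps; that refinement is not part of the posted policy.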