Support DELETE operations #144

Closed
ritazh opened this issue Jun 18, 2019 · 6 comments · Fixed by #146
ritazh commented Jun 18, 2019

After updating the validation webhook config,

    - apiGroups:
      - '*'
      apiVersions:
      - '*'
      operations:
      - CREATE
      - UPDATE
      - DELETE
      resources:
      - '*'

the webhook returned this error:

    Error from server (admission.k8s.gatekeeper.sh: HandleViolation:NestedMap: .object accessor error: <nil> is of the type <nil>, expected map[string]interface{}
    ): admission webhook "validation.gatekeeper.sh" denied the request: admission.k8s.gatekeeper.sh: HandleViolation:NestedMap: .object accessor error: <nil> is of the type <nil>, expected map[string]interface{}

It seems AdmissionRequest's object is nil when operation: DELETE

    {"AdmissionRequest":{"uid":"bf47233e-9202-11e9-afd8-000d3a94fc72","kind":{"group":"","version":"v1","kind":"Namespace"},"resource":{"group":"","version":"v1","resource":"namespaces"},"name":"bad-prod-ns","namespace":"bad-prod-ns","operation":"DELETE","userInfo":{"username":"client","groups":["system:masters","system:authenticated"]},"object":null,"oldObject":null,"dryRun":false}}

ritazh self-assigned this Jun 18, 2019
ritazh added the bug (Something isn't working) label Jun 18, 2019

@maxsmythe
Contributor

nil object may create problems for the TargetHandler... either its golang code, its Rego, or both. I recommend tracing through that logic for any issues.

ritazh commented Jun 18, 2019

Yeah, we can't evaluate correctly without input.review.object. I'm still trying to figure out why the AdmissionRequest object is null.

@maxsmythe
Contributor

object is the value of the resultant object, which for DELETE is nothing.

The original object is under oldObject

ritazh commented Jun 19, 2019

both object and oldObject are null in AdmissionRequest

ritazh commented Jun 19, 2019

Looks like this issue kubernetes/kubernetes#66536 was fixed by kubernetes/kubernetes#76346 in k8s v1.15

From 1.15 docs:

    // object is the new object being admitted.
    // It is null for DELETE operations.
    "object": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    // oldObject is the existing object.
    // It is null for CREATE and CONNECT operations (and for DELETE operations in API servers prior to v1.15.0)
    "oldObject": {"apiVersion":"autoscaling/v1","kind":"Scale",...},
    // options contains the options for the operation being admitted, like meta.k8s.io/v1 CreateOptions, UpdateOptions, or DeleteOptions.
    // It is null for CONNECT operations.
    // Only sent by v1.15+ API servers.
    "options": {"apiVersion":"meta.k8s.io/v1","kind":"UpdateOptions",...},

@maxsmythe
Contributor

nice, I like that they fixed that
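
The object selection this thread converges on, as an added Go example (not Gatekeeper's code and not the fix in #146): use `oldObject` for DELETE, and return an explicit error when both fields are null, as on API servers prior to v1.15.0, instead of failing later on a nil `.object` accessor. The helper `objectToEvaluate`, the type and error names, and the two sample requests are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Subset of the AdmissionRequest fields shown in this thread.
type admissionReview struct {
	Request struct {
		Operation string          `json:"operation"`
		Object    json.RawMessage `json:"object"`
		OldObject json.RawMessage `json:"oldObject"`
	} `json:"AdmissionRequest"`
}

// errNoObject: the request carried neither payload (DELETE before v1.15.0).
var errNoObject = errors.New("request has no object to evaluate")

// Constructed samples modelled on the request in this thread.
const pre115Delete = `{"AdmissionRequest":{"operation":"DELETE","object":null,"oldObject":null}}`
const v115Delete = `{"AdmissionRequest":{"operation":"DELETE","object":null,"oldObject":{"kind":"Namespace","metadata":{"name":"bad-prod-ns"}}}}`

// objectToEvaluate (hypothetical helper) returns object for CREATE/UPDATE
// and oldObject for DELETE, or errNoObject when that payload is null/absent.
func objectToEvaluate(raw []byte) (map[string]interface{}, error) {
	var rev admissionReview
	if err := json.Unmarshal(raw, &rev); err != nil {
		return nil, err
	}
	src := rev.Request.Object
	if rev.Request.Operation == "DELETE" {
		src = rev.Request.OldObject
	}
	if len(src) == 0 || string(src) == "null" {
		return nil, errNoObject
	}
	var obj map[string]interface{}
	err := json.Unmarshal(src, &obj)
	return obj, err
}

func main() {
	for _, s := range []string{pre115Delete, v115Delete} {
		obj, err := objectToEvaluate([]byte(s))
		fmt.Println(obj["kind"], err)
	}
}
```

Whether `errNoObject` should allow or deny the request is a policy decision for the caller; the example only makes the condition explicit.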
