Bad Import Error #199
Replies: 2 comments
-
Hi @Vishnuvk007 Thanks for joining the OPA community. To help readers with this post, can you update the YAML file to be enclosed in a code block? Preserving the formatting is essential to debugging code. Next, let's try to pinpoint where the error is occurring. It could be on the Rego side or the k8s side. Can you validate your Rego in the playground? Once you have a working Rego policy, paste a link here and we can investigate further. Cheers!
-
The data needs to be replicated before it can be used, and is stored in data.inventory. See this docs page for details: For other Gatekeeper constraint templates like this, feel free to check out https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/general
-
Hello, I am new to OPA and Rego code and I am trying to implement a policy in my test environment. In the constraint template below, I am trying to import the resourcequota data configured in all of the namespaces of a cluster. The objective of the constraint template below is to deny pod creation if the namespace where it is supposed to be created does not have a resource quota defined.
Blog referred to create this template: https://www.magalix.com/blog/how-to-force-kubernetes-namespaces-to-have-resourcequotas-defined-using-opa
Image used for the constraint template below: openpolicyagent/gatekeeper:v3.8.1

`cat template.yaml`

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sresourcequota
spec:
  crd:
    spec:
      names:
        kind: K8sResourceQuota
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sresourcequota
        import data.kubernetes.resourcequotas
        violation[{"msg": msg}] {
          input.request.kind.kind == "Pod"
          # Extract the namespace from the request information
          requestns := input.request.object.metadata.namespace
          # Is it part of the existing resource quotas?
          existingrqs := {e | e := resourcequotas[_][_].metadata.namespace}
          not ns_exists(requestns,existingrqs)
          msg = sprintf("The Pod %v could not be created because the %v namespace does not have ResourceQuotas defined",[input.request.object.metadata.name,input.request.object.metadata.namespace])
        }
        ns_exists(ns,arr){
          arr[_] = ns
        }
```
But when I try to apply this file, I get the following error. Why is it showing bad import? Where can I check the types of import that can be included in the Rego code?

```
kubectl apply -f template.yaml
Error from server: error when creating "template.yaml": admission webhook "validation.gatekeeper.sh" denied the request: invalid ConstraintTemplate: invalid import: bad import
```
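The reply about replicated data in `data.inventory`, applied to the template in the question, as an added example (not code from this thread or from the Gatekeeper project). It assumes Gatekeeper is installed in the `gatekeeper-system` namespace; the `has_quota` helper and the constraint name are hypothetical, and the rule reads the admission request from `input.review`, which is where Gatekeeper exposes it.

```yaml
# Added example. Assumes Gatekeeper runs in the gatekeeper-system namespace.
# 1) Replicate ResourceQuota objects into Gatekeeper's cache (data.inventory).
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      - group: ""
        version: "v1"
        kind: "ResourceQuota"
---
# 2) Same policy with no import: the replicated data is read from data.inventory.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sresourcequota
spec:
  crd:
    spec:
      names:
        kind: K8sResourceQuota
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sresourcequota
        violation[{"msg": msg}] {
          input.review.kind.kind == "Pod"
          ns := input.review.object.metadata.namespace
          not has_quota(ns)
          msg := sprintf("The Pod %v could not be created because the %v namespace does not have ResourceQuotas defined", [input.review.object.metadata.name, ns])
        }
        # has_quota (hypothetical helper): true if any ResourceQuota is cached for ns.
        has_quota(ns) {
          data.inventory.namespace[ns]["v1"]["ResourceQuota"][_]
        }
---
# 3) Constraint that applies the template to Pods (name is a placeholder).
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sResourceQuota
metadata:
  name: pods-require-resourcequota
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
```

Until the sync has populated `data.inventory`, `has_quota` is false for every namespace, so every Pod matched by the constraint is rejected. Setting `enforcementAction: dryrun` on the constraint first lets the audit results show the effect before anything is blocked.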