chore: adding vap testing by JaydipGabani · Pull Request #618 · open-policy-agent/gatekeeper-library

JaydipGabani · 2024-12-27T23:39:01Z

What this PR does / why we need it:

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #574

Special notes for your reviewer:

ritazh · 2025-01-06T19:35:49Z

@@ -36,9 +36,9 @@ deploy:
 ifeq ($(POLICY_ENGINE), rego)


Can you add a comment here that only the first engine in the template gets used for evaluation UNLESS enableK8sNativeValidation=false which ensures the subsequent non-K8sNativeValidation engine gets used?

ritazh · 2025-01-06T19:37:02Z

-ifneq ($(GATEKEEPER_VERSION), 3.15.1)
 	helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper --create-namespace --version $(GATEKEEPER_VERSION) --set enableK8sNativeValidation=true
-endif
+else ifeq ($(POLICY_ENGINE), vap)


For these, since Gatekeeper webhook is a fallback for VAP, how do we ensure the failure resulted from VAP instead of the GK webhook?

We check the violation string to make sure it includes ValidatingAdmissionPolicy - https://github.com/open-policy-agent/gatekeeper-library/pull/618/files#diff-3b0266d06db240d302bf9febd17c09cf104dccce0bb2ee8e799e49c85f7082ffR96.

ritazh · 2025-01-06T19:41:54Z

@@ -36,9 +36,9 @@ deploy:
 ifeq ($(POLICY_ENGINE), rego)


In general, I think because we are not actually testing the error message, it's hard to tell which engine caused the violation and which enforcement point caused the failure. Not sure how hard it is to add that, could be a follow up issue/PR if you want to track it.

Since GK does not have fallback between engines, violations are thrown through CEL engine if it is enabled and CT has CEL. Otherwise the source of violation is rego engine.

Since GK does not have fallback between engines, violations are thrown through CEL engine if it is enabled and CT has CEL. Otherwise the source of violation is rego engine.

yea thats how it works today but if we ever expose priority like the issue you opened, then we need to test the actual violation message. maybe open an issue to track for future?

In this case, we may want to modify the violation message to include engine information as well. Since as of now the violation message is the same regardless of the engine used to evaluate CTs. IMO, I don't think users apart from CT authors would care about which engine is being used to enforce policies. And CT authors would only care to verify the logic written for policy, which I think can be attained with gator to test CT.

ritazh

LGTM

maxsmythe

LGTM

Signed-off-by: Jaydip Gabani <gabanijaydip@gmail.com>

stale · 2025-04-26T20:11:26Z