gator: null initContainers combined with securityContext MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). #3463

Open
zmedico opened this issue Jul 27, 2024 · 1 comment

zmedico commented Jul 27, 2024

What steps did you take and what happened:
With gator a null initContainers combined with securityContext MustNotExist pathTest triggers this error:

$ gator expand < <(yq -c . expansion-templates.yaml; yq -c . tetrisdefaultsecuritycontext-init.yaml; yq -c . cilium-dnsproxy_daemonset.yaml)
error expanding resources: error expanding resource cilium-dnsproxy: failed to mutate resultant resource cilium-dnsproxy-pod: mutation caaa4af9-4739-476a-9d3b-052fa2de87d9 for mutator Assign.mutations.gatekeeper.sh /tetrisdefaultsecuritycontext-init failed for Pod kube-system cilium-dnsproxy-pod: mismatch between path entry (type: List) and received object (type: <nil>). Path: [name: *]

gator-yaml-input.zip

This is the mutation which interacts badly with the null initContainers (also included in the attached zip file):

---
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: tetrisdefaultsecuritycontext-init
spec:
  applyTo:
  - groups:
    - ""
    kinds:
    - Pod
    versions:
    - v1
  location: spec.initContainers[name:*].securityContext
  parameters:
    assign:
      value:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - all
        privileged: false
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    pathTests:
    - condition: MustNotExist
      subPath: spec.initContainers[name:*].securityContext

What did you expect to happen:
Maybe it could behave as though the initContainers is missing when it is set to null.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Gatekeeper version: v3.16.3
  • Kubernetes version: (use kubectl version): v1.28.10
@zmedico zmedico added the bug Something isn't working label Jul 27, 2024
@zmedico zmedico changed the title gator: null securityContext combined with MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). gator: null initContainer combined with securityContext MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). Jul 27, 2024
@zmedico zmedico changed the title gator: null initContainer combined with securityContext MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). gator: null initContainers combined with securityContext MustNotExist pathTest triggers error: mismatch between path entry (type: List) and received object (type: <nil>). Jul 27, 2024
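
A possible pre-processing workaround for the report above, as an added example (not code from the issue or from Gatekeeper): it strips null-valued keys from each JSON document before the document is handed to `gator expand`, so an explicit `initContainers: null` reads as an absent field, which is the behaviour the report asks for. The function names and the sample manifest are constructed, and it assumes that dropping explicit nulls is acceptable for the manifests involved.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (not from the attached zip): explicit null initContainers.
const sampleDaemonSet = `{"kind":"DaemonSet","metadata":{"name":"cilium-dnsproxy"},` +
	`"spec":{"template":{"spec":{"initContainers":null,"containers":[{"name":"proxy"}]}}}}`

// pruneNulls deletes map keys whose value is JSON null, recursing through maps
// and lists. Null list elements are left in place so indexes do not shift.
func pruneNulls(v any) any {
	switch t := v.(type) {
	case map[string]any:
		for k, child := range t {
			if child == nil {
				delete(t, k)
			} else {
				t[k] = pruneNulls(child)
			}
		}
	case []any:
		for i := range t {
			t[i] = pruneNulls(t[i])
		}
	}
	return v
}

// normalize applies pruneNulls to one JSON document (e.g. a line from `yq -c .`).
func normalize(in []byte) ([]byte, error) {
	var doc any
	if err := json.Unmarshal(in, &doc); err != nil {
		return nil, err
	}
	return json.Marshal(pruneNulls(doc))
}

func main() {
	out, err := normalize([]byte(sampleDaemonSet))
	fmt.Println(string(out), err)
}
```
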

stale bot commented Sep 29, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 29, 2024
@ritazh ritazh removed the stale label Sep 30, 2024