Support DELETE operation type when generate VAP #3902

Open
@DahuK

Description

Describe the solution you'd like

We are trying to migrate Rego policies to VAP using this Integration with Kubernetes Validating Admission Policy. In our current testing, it appears that VAP rules for DELETE operations cannot be generated (possibly refer to L693). I am curious why other operation types (e.g., DELETE) are not yet supported here, and whether there is any plan to expand support for additional types? Thanks!

Anything else you would like to add:

This is our expected VAP policy, which is used to provide deletion protection for namespaces or other resource types:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: namespace-delete-protection
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["*"]
      apiVersions: ["*"]
      operations: ["DELETE"]
      resources: ["namespaces"]
  validations:
  - expression: '!oldObject.metadata.name.startsWith("xxxx")'
    messageExpression: '"Namespace " + oldObject.metadata.name + " is not allowed to be deleted."'

and the generated unavailable policy is below:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: gatekeeper-namespacesdeleteprotection
  ownerReferences:
  - apiVersion: templates.gatekeeper.sh/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: ConstraintTemplate
    name: namespacesdeleteprotection
spec:
  failurePolicy: Fail
  matchConditions:
  - expression: "\n\t!has(params.spec) ? true: (\n\t\t!has(params.spec.match) ? true:
      (\n\t\t\t!has(params.spec.match.excludedNamespaces) ? true : (\n\t\t\t\t[object,
      oldObject].exists(obj,\n\t\t\t\t\tobj != null && (\n\t\t\t\t\t\t// cluster-scoped
 ....
    name: gatekeeper_internal_match_kinds
  matchConstraints:
    matchPolicy: Equivalent
    namespaceSelector: {}
    objectSelector: {}
    resourceRules:
    - apiGroups:
      - '*'
      apiVersions:
      - '*'
      operations:
      - CREATE
      - UPDATE
      resources:
      - '*'
      scope: '*'
  paramKind:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: NamespacesDeleteProtection
 .....

Environment:

  • Gatekeeper version: v3.18.2
  • Kubernetes version: (use kubectl version): 1.32.1
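For reference, here is a hand-written DELETE-protection policy of the kind the issue describes, together with the ValidatingAdmissionPolicyBinding it needs before the API server enforces it. This is an added example, not the issue author's manifest and not anything Gatekeeper generates; the resource names and the `prod-` prefix / protected-namespace list are constructed for illustration. The point it shows beyond the issue text is that on a DELETE admission request `object` is null and only `oldObject` carries the resource, so every expression must read `oldObject`, and that a policy without a binding is inert.

```yaml
# Added example: native VAP (no Gatekeeper) that blocks deletion of selected namespaces.
# Names, the "prod-" prefix and the protected list are constructed placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: protected-namespace-delete          # assumed name
spec:
  failurePolicy: Fail                       # fail closed if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
    - apiGroups: [""]                       # namespaces live in the core API group
      apiVersions: ["v1"]
      operations: ["DELETE"]                # only DELETE requests reach this policy
      resources: ["namespaces"]
  validations:
  # On DELETE, `object` is null; the namespace being removed is `oldObject`.
  - expression: >-
      !(oldObject.metadata.name in ["kube-system", "kube-public"]) &&
      !oldObject.metadata.name.startsWith("prod-")
    messageExpression: '"Namespace " + oldObject.metadata.name + " is protected from deletion."'
    reason: Forbidden
---
# Without a binding the policy exists but is never enforced.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: protected-namespace-delete-binding  # assumed name
spec:
  policyName: protected-namespace-delete
  validationActions: [Deny]                 # reject the request (use Audit to only log)
```

To exercise it without touching anything, a server-side dry run such as `kubectl delete namespace prod-example --dry-run=server` goes through admission and should be rejected with the message above, while deleting a namespace outside the protected set is allowed. Using `Audit` instead of `Deny` in `validationActions` records violations in the audit log first, which is a safer way to roll out a delete-protection rule on a live cluster.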
