Issue #187 - bug - gatekeeper expander - wrong event_type set for generated inform-gatekeeper-admission-* ConfigurationPolicy

[itewk]

Resolves issue #187

[dhaiducek]

/hold

[dhaiducek]

@itewk It's not actually incorrect. The event_type for admission events is indeed violation:

https://github.com/open-policy-agent/gatekeeper/blob/0a4851a975d25003218a23b8a70217f759f2454f/pkg/webhook/policy.go#L297

However, we'd welcome a contribution to add the violation_audit to the expander.

[mprahl]

Thanks for catching that @dhaiducek!

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: itewk
Once this PR has been reviewed and has the lgtm label, please ask for approval from dhaiducek. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dhaiducek]

The simplest thing might be to just add it as another object-template. What would you think of that, @itewk?

Suggested change

	},
	},
	{
	"complianceType": "mustnothave",
	"objectDefinition": map[string]interface{}{
	"apiVersion": "v1",
	"kind": "Event",
	"annotations": map[string]interface{}{
	"constraint_action": "deny",
	"constraint_kind": constraintKind,
	"constraint_name": constraintName,
	"event_type": "violation_audited",
	},
	},
	},

[itewk]

yeah. but im also fighting with the hard coded namespaceSelector and the note left behind about "futer improvements needed". its annoying having namepsaces /excludedNamespaces set in my constraint (both at the gatekeeper and OPM level) but then those don't propigate to the generated ConfigurationPolicy(s) which ar harded cluded eclude/includes.

i am going to keep playing with it to see if i can get the behavor i would expect.

[itewk]

aaah. okay.