Reputation: 21
package kubernetes.admission

import data.kubernetes.namespaces

deny[msg] {
    input.request.kind.kind == "Pod"
    input.request.operation == "CREATE"
    container := input.request.object.spec.containers[_]
    # Split "name:tag"; the name part is not needed, so bind it to _ instead of an unused variable
    [_, image_tag] := split(container.image, ":")
    image_tag == "latest"
    # sprintf takes a format string and an argument array; a lone string is a compile error
    msg := sprintf("Invalid image tag: %v", [container.image])
}
kubectl create configmap registry-whitelist --from-file image-checker.rego
The default namespace in my current context is opa.
Pods with latest tags are created successfully; they are not rejected.
I followed these tips https://www.openpolicyagent.org/docs/latest/kubernetes-debugging/ .
So, it is expected that the created configmap registry-whitelist has an openpolicyagent.org/policy-status annotation; however, its value is <none>. I have also checked the logs of the kube-mgmt container, but they didn't help me. The only interesting log I get is when I try to delete the configmap registry-whitelist; then I can see the following log:
level=error msg="Failed to delete policy opa/registry-whitelist/image-checker.rego: code resource_not_found: storage_not_found_error: policy id "opa/registry-whitelist/image-checker.rego""
Upvotes: 1
Views: 467
Reputation: 21
Problem solved: actually my policy, which is written in Rego, had some errors; this is why kube-mgmt took some time before adding the annotations to the newly created configmap. After a while I found an annotation saying that my policy had errors.
Upvotes: 1
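As an added example (not code from the question or answer above): a local test file that would have surfaced the policy errors before the configmap was ever created. It assumes the policy is saved as image-checker.rego and this file sits beside it as image-checker_test.rego; `opa check image-checker.rego` reports compile errors and `opa test .` runs the tests, so both can run before `kubectl create configmap`.

```rego
package kubernetes.admission

# Constructed AdmissionReview-shaped input, the same shape the deny rule reads.
review_for(image) = review {
    review := {"request": {
        "kind": {"kind": "Pod"},
        "operation": "CREATE",
        "object": {"spec": {"containers": [{"name": "app", "image": image}]}},
    }}
}

latest_review = r { r := review_for("nginx:latest") }
pinned_review = r { r := review_for("nginx:1.25.3") }
untagged_review = r { r := review_for("nginx") }

# A pod whose single container uses the "latest" tag must yield exactly one deny message.
test_latest_tag_denied {
    count(deny) == 1 with input as latest_review
}

# A pinned tag yields no deny messages.
test_pinned_tag_allowed {
    count(deny) == 0 with input as pinned_review
}

# Caveat: an image with no tag resolves to "latest" at the registry, but split()
# returns a one-element array, so the two-element pattern in the policy never
# matches and the pod is not rejected. This test documents that gap.
test_untagged_image_not_caught {
    count(deny) == 0 with input as untagged_review
}
```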