kube-mgmt: trouble loading policy, kube-mgmt logs throwing error

I am trying to roll out OPA with the Helm chart. The chart was successfully rolled out, but now I am having trouble enforcing the policy.

Versions: Kubernetes v1.15.6, OPA opa:0.15.1, kube-mgmt 0.10

What happened: my config map looks like this

Name:         admission-control
Namespace:    opa-test
Labels:       openpolicyagent.org/policy=rego
Annotations:  openpolicyagent.org/policy-status: {"status":"ok"}

Data
====
admission-policy.rego:
----
package kubernetes.admission

deny[reason] {
  some container
  input_containers[container]
  not startswith(container.image, "docker-integration.cernerrepos.net")
  reason := "container image refers to wrong registry, must be from docker-integration.cernerrepos.net"
}

input_containers[container] {
  container := input.request.object.spec.containers[_]
}

input_containers[container] {
  container := input.request.object.spec.template.spec.containers[_]
}

Events:  <none>

      - name: mgmt
        image: openpolicyagent/kube-mgmt:0.10
        imagePullPolicy: IfNotPresent
        resources: {}
        args:
          - --opa-auth-token-file=/bootstrap/mgmt-token
          - --opa-url=http://127.0.0.1:8181/v1
          - --replicate-path=kubernetes
          - --enable-data=false
          - --enable-policies=true
          - --policies=opa-test
          - --require-policy-label=true

I went ahead and looked up my kube-mgmt logs, and they show:

time="2020-01-27T22:55:11Z" level=warning msg="First line of log stream."
E0127 23:03:12.799556       1 streamwatcher.go:109] Unable to decode an event from the watch stream: unable to decode watch event: no kind "Status" is registered for version "v1" in scheme "github.com/open-policy-agent/kube-mgmt/pkg/configmap/configmap.go:102"
E0127 23:04:53.804350       1 streamwatcher.go:109] Unable to decode an event from the watch stream: unable to decode watch event: no kind "Status" is registered for version "v1" in scheme "github.com/open-policy-agent/kube-mgmt/pkg/configmap/configmap.go:102"

What you expected to happen:

Expected the policy to be enforced

I am not sure about these logs I am seeing here in kube-mgmt.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 33 (15 by maintainers)
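
An added example, not part of the original issue or of the OPA project: a Python model of the posted deny rule, run over constructed AdmissionReview inputs, showing which object shapes the two input_containers rules cover and how a plain prefix test treats a hostname that only begins with the registry name. The `deny_host` variant, the helper names and every sample object are assumptions made for illustration.

```python
# Added illustration: models admission-policy.rego in Python (not the project's code).
REGISTRY = "docker-integration.cernerrepos.net"  # registry host named in the policy

def input_containers(review):
    """Mirror both input_containers rules: bare Pods and templated workloads."""
    spec = review.get("request", {}).get("object", {}).get("spec", {})
    found = list(spec.get("containers", []))
    found += spec.get("template", {}).get("spec", {}).get("containers", [])
    return found

def _denied(review, prefix):
    # Returns the offending images; the Rego rule returns a reason string instead.
    images = (c.get("image", "") for c in input_containers(review))
    return [img for img in images if not img.startswith(prefix)]

def deny_prefix(review):
    """The rule as posted: startswith(container.image, REGISTRY)."""
    return _denied(review, REGISTRY)

def deny_host(review):
    """Stricter variant (assumption): the registry host must be followed by '/'."""
    return _denied(review, REGISTRY + "/")

def _review(spec):
    # Constructed AdmissionReview skeleton holding only the fields the policy reads.
    return {"request": {"object": {"spec": spec}}}

# Constructed sample inputs.
POD_OK = _review({"containers": [{"image": REGISTRY + "/team/app:1.0"}]})
DEPLOY_BAD = _review({"template": {"spec": {"containers": [{"image": "nginx:1.17"}]}}})
POD_LOOKALIKE = _review({"containers": [{"image": REGISTRY + ".example.org/app:1.0"}]})

if __name__ == "__main__":
    for name, obj in [("pod-ok", POD_OK), ("deploy-bad", DEPLOY_BAD),
                      ("pod-lookalike", POD_LOOKALIKE)]:
        print(name, "prefix:", deny_prefix(obj), "host:", deny_host(obj))
```

In Rego the stricter form corresponds to including the trailing slash in the string passed to startswith.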

Most upvoted comments

Ah, that bundle part was really confusing and throwing me out. I tried to remove it but then I was getting a 404 because I was missing the main.rego config map. Got it now. Thank you for all your help and time. Really appreciate it!!! This is not very intuitive for a new user; I have seen some other people posting similar questions on their GitHub. So I will make a PR to update the Helm OPA README with this information.