Unable to deny namespace deletion.

[josephlim75]

What steps did you take and what happened:
Not able to prevent namespace deletion. Below are my OPA Gatekeeper version and constrainttemplate.

What did you expect to happen:
I expect when trying to delete a namespace, the constraint should prevent me from deleting.

Rego Template

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenynamespacedeletion
spec:
  crd:
    spec:
      names:
        kind: K8sDenyNamespaceDeletion
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynamespacedeletion

        violation[{"msg": msg, "details": {}}] {
          input.request.kind.kind == "Namespace"
          input.request.operation == "DELETE"
          msg := "Deletion of namespace is not allowed. It is in the list of prohibited namespaces."
        }

Policy enforcement

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyNamespaceDeletion
metadata:
  name: policy-k8sdenynamespacedeletion
spec:
  match:
    kinds:
    - apiGroups:
      - ""
      kinds:
      - Namespace

Test Scenario

Scenario 1

• OPA Helmchart config

disableValidatingWebhook: true
enableDeleteOperations: true

Resuilt

kubectl create namespace dev
kubectl delete namespace dev
(SUCCESS)

Scenario 2

• OPA Helmchart config

disableValidatingWebhook: false
enableDeleteOperations: true

Resuilt

kubectl create namespace dev

Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": context deadline exceeded

Anything else you would like to add:

I have check the deployment is success but i can't create namespace when validatingwebhook is enabled.

I have noticed that the DELETE operation did not add into namespace resource, i'm not sure if this is needed. Does ValidatingWebhook required when trying to prevent namespace deletion ?

https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml#L115

Some help would greatly appreciate because currently i couldn't get namespace delete operation prevented and it still allow namespace to be deleted.

Environment:

• Gatekeeper version: v3.15.1
• Kubernetes version: (use kubectl version):

Client Version: v1.28.7
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.16-eks-2f46c53

[JaydipGabani]

@josephlim75 I think there is a bug in rego in the template. Try below template -

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenynamespacedeletion
spec:
  crd:
    spec:
      names:
        kind: K8sDenyNamespaceDeletion
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenynamespacedeletion

        violation[{"msg": msg, "details": {}}] {
          input.review.kind.kind == "Namespace"
          input.review.operation == "DELETE"
          msg := "Deletion of namespace is not allowed. It is in the list of prohibited namespaces."
        }

To enable validation of DELETE requests, just set enableDeleteOperations to true.