docs:Testing Policies for kubernetes.admission is misleading #1794

lxlxok · 2019-09-27T02:01:37Z

Doc in this page is misleading, https://www.openpolicyagent.org/docs/latest/kubernetes-primer/

Expected Behavior

Test case should not be affected by other policies in the same package.
Policy should looks like:

deny[msg] {  
image_deny
}

image_deny {
......
}

Test case should looks like:

test_image_safety {
...
   image_deny with input as unsafe_image 
}

Actual Behavior

https://play.openpolicyagent.org/p/Zdg4K921Vt

Since all the policy is logical disjunction. If we check test case throughcount(admission.deny) == 1 with input as unsafe_image we might have some problem, even the test case Pass.
Since the test case might be rejected by other policy in the same package kubernetes.admission

The text was updated successfully, but these errors were encountered:

tsandall · 2019-09-27T14:04:11Z

That's fair, however, I think we want the first example policy on the page to be as simple as possible. Factoring the logic into a helper rule might be a good idea but it also makes the first example more complicated. What we can do here is update the test to check for a specific message in the deny set so that other deny rules don't affect it.

…

On Thu, Sep 26, 2019 at 10:01 PM Xiao Li ***@***.***> wrote: Doc in this page is misleading, https://www.openpolicyagent.org/docs/latest/kubernetes-primer/ Expected Behavior Test case should not be affected by other policies in the same package. Policy should looks like: deny[msg] { image_deny } image_deny { ...... } Test case should looks like: test_image_safety { ... image_deny with input as unsafe_image } Actual Behavior https://play.openpolicyagent.org/p/Zdg4K921Vt Since all the policy is logical disjunction. If we check test case throughcount(admission.deny) == 1 with input as unsafe_image we might have some problem, even the test case Pass. Since the test case might be rejected by other policy in the same package kubernetes.admission — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#1794?email_source=notifications&email_token=AAB2KJM57DXXEX7V267NADLQLVSQFA5CNFSM4I3A4BK2YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HOBDJAA>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAB2KJMGSP4JVQY7N7CKFELQLVSQFANCNFSM4I3A4BKQ> .

-- -Torin

Fixes open-policy-agent#1794 Signed-off-by: Torin Sandall <torinsandall@gmail.com>

Fixes #1794 Signed-off-by: Torin Sandall <torinsandall@gmail.com>

tsandall added a commit to tsandall/opa that referenced this issue Sep 27, 2019

docs: Update Kubernetes primer test to avoid false-positives

63961d7

Fixes open-policy-agent#1794 Signed-off-by: Torin Sandall <torinsandall@gmail.com>

tsandall mentioned this issue Sep 27, 2019

docs: Update Kubernetes primer test to avoid false-positives #1795

Merged

tsandall closed this as completed in #1795 Sep 27, 2019

tsandall added a commit that referenced this issue Sep 27, 2019

docs: Update Kubernetes primer test to avoid false-positives

e542840

Fixes #1794 Signed-off-by: Torin Sandall <torinsandall@gmail.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs:Testing Policies for kubernetes.admission is misleading #1794

docs:Testing Policies for kubernetes.admission is misleading #1794

lxlxok commented Sep 27, 2019 •

edited

Loading

tsandall commented Sep 27, 2019 via email

docs:Testing Policies for kubernetes.admission is misleading #1794

docs:Testing Policies for kubernetes.admission is misleading #1794

Comments

lxlxok commented Sep 27, 2019 • edited Loading

Expected Behavior

Actual Behavior

tsandall commented Sep 27, 2019 via email

lxlxok commented Sep 27, 2019 •

edited

Loading