What steps did you take and what happened:
I installed Gatekeeper via the helm-chart with disableAudit: true.
I then created ConstraintTemplate manifests (example below).
At this point I expect kubectl get crd k8singressmeshonly.constraints.gatekeeper.sh to show up but it does not. The metric gatekeeper_constraint_templates{status="error"} shows an error for all my ConstraintTemplates.
I change disableAudit: false and do a helm upgrade to apply the audit Deployment.
As soon as audit pods come up, the ConstraintTemplate CRDs appear.
What did you expect to happen:
Gatekeeper install with disableAudit: true should allow ConstraintTemplates to function as expected.
Anything else you would like to add:
Example ConstraintTemplate
```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8singressmeshonly
spec:
  crd:
    spec:
      names:
        kind: K8sIngressMeshOnly
      validation:
        openAPIV3Schema:
          type: object
          properties: {}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8singressmeshonly
        violation[{"msg": msg}] {
          msg := sprintf("%v not allowed in mesh-only namespace %q", [input.review.kind.kind, input.review.object.metadata.namespace])
        }
```
Logs
{"level":"error","ts":1775156063.9511178,"logger":"controller","msg":"error adding template to watch registry","kind":"ConstraintTemplate","process":"constraint_template_controller","name":"k8singressmeshonly","crdName":"k8singressmeshonly.constraints.gatekeeper.sh","error":"getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=K8sIngressMeshOnly no matches for kind \"K8sIngressMeshOnly\" in version \"constraints.gatekeeper.sh/v1beta1\"","stacktrace":"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate.(*ReconcileConstraintTemplate).handleUpdate\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate/constrainttemplate_controller.go:508\ngithub.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate.(*ReconcileConstraintTemplate).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate/constrainttemplate_controller.go:434\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:216\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:461\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:296"}
{"level":"error","ts":1775156063.9511561,"logger":"controller","msg":"handle update error","kind":"ConstraintTemplate","process":"constraint_template_controller","template_name":"k8singressmeshonly","error":"getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=K8sIngressMeshOnly no matches for kind \"K8sIngressMeshOnly\" in version \"constraints.gatekeeper.sh/v1beta1\"","stacktrace":"github.com/open-policy-agent/gatekeeper/v3/pkg/controller/constrainttemplate.(*ReconcileConstraintTemplate).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/pkg/controller/constrainttemplate/constrainttemplate_controller.go:436\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:216\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:461\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:296"}
{"level":"error","ts":1775156063.9511933,"msg":"Reconciler error","controller":"constrainttemplate-controller","object":{"name":"k8singressmeshonly"},"namespace":"","name":"k8singressmeshonly","reconcileID":"4df701bf-10b6-45ae-9cf5-414c7a6e444d","error":"getting informer for kind: constraints.gatekeeper.sh/v1beta1, Kind=K8sIngressMeshOnly no matches for kind \"K8sIngressMeshOnly\" in version \"constraints.gatekeeper.sh/v1beta1\"","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:474\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:421\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/go/src/github.com/open-policy-agent/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:296"}
Environment:
- Gatekeeper version: v3.21.1
- Kubernetes version: (use kubectl version): v1.32.11
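
A log triage sketch for the failure reported above, added here as an example (it is not part of the original report or of Gatekeeper's code): it scans controller JSON log lines for the `no matches for kind` error and lists the ConstraintTemplates whose constraint kind the API server does not serve, so no Constraint of that kind can be created or enforced. The sample lines are constructed from the log format in the report with stack traces dropped, and `unresolved_templates` is a hypothetical helper name.

```python
import json
import re

# Error text as it appears in the report's logs (JSON-escaped quotes kept).
ERR = (r'"error":"getting informer for kind: constraints.gatekeeper.sh/v1beta1, '
       r'Kind=K8sIngressMeshOnly no matches for kind \"K8sIngressMeshOnly\" '
       r'in version \"constraints.gatekeeper.sh/v1beta1\""')

# Constructed sample input: the three message shapes from the report, plus
# an info line, an unrelated error and a non-JSON line.
SAMPLE_LOGS = [
    '{"level":"error","msg":"error adding template to watch registry","name":"k8singressmeshonly",' + ERR + '}',
    '{"level":"error","msg":"handle update error","template_name":"k8singressmeshonly",' + ERR + '}',
    '{"level":"error","msg":"Reconciler error","object":{"name":"k8singressmeshonly"},' + ERR + '}',
    '{"level":"info","msg":"constructed info line","name":"k8singressmeshonly"}',
    '{"level":"error","msg":"constructed unrelated error","name":"other","error":"timeout"}',
    'plain text line that is not JSON',
]

NO_MATCH = re.compile(r'no matches for kind "(?P<kind>[^"]+)" in version "(?P<gv>[^"]+)"')

def unresolved_templates(lines):
    """Return {template: {kind, group_version, count}} for templates whose
    generated constraint kind could not be resolved by the controller."""
    found = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in a mixed log stream
        if not isinstance(rec, dict) or rec.get("level") != "error":
            continue
        m = NO_MATCH.search(str(rec.get("error", "")))
        if not m:
            continue
        # The report's three messages carry the template name under different keys.
        name = (rec.get("template_name") or rec.get("name")
                or (rec.get("object") or {}).get("name"))
        if not name:
            continue
        entry = found.setdefault(
            name, {"kind": m["kind"], "group_version": m["gv"], "count": 0})
        entry["count"] += 1
    return found

if __name__ == "__main__":
    for name, info in unresolved_templates(SAMPLE_LOGS).items():
        print(f"{name}: {info['kind']} not served in {info['group_version']} "
              f"({info['count']} errors)")
```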