OPA Gatekeeper detects but doesn't deny


OPA Gatekeeper doesn't enforce the policy.

I have installed the policy from https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/disallowedrepos/template.yaml and applied the constraint https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/disallowedrepos/samples/repo-must-not-be-k8s-gcr-io/constraint.yaml

The problem I'm facing is that Gatekeeper detects the violation and writes it to the log but doesn't deny the creation of the resource. I can still create a pod with a wrong registry name.

apiVersion: v1
kind: Pod
metadata:
  name: kustomize-disallowed
spec:
  containers:
    - name: kustomize
      image: k8s.gcr.io/kustomize/kustomize:v3.8.9

Log file

{"level":"info","ts":1705611801.8987546,"logger":"controller",
"msg":"container <kustomize> has an invalid image repo <k8s.gcr.io/kustomize/kustomize:latest>,
 disallowed repos are [\"k8s.gcr.io/\"]",
"process":"audit","audit_id":"2024-01-18T21:03:20Z",
"details":{},"event_type":"violation_audited",
"constraint_group":"constraints.gatekeeper.sh",
"constraint_api_version":"v1beta1","constraint_kind":"K8sDisallowedRepos",
"constraint_name":"repo-must-not-be-k8s-gcr-io","constraint_namespace":"",
"constraint_action":"deny","constraint_annotations":{},"resource_group":"","resource_api_version":"v1",
"resource_kind":"Pod","resource_namespace":"default",
"resource_name":"kustomize-disallowed","resource_labels":null}

I installed Gatekeeper using this command:

kubectl apply -f  https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.14/deploy/gatekeeper.yaml
NAME                                            READY   STATUS    RESTARTS      AGE
gatekeeper-audit-7fb7b5997c-ksqlv               1/1     Running   1 (44m ago)   44m
gatekeeper-controller-manager-9b69bcf5d-7cxdw   1/1     Running   0             44m
gatekeeper-controller-manager-9b69bcf5d-d94kc   1/1     Running   0             44m
gatekeeper-controller-manager-9b69bcf5d-lgwd5   1/1     Running   0             44m

There are 0 answers
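Added example, not part of the question or of the Gatekeeper project: a small Python log triage helper that separates Gatekeeper audit findings from admission-webhook events. The log line in the question carries "process":"audit" and "event_type":"violation_audited", i.e. it was produced by the audit controller scanning resources that already exist in the cluster, not by the webhook rejecting a request in flight; the helper makes that distinction explicit. The second sample line, with "process":"admission" and "event_type":"violation", is a constructed record whose field values are an assumption about the webhook's log shape, not something taken from the question.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed sample input. Line 1 is the audit record from the question,
# re-joined onto a single line. Line 2 is a constructed line in the shape the
# admission webhook is assumed to emit when --log-denies is enabled; the field
# values "admission" / "violation" are assumptions, not taken from the question.
# Line 3 is a non-JSON line, to show that unstructured output is skipped.
SAMPLE_LOG: List[str] = [
    '{"level":"info","ts":1705611801.8987546,"logger":"controller",'
    '"msg":"container <kustomize> has an invalid image repo <k8s.gcr.io/kustomize/kustomize:latest>, '
    'disallowed repos are [\\"k8s.gcr.io/\\"]",'
    '"process":"audit","audit_id":"2024-01-18T21:03:20Z",'
    '"details":{},"event_type":"violation_audited",'
    '"constraint_group":"constraints.gatekeeper.sh",'
    '"constraint_api_version":"v1beta1","constraint_kind":"K8sDisallowedRepos",'
    '"constraint_name":"repo-must-not-be-k8s-gcr-io","constraint_namespace":"",'
    '"constraint_action":"deny","constraint_annotations":{},"resource_group":"","resource_api_version":"v1",'
    '"resource_kind":"Pod","resource_namespace":"default",'
    '"resource_name":"kustomize-disallowed","resource_labels":null}',
    '{"level":"info","ts":1705611900.0,"logger":"webhook",'
    '"msg":"denied admission: container <nginx> has an invalid image repo <k8s.gcr.io/nginx:1.25>",'
    '"process":"admission","event_type":"violation",'
    '"constraint_kind":"K8sDisallowedRepos","constraint_name":"repo-must-not-be-k8s-gcr-io",'
    '"constraint_action":"deny",'
    '"resource_kind":"Pod","resource_namespace":"default","resource_name":"nginx-denied"}',
    'plain text line that is not JSON and is skipped',
]


def parse_events(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON log lines, keeping only records that refer to a constraint."""
    events: List[Dict] = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured Gatekeeper record
        if not isinstance(rec, dict) or "constraint_name" not in rec:
            continue
        events.append(rec)
    return events


def phase_of(event: Dict) -> str:
    """Return which Gatekeeper component produced the event.

    'audit'     -> the audit controller found an already-existing resource that
                   violates a constraint; the resource was admitted earlier.
    'admission' -> the validating webhook evaluated a request in flight.
    """
    if event.get("process") == "audit" or event.get("event_type") == "violation_audited":
        return "audit"
    if event.get("process") == "admission":
        return "admission"
    return "unknown"


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count events per constraint name, split by the phase that produced them."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for ev in parse_events(lines):
        summary[ev["constraint_name"]][phase_of(ev)] += 1
    return dict(summary)


def audit_only_constraints(lines: Iterable[str]) -> List[str]:
    """Constraints with audit findings but no admission events in this log window.

    This is the symptom in the question: violations are reported after the fact
    by the audit controller, while nothing shows the webhook acting on a request.
    """
    return sorted(
        name for name, counts in summarize(lines).items()
        if counts["audit"] > 0 and counts["admission"] == 0
    )


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(f"{name}: audit={counts['audit']} admission={counts['admission']}")
    print("audit-only constraints:", audit_only_constraints(SAMPLE_LOG))
```

Feed it the output of `kubectl logs` from both the gatekeeper-audit pod and the gatekeeper-controller-manager pods. A constraint that shows only audit counts was not recorded as enforced at admission in that window, but an empty admission count is not proof by itself: the webhook only logs denies when the controller manager runs with `--log-denies`. The enforcement path is better confirmed directly, by checking that the Gatekeeper ValidatingWebhookConfiguration is present and that the constraint's `enforcementAction` is `deny`.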