Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rego policy with ExternalData Provider : undefined function external_data #854

Open
adriil opened this issue Aug 18, 2023 · 2 comments
Open

Rego policy with ExternalData Provider : undefined function external_data #854

adriil opened this issue Aug 18, 2023 · 2 comments
Labels
enhancement New feature or request question Further information is requested

Comments

@adriil
Copy link

adriil commented Aug 18, 2023
edited
Loading

Hi team,

I've a policy that uses external_data built-in function, but the compilation fails with undefined function external_data :

docker run --rm -v "${BASE}:/policies" "${CONFTEST_IMAGE}:v0.44.1" verify --report notes -p /policies/policy -d /policies/data

Error: running verification: load: loading policies: get compiler: 1 error occurred: /policies/policy/kubernetes/enforcesignedimage/policy.rego:28: rego_type_error: undefined function external_data
make: *** [conftest-test] Error 1
  • Policy :
package mypolicy

import data.lib.kubernetes

violation[{"msg": msg}] {
    # build a list of keys containing images
    images := containers[_].image
    count(images) > 0

    # send external data request
    response := external_data({"provider": "my-provider", "keys": images})

    response_with_error(response)
    msg := sprintf("Issue from provider : %v", [response])
}

response_with_error(response) {
    count(response.errors) > 0
}

response_with_error(response) {
    count(response.system_error) > 0
}

Does conftest support external_data or can we only use this along with Gatekeeper ? I understand that the actual call can't be done and will need to be mocked, but at least having the function recognised would help.

Thanks,
Adrien
@boranx
Copy link
Member

boranx commented Aug 21, 2023

Hi, thanks for reporting the issue

At first glance, this built-in is implemented for gatekeeper's internals: https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata/#motivation. Similar to external_data's functionality in gatekeeper, we could lean on OPA's http.send in Conftest and manually download/upload artifacts using http calls (it'd be supported by default, as long as it's not restricted via capabilities)

Nevertheless, if it's a must/nice-to-have requirement, then we could consider either adding this to Conftest built-ins: https://github.com/open-policy-agent/conftest/tree/master/builtins OR sending the built-in from gatekeeper to OPA upstream in a way Conftest could inherit as well

@boranx boranx added enhancement New feature or request question Further information is requested labels Aug 21, 2023
@pedroapero
Copy link

pedroapero commented Oct 19, 2023
edited
Loading

Hi, thanks for the hint @boranx.
I stumbled upon the same with is_exempt() (part of each lib_exclude_update.rego file in the gatekeeper library).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pedroapero @boranx @adriil