Nomos vet fails to validate OPA Gatekeeper custom resource when ConstraintTemplate is in the same commit #1633
Description
When validating a set of Kubernetes configuration files using nomos vet, specifically involving OPA Gatekeeper resources, a validation failure occurs if a ConstraintTemplate (which defines a Custom Resource Definition) and a corresponding Constraint (an instance of the custom resource defined by the template) are present together in the same batch of files being validated (e.g., as part of a single commit or PR).
This behavior seems specific to Gatekeeper ConstraintTemplates. nomos vet does not exhibit the same failure when validating a standard CustomResourceDefinition object alongside an instance of its defined kind present in the same batch of files. It is likely that similar issues would occur with other tools that generate CRDs indirectly, such as kro.
This forces users to either split the ConstraintTemplate definition and its corresponding Constraint usage into separate commits/validation steps (which hinders atomic changes).
Steps to reproduce
- Install OPA gatekeeper
- run nomos vet on this example
kind: ConstraintTemplate
apiVersion: templates.gatekeeper.sh/v1
metadata:
name: validateuserinfo
spec:
crd:
spec:
names:
kind: ValidateUserInfo
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8svalidateuserinfo
violation[{"msg": msg}] {
username := input.review.userInfo.username
not startswith(username, "system:")
msg := sprintf("username is not allowed to perform this operation: %v", [username])
}
---
kind: ValidateUserInfo
apiVersion: constraints.gatekeeper.sh/v1
metadata:
name: always-validate- Error
Error: KNV1021: No CustomResourceDefinition is defined for the type "ValidateUserInfo.constraints.gatekeeper.sh" in the cluster.
Resource types that are not native Kubernetes objects must have a CustomResourceDefinition.
Config Sync will retry until a CustomResourceDefinition is defined for the type "ValidateUserInfo.constraints.gatekeeper.sh" in the cluster.
source: /workspaces/kpt-config-sync/philip/cluster/test.yaml
metadata.name: always-validate
group: constraints.gatekeeper.sh
version: v1
kind: ValidateUserInfo
For more information, see https://g.co/cloud/acm-errors#knv1021
Any ideas or thoughts on how we could unblock this? Maybe we could skip specific CRD API groups, or handle ConstraintTemplate similarly to how we handle CustomResourceDefinition. I would appreciate a workaround or fix as GKE "advertises" using Gatekeeper ConstraintTemplates and enabling Gatekeeper on a cluster with Policy Controller.