due to company policies I have to replace my Kyverno rules by OPA ones. One of my rule is, that I want to add all pods of a specific namespace to our service-mesh (we're using Kuma) So for this I have to add the following annotations/labels
metadata:
labels:
kuma.io/mesh: mesh
annotations:
kuma.io/sidecar-injection: enabled
so my gatekeeper rule looks the following (it is WIP ;) )
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: AssignMetadata
metadata:
name: demo-annotation-owner
spec:
match:
scope: Namespaced
kinds:
- apiGroups: [""]
kinds: ["Pod"]
location: "metadata.annotations.kuma.io/sidecar-injection"
parameters:
assign:
value: "enabled"
the request gets rejected with the following error in the kube-apiserver
rejected by webhook "validation.gatekeeper.sh": &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:"", Continue:"", RemainingItemCount:(*int64)(nil)}, Status:"Failure", Message:"admission webhook \"validation.gatekeeper.sh\" denied the request: invalid location format for AssignMetadata demo-annotation-owner: metadata.annotations.kuma.io/sidecar-injection: unexpected token: expected '.' or eof, got: ERROR: \"/\"", Reason:"", Details:(*v1.StatusDetails)(nil), Code:422}}
Replacing the location by metadata.annotations.test is accepted by the apiserver, but that does not help me much as you can imagine.
So my question is - did I do a big flaw or what is the way of creating annotations/labels in OPA by the mutating webhook with a slash in it's name?
Many thanks
Just replace the slash /
by ~1
location: "metadata.annotations.kuma.io~1sidecar-injection"
Or wrap it by ""
location: 'metadata.annotations."kuma.io/sidecar-injection"'