Tags: kubernetes, open-policy-agent

set annotation/label with slash (/) in mutating-webhook of opa-gatekeeper


Due to company policies I have to replace my Kyverno rules with OPA ones. One of my rules is that I want to add all pods of a specific namespace to our service mesh (we're using Kuma). So for this I have to add the following annotations/labels:

metadata:
  labels:
    kuma.io/mesh: mesh
  annotations:
    kuma.io/sidecar-injection: enabled

So my gatekeeper rule looks like the following (it is WIP ;) ):

apiVersion: mutations.gatekeeper.sh/v1beta1
kind: AssignMetadata
metadata:
  name: demo-annotation-owner
spec:
  match:
    scope: Namespaced
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  location: "metadata.annotations.kuma.io/sidecar-injection"
  parameters:
    assign:
      value: "enabled"

The request gets rejected with the following error in the kube-apiserver:

 rejected by webhook "validation.gatekeeper.sh": &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:"", Continue:"", RemainingItemCount:(*int64)(nil)}, Status:"Failure", Message:"admission webhook \"validation.gatekeeper.sh\" denied the request: invalid location format for AssignMetadata demo-annotation-owner: metadata.annotations.kuma.io/sidecar-injection: unexpected token: expected '.' or eof, got: ERROR: \"/\"", Reason:"", Details:(*v1.StatusDetails)(nil), Code:422}}

Replacing the location with metadata.annotations.test is accepted by the apiserver, but that does not help me much, as you can imagine.

So my question is: did I make a big mistake, or what is the way of creating annotations/labels in OPA via the mutating webhook with a slash in their name?

Many thanks


Solution

  • Just replace the slash / with ~1

      location: "metadata.annotations.kuma.io~1sidecar-injection"

    Or wrap it in ""

      location: 'metadata.annotations."kuma.io/sidecar-injection"'
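The two location forms from the answer, as an added example that is not code from the question, the answer, or Gatekeeper itself. It builds AssignMetadata manifests for both the label and the annotation from the question and lints the `location` string before it ever reaches the webhook, so a bare `/` is caught locally instead of in a 422 from the apiserver. Assumptions: the path grammar used here is a simplified model of Gatekeeper's location parser (`.`-separated segments, unquoted segments limited to `[A-Za-z0-9_~-]`, double-quoted segments allowed to contain dots and slashes); the `~1` form is produced exactly as the answer shows (RFC 6901 JSON Pointer escaping) but is not interpreted by this toy parser. Function names (`parse_location`, `quoted_location`, `pointer_location`, `lint_metadata_location`, `assign_metadata`, `location_error`) are hypothetical.

```python
"""Build and lint Gatekeeper AssignMetadata locations for keys containing '/'.

Added example; not code from the question, the answer, or Gatekeeper.
The grammar below is an ASSUMED simplified model of Gatekeeper's parser.
"""
import json
import re

# Characters accepted in an unquoted segment (assumption). Note '/' is absent,
# which is exactly why the question's location is rejected.
_UNQUOTED = re.compile(r"[A-Za-z0-9_~-]+")


def parse_location(path: str) -> list:
    """Split a location path into segments.

    A double-quoted segment may contain any character (dots, slashes).
    An unquoted segment stops at the first character outside _UNQUOTED; if that
    character is not '.', we raise the same kind of error the webhook reports.
    """
    segments = []
    i, n = 0, len(path)
    while True:
        if i < n and path[i] == '"':
            # Quoted segment: read up to the closing quote, honouring \" escapes.
            j, buf = i + 1, []
            while j < n and path[j] != '"':
                if path[j] == "\\" and j + 1 < n:
                    j += 1
                buf.append(path[j])
                j += 1
            if j >= n:
                raise ValueError("unterminated quoted segment")
            segments.append("".join(buf))
            i = j + 1
        else:
            m = _UNQUOTED.match(path, i)
            if not m:
                got = path[i] if i < n else "eof"
                raise ValueError(f"expected field name, got: {got!r}")
            segments.append(m.group(0))
            i = m.end()
        if i == n:
            return segments
        if path[i] != ".":
            # Mirrors: unexpected token: expected '.' or eof, got: ERROR: "/"
            raise ValueError(f"unexpected token: expected '.' or eof, got: {path[i]!r}")
        i += 1


def location_error(path: str):
    """Return the parser's error message for path, or None if it parses."""
    try:
        parse_location(path)
    except ValueError as e:
        return str(e)
    return None


def _check_field(field: str) -> None:
    if field not in ("labels", "annotations"):
        raise ValueError("field must be 'labels' or 'annotations'")


def quoted_location(field: str, key: str) -> str:
    """Answer's second form: wrap the key in double quotes."""
    _check_field(field)
    escaped = key.replace("\\", "\\\\").replace('"', '\\"')
    return f'metadata.{field}."{escaped}"'


def pointer_location(field: str, key: str) -> str:
    """Answer's first form: JSON Pointer escaping (RFC 6901): '~'->'~0', '/'->'~1'."""
    _check_field(field)
    return f"metadata.{field}.{key.replace('~', '~0').replace('/', '~1')}"


def lint_metadata_location(path: str) -> str:
    """Check the path addresses exactly one label/annotation key; return the key.
    Assumed required shape: metadata.<labels|annotations>.<key>."""
    segs = parse_location(path)
    if len(segs) != 3 or segs[0] != "metadata" or segs[1] not in ("labels", "annotations"):
        raise ValueError(f"not a metadata label/annotation path: {segs}")
    return segs[2]


def assign_metadata(name: str, field: str, key: str, value: str) -> dict:
    """The AssignMetadata manifest from the question, with a quoted location."""
    location = quoted_location(field, key)
    lint_metadata_location(location)  # fail fast, before the webhook does
    return {
        "apiVersion": "mutations.gatekeeper.sh/v1beta1",
        "kind": "AssignMetadata",
        "metadata": {"name": name},
        "spec": {
            "match": {"scope": "Namespaced",
                      "kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
            "location": location,
            "parameters": {"assign": {"value": value}},
        },
    }


if __name__ == "__main__":
    # Constructed sample: the label and annotation Kuma needs, per the question.
    for field, key, value in [("labels", "kuma.io/mesh", "mesh"),
                              ("annotations", "kuma.io/sidecar-injection", "enabled")]:
        print(json.dumps(assign_metadata(f"kuma-{field}", field, key, value), indent=2))
    print("rejected:", location_error("metadata.annotations.kuma.io/sidecar-injection"))
```

Running the script prints the two manifests (one per key) and then the lint error for the original unquoted location, which reproduces the `got: '/'` part of the webhook's message. The quoted form keeps `kuma.io/sidecar-injection` as a single segment, which is what `lint_metadata_location` relies on.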