
Cannot retrieve data.inventory data when resources are deleted by triggering namespace deletion #3445

Closed
peterbosalliandercom opened this issue Jul 10, 2024 · 2 comments
Labels
bug Something isn't working stale

Comments

@peterbosalliandercom

What steps did you take and what happened:

We have the following ConstraintTemplate, which works fine during create and update events. As soon as we keep the resource in the namespace and delete the whole namespace (as in a Ginkgo test), it cannot find the namespace label tenant on the namespace. (It is really there, believe me.) Again, the resources can be created, updated, patched and deleted without any problem and the constraint works fine.

It looks to me like it cannot find the label here:
not data.inventory.cluster.v1.Namespace[namespace].metadata.labels.tenant

Error:

message: 'cannot remove finalizer from claim: cannot update object: admission
      webhook "validation.gatekeeper.sh" denied the request: 
      Namespace ''e2etest-e2etenantresources-r88tdp'' does not have a ''tenant'' label
      in the parent namespace'

ConstraintTemplate:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: providerconfigtenantiamroleconstraint
  annotations:
    metadata.gatekeeper.sh/requiresSyncData: |
      '[
        [
          {
            "groups": [""],
            "versions": ["v1"],
            "kinds": ["Namespace"]
          }
        ]
      ]'
spec:
  crd:
    spec:
      names:
        kind: ProviderConfigTenantIamRoleConstraint
      validation:
        legacySchema: false
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |-
        package providerconfigtenantiamroleconstraint

        import future.keywords.contains
        import future.keywords.if
        import future.keywords.in

        # Allowed kinds
        allowed_kinds := ["XXXX","YYYY"]

        # Violation collectors
        violating_kinds contains kind if {
          kind := input.review.kind.kind
          kind in allowed_kinds
        }

        violation[{"msg": msg}] {
          count(violating_kinds) > 0
          input.review.operation != "DELETE"

          resource := input.review.object
          namespace := resource.metadata.namespace

          # retrieve tenant label from parent namespace
          not data.inventory.cluster.v1.Namespace[namespace].metadata.labels.tenant

          msg := sprintf("Namespace '%s' does not have a 'tenant' label in the parent namespace", [input.review.object.metadata.namespace])
        }

What did you expect to happen:
It should not violate on the constraint.

Anything else you would like to add:

Environment:

  • Gatekeeper version:
    gatekeeper = {
    chart = "gatekeeper",
    name = "gatekeeper",
    namespace = "gatekeeper-system",
    repository = "https://open-policy-agent.github.io/gatekeeper/charts",
    version = "3.15.1"
    },
  • Kubernetes version: (use kubectl version):
    Client Version: version.Info{Major:"1", Minor:"27",
    Server Version: version.Info{Major:"1", Minor:"28+"
@peterbosalliandercom peterbosalliandercom added the bug Something isn't working label Jul 10, 2024
@maxsmythe
Contributor

You are deleting the namespace? Wouldn't that delete any objects in the containing namespace? Are you applying this constraint against the DELETE operation?

G8r likely removes the namespace from the cache when the DELETE for the namespace is observed.

It looks like you are attempting to exempt DELETE, but the operation that is being blocked is an UPDATE that would remove the finalizer. Unfortunately, the K8s API has no way to remove finalizers other than via UPDATE and there is no way to easily ensure that the only thing being modified by an UPDATE is removal of the finalizer. I'd request that K8s implement some method for admission webhooks to detect/allow pure finalizer updates, as this occurrence is not uncommon.

In the interim, you could alter the template to allow the request if the namespace is missing from the cache altogether.
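The change suggested above, written out as an added example (not code from the issue or from the Gatekeeper project): the Rego body binds the parent namespace from the synced inventory first, so the rule only produces a violation when the Namespace object is still in the cache and actually lacks the `tenant` label. When the namespace has already been dropped from the cache (for example during namespace deletion, when the finalizer-removing UPDATE is admitted), the `parent_ns` reference is undefined, the rule body fails to match and the request is allowed. The package name, `allowed_kinds` placeholder values and the message text are taken from the template in the issue; the `parent_ns` helper name is my own.

```rego
package providerconfigtenantiamroleconstraint

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Allowed kinds (placeholder values from the issue)
allowed_kinds := ["XXXX", "YYYY"]

violating_kinds contains kind if {
  kind := input.review.kind.kind
  kind in allowed_kinds
}

# Parent namespace as seen in Gatekeeper's synced cache
# (data.inventory.cluster.<groupVersion>.<Kind>.<name>, core group is "v1").
# Undefined when the Namespace object is no longer in the cache, which makes
# every rule body that references parent_ns fail instead of firing.
parent_ns := data.inventory.cluster.v1.Namespace[input.review.object.metadata.namespace]

violation contains {"msg": msg} if {
  count(violating_kinds) > 0
  input.review.operation != "DELETE"

  # Require the namespace to be present in the cache before inspecting labels.
  # The original `not data.inventory...labels.tenant` was also true when the
  # whole Namespace entry was missing, which is what blocked finalizer removal.
  parent_ns
  not parent_ns.metadata.labels.tenant

  msg := sprintf("Namespace '%s' does not have a 'tenant' label in the parent namespace", [input.review.object.metadata.namespace])
}
```

The trade-off is that a request whose namespace is genuinely absent from the cache (for instance immediately after Gatekeeper starts, before the sync has completed) is now allowed rather than denied; if that fail-open window matters, the same check can be combined with a separate rule that denies when `data.inventory.cluster.v1.Namespace` is entirely empty, which indicates the sync has not run yet.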


stale bot commented Oct 2, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 2, 2024
@stale stale bot closed this as completed Oct 19, 2024