Description
OPA Gatekeeper versions: v3.18.2, v3.20.1
I have observed working with the K8sPSPHostFilesystem constraint template that often the reported error is the following default error message rather than the one defined in the messageExpression property:
message: 'failed expression: (has(request.operation) && request.operation == "UPDATE")
|| size(variables.badHostPaths) == 0'
I've made a few tests and discovered that I have this message when more than one volume is in violation of the rule. If I ensure only one volume is defined in my test pod I retrieve the expected message:
message: 'HostPath volume { hostPath: { path : /var/log }, name: varlog} is not
allowed, pod: bad-hostpaths. Allowed path: /usr/share/zoneinfo, readOnly: true}'
If I edit the constraint template to replace the newline character, it then works as expected:
# Edited line in constraint template
messageExpression: variables.badHostPaths.join(" +++ ")
message: 'HostPath volume { hostPath: { path : /var/log }, name: varlog} is not
allowed, pod: bad-hostpaths. Allowed path: /usr/share/zoneinfo, readOnly: true}
+++ HostPath volume { hostPath: { path : /etc/machine-id }, name: etcmachineid}
is not allowed, pod: ba...'
It is unclear to me whether this is a known limitation of OPA Gatekeeper, if this behaviour is by design or should actually be fixed. In the latter case, it is unclear to me whether it should be addressed here in the constraint definitions, or in Gatekeeper itself (or its dependencies). Maybe it is already documented and I have missed this piece of information?
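One way to surface this fallback at audit time, as an added example that is not part of the issue or of the Gatekeeper project: a Python check over a constraint's `status.violations` (the audit status layout with `kind`/`namespace`/`name`/`message` per violation is assumed, and the violation data below is constructed) that flags any violation whose message is the default `failed expression:` text instead of the `messageExpression` result.

```python
import re

# Prefix Gatekeeper reports when the messageExpression itself fails to
# evaluate (taken from the report above); the CEL source follows it.
FALLBACK_PREFIX = "failed expression:"


def fallback_violations(constraint):
    """Return violations whose message is the default fallback text.

    `constraint` is a dict shaped like `kubectl get <kind> <name> -o json`
    (assumed layout: status.violations[] with kind/namespace/name/message).
    Each flagged entry names the resource and the CEL source that failed.
    """
    flagged = []
    for v in constraint.get("status", {}).get("violations", []):
        msg = v.get("message", "")
        if msg.lstrip().startswith(FALLBACK_PREFIX):
            # Collapse the line breaks so the CEL source reads on one line.
            expr = re.sub(r"\s+", " ", msg[len(FALLBACK_PREFIX):]).strip()
            resource = f'{v.get("kind")}/{v.get("namespace", "")}/{v.get("name")}'
            flagged.append({"resource": resource, "expression": expr})
    return flagged


# Constructed sample mirroring the two outcomes described in the report:
# one pod with several bad volumes (fallback text) and one with a single
# bad volume (the expected messageExpression output).
SAMPLE = {
    "kind": "K8sPSPHostFilesystem",
    "metadata": {"name": "psp-host-filesystem"},
    "status": {
        "violations": [
            {"kind": "Pod", "namespace": "default", "name": "bad-hostpaths",
             "message": 'failed expression: (has(request.operation) && request.operation == "UPDATE")\n'
                        '|| size(variables.badHostPaths) == 0'},
            {"kind": "Pod", "namespace": "default", "name": "one-hostpath",
             "message": "HostPath volume { hostPath: { path : /var/log }, name: varlog} is not "
                        "allowed, pod: one-hostpath. Allowed path: /usr/share/zoneinfo, readOnly: true}"},
        ]
    },
}

if __name__ == "__main__":
    for f in fallback_violations(SAMPLE):
        print(f"{f['resource']}: messageExpression failed, fell back to: {f['expression']}")
```

Pipe `kubectl get k8spsphostfilesystem <name> -o json` into `fallback_violations` to find audit entries that lost their informative message.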