A Bug in the VAP engine regarding DELETE behavior.

[Hlinbit]

What steps did you take and what happened:
The template:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sservicedeleteprotection
  annotations:
    description: "Prevent Services in specified namespaces from being deleted."
spec:
  crd:
    spec:
      names:
        kind: K8sServiceDeleteProtection
      validation:
        legacySchema: true
        openAPIV3Schema:
          type: object
          properties:
            protectedNamespaces:
              type: array
              description: "Namespaces in which Service deletion is denied."
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      operations: ["DELETE"]
      code:
        - engine: K8sNativeValidation
          source:
            generateVAP: true
            validations:
              # Pass: Non-Service resources or resources outside protected namespaces.
              - expression: >-
                  !has(variables.anyObject) || !has(variables.anyObject.metadata)
                  || variables.anyObject.kind != 'Service'
                  || !variables.params.protectedNamespaces.exists(n, n == variables.anyObject.metadata.namespace)
                messageExpression: >-
                  "Deleting Service in protected namespace is not allowed: "
                  + variables.anyObject.metadata.namespace
                  + "/" + variables.anyObject.metadata.name

Generated VAP(Some irrelevant content has been omitted.):

spec:
    matchConstraints:
    matchPolicy: Equivalent
    namespaceSelector: {}
    objectSelector: {}
    resourceRules:
    - apiGroups:
      - '*'
      apiVersions:
      - '*'
      operations:
      - CREATE
      - UPDATE
      resources:
      - '*'
      scope: '*'
  paramKind:
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sServiceDeleteProtection
  validations:
  - expression: '!has(variables.anyObject) || !has(variables.anyObject.metadata) ||
      variables.anyObject.kind != ''Service'' || !variables.params.protectedNamespaces.exists(n,
      n == variables.anyObject.metadata.namespace)'
    messageExpression: '"Deleting Service in protected namespace is not allowed: "
      + variables.anyObject.metadata.namespace + "/" + variables.anyObject.metadata.name'
  variables:
  - expression: 'has(request.operation) && request.operation == "DELETE" && object
      == null ? oldObject : object'
    name: anyObject
  - expression: '!has(params.spec) ? null : !has(params.spec.parameters) ? null: params.spec.parameters'
    name: params

What did you expect to happen:
Expected generated VAP(Some irrelevant content has been omitted.):

spec:
    matchConstraints:
    matchPolicy: Equivalent
    namespaceSelector: {}
    objectSelector: {}
    resourceRules:
    - apiGroups:
      - '*'
      apiVersions:
      - '*'
      operations:
      - DELETE
      resources:
      - '*'
      scope: '*'

Anything else you would like to add:

Environment:

• Gatekeeper version: v3.21.1
• Kubernetes version: v1.35.1 (kind)

[JaydipGabani]

Thanks for reporting this!

Root Cause

The behavior you're seeing depends on the --sync-vap-enforcement-scope flag, which controls how the generated VAP's operations are determined.

In v3.21, this flag defaults to false. When disabled, a default set of operations (CREATE, UPDATE) is hardcoded into the generated VAP, regardless of what operations are specified in the ConstraintTemplate. This is the bug you're observing.

Resolution

To get DELETE operations working correctly in the generated VAP, you need two Helm/flag changes:

1. Enable --sync-vap-enforcement-scope — This tells Gatekeeper to synchronize the VAP's enforcement scope with the webhook configuration, including respecting the CT's operations field.

2. Enable enableDeleteOperations: true in your Helm values — By default, Gatekeeper's validating webhook only handles CREATE and UPDATE. The generated VAP's operations are computed as the intersection of the webhook's operations and the CT's operations. If the webhook doesn't include DELETE, then a CT with operations: ["DELETE"] will have no matching operations and the VAP won't be created.