
In version 3.18.2, gator is not properly parsing enforcementAction #3788

Open
mmmommm opened this issue Jan 17, 2025 · 1 comment
Labels
bug Something isn't working

Comments


mmmommm commented Jan 17, 2025

What steps did you take and what happened:
I am using gatekeeper's vap / vapb integration to reflect vap / vapb in the cluster. I'm trying to use gator to test the constraint / template resources for creating vap / vapb, but the tests are behaving differently than expected, possibly because enforcementAction is not being parsed correctly.

All the manifests and procedures for the constraintTemplate follow the demo, and the manifests for the suites executed by gator are as follows:

demo/scoped-enforcement-actions/suite.yaml

apiVersion: test.gatekeeper.sh/v1alpha1
kind: Suite
metadata:
  name: all-must-have-owner
tests:
  - name: all-must-have-owner
    template: k8srequiredlabels_template_usevap.yaml.yaml
    constraint: owner_must_be_provided_usevap.yaml.yaml
    cases:
      - name: success-ns
        object: testdata/success-ns.yaml
        assertions:
          - violations: 0
      - name: error-ns
        object: testdata/error-ns.yaml
        assertions:
          - violations: 2

demo/scoped-enforcement-actions/testdata/error-ns.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: error

demo/scoped-enforcement-actions/testdata/success-ns.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: success
  labels:
    "owner": "test.agilebank.demo"

The command to run gator is:
gator verify -v demo/scoped-enforcement-actions/suite.yaml

The result is as follows; the violations do not occur:

=== RUN   privileged-and-hostpath-restriction
    === RUN   allowed-ns
    --- PASS: allowed-ns        (0.005s)
    === RUN   error-ns
    --- FAIL: error-ns  (0.005s)
        unexpected number of violations: got 0 violations but want exactly 2: got messages []
--- FAIL: privileged-and-hostpath-restriction   (0.025s)
FAIL    ./manifests/validating-admission-policy/test/suite.yaml 0.025s
FAIL

Error: FAIL

When commenting out enforcementAction: scoped in owner_must_be_provided_usevap.yaml and running again, the result is:

=== RUN   all-must-have-owner
    === RUN   allowed-ns
    --- PASS: allowed-ns        (0.007s)
    === RUN   error-ns
    --- PASS: error-ns  (0.004s)
--- PASS: all-must-have-owner   (0.026s)
ok      ./manifests/validating-admission-policy/test/suite.yaml 0.026s
PASS

What did you expect to happen:

enforcementAction is correctly interpreted and the test is executed.

Anything else you would like to add:
I verified the issue locally using three methods:
Installing gator via go install:
go install github.com/open-policy-agent/gatekeeper/v3/cmd/gator@v3.18.2 && gator verify *

Install via brew:

$ brew install gator
$ gator -v
gator version 3.18.2 (Feature State: beta), opa/v0.68.0, frameworks/v0.0.0-20241101234656-e78c8abd754a

Using a Docker container:
docker run ghcr.io/open-policy-agent/gator:v3.18.2 verify *

In all three cases, the issue was reproducible.

Environment:

  • Gatekeeper version: v3.18.2
  • Kubernetes version: (use kubectl version):
$ kubectl version
Client Version: v1.31.2
Kustomize Version: v5.4.2
Server Version: v1.31.2
JaydipGabani commented Jan 21, 2025

@mmmommm This is because the gator.gatekeeper.sh enforcementPoint is not included in the constraint. Here is where you can find out more about the gator enforcementPoint: https://open-policy-agent.github.io/gatekeeper/website/docs/enforcement-points/#deny-in-shift-left-and-warn-at-admission.

Removing the scoped enforcement action means enforcing at all enforcement points, so it will result in the constraints being enforced through gator. gator-cli only looks for constraints with the gator.gatekeeper.sh enforcement point -

args = append(args, constraintclient.Driver(driver), constraintclient.EnforcementPoints(util.GatorEnforcementPoint))

Hence this is not a bug, but rather intended behavior.
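As an added illustration of the point made in the comment above (not a file from the issue or from the Gatekeeper repository): the first document is a constructed constraint shaped the way the report describes, scoped to the VAP enforcement point only, which gator-cli skips; the second lists gator.gatekeeper.sh as well, so `gator verify` evaluates it while the cluster still enforces through VAP. The K8sRequiredLabels kind and the `parameters` block are assumed to match the demo's template; the enforcement point names follow the linked documentation.

```yaml
# Constructed example: scoped to vap.k8s.io only. gator-cli filters on the
# gator.gatekeeper.sh enforcement point, so this constraint is never evaluated
# by `gator verify` and the error-ns case reports 0 violations.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  enforcementAction: scoped
  scopedEnforcementActions:
    - action: deny
      enforcementPoints:
        - name: vap.k8s.io
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:            # assumed: whatever the demo template expects
    labels: ["owner"]
---
# Corrected: gator.gatekeeper.sh is added as an enforcement point, so the
# shift-left test denies the missing label while VAP keeps enforcing in-cluster.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: all-must-have-owner
spec:
  enforcementAction: scoped
  scopedEnforcementActions:
    - action: deny
      enforcementPoints:
        - name: gator.gatekeeper.sh
        - name: vap.k8s.io
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:            # assumed: whatever the demo template expects
    labels: ["owner"]
```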
