From 6a49702d26769aaa07957b2abee480dc7e8fe1d3 Mon Sep 17 00:00:00 2001
From: Evan Vetere
Date: Fri, 26 Jun 2026 22:57:52 -0400
Subject: [PATCH] fix: correct DLQ runbook CEL null-check guidance

The documented remediation for cel_summary DLQ errors guarded only the root object (`has(audit.responseObject)`), which does not prevent `no such key: name` when responseObject is present but metadata.name is absent (DELETE, status subresource, and error/forbidden responses). Guard the full leaf path instead so the example actually fixes the failure it claims to.

Refs #212

Key changes:
- has(audit.responseObject.metadata.name) instead of has(audit.responseObject)
- apply the same leaf-path guard to the spec.type DELETE example
---
 docs/runbooks/dlq/policy-dlq-errors.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/runbooks/dlq/policy-dlq-errors.md b/docs/runbooks/dlq/policy-dlq-errors.md
index f4126987..274f2a5f 100644
--- a/docs/runbooks/dlq/policy-dlq-errors.md
+++ b/docs/runbooks/dlq/policy-dlq-errors.md
@@ -92,12 +92,15 @@ kubectl edit activitypolicy
 # After: has(audit.verb) && audit.verb == 'create'
 
 # 2. Add null checks for nested fields
+# Guard the full leaf path, not just the root object: responseObject can be
+# present while metadata.name is absent (DELETE, status subresource, error
+# responses), which still raises "no such key: name".
 # Before: audit.responseObject.metadata.name
-# After: has(audit.responseObject) ? audit.responseObject.metadata.name : audit.objectRef.name
+# After: has(audit.responseObject.metadata.name) ? audit.responseObject.metadata.name : audit.objectRef.name
 
 # 3. Handle DELETE operations (no responseObject)
 # Before: {{ audit.responseObject.spec.type }}
-# After: {{ has(audit.responseObject) ? audit.responseObject.spec.type : 'deleted' }}
+# After: {{ has(audit.responseObject.spec.type) ? audit.responseObject.spec.type : 'deleted' }}
 ```
 
 Policy update triggers immediate retry of all failed events.