set default ValidationFailureAction to 'audit'

2025-03-31 03:45:17 +00:00 · 2019-09-06 10:18:45 -07:00 · 2019-09-06 10:18:45 -07:00 · 2669b0ae6b
commit 2669b0ae6b
parent ff60dc05fd
6 changed files with 20 additions and 17 deletions
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -26,8 +26,8 @@ spec:
            validationFailureAction:
              type: string
              enum: 
-              - enforce # blocks the resorce api-reques if a rule fails. Default behavior
-              - audit # allows resource creationg and reports the failed validation rules as violations
+              - enforce # blocks the resorce api-reques if a rule fails.
+              - audit # allows resource creation and reports the failed validation rules as violations. Default
            rules:
              type: array
              items:
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -26,8 +26,8 @@ spec:
            validationFailureAction:
              type: string
              enum: 
-              - enforce # blocks the resorce api-reques if a rule fails. Default behavior
-              - audit # allows resource creationg and reports the failed validation rules as violations
+              - enforce # blocks the resorce api-reques if a rule fails.
+              - audit # allows resource creationg and reports the failed validation rules as violations. Default
            rules:
              type: array
              items:
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@ -10,6 +10,9 @@ kind : ClusterPolicy
 metadata :
  name : policy
 spec :
+  # 'enforce' to block resource request if any rules fail
+  # 'audit' to allow resource request on failure of rules, but create policy violations to report them
+  validationFailureAction: enforce
  # Each policy has a list of rules applied in declaration order
  rules:
    # Rules must have a unique name
--- a/pkg/engine/response.go
+++ b/pkg/engine/response.go
@ -25,7 +25,7 @@ type PolicyResponse struct {
 	PolicyStats `json:",inline"`
 	// rule response
 	Rules []RuleResponse `json:"rules"`
-	// ValidationFailureAction: audit,enforce(default)
+	// ValidationFailureAction: audit(default if not set),enforce
 	ValidationFailureAction string
 }

--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@ -60,9 +60,9 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st
 }

 func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) {
-	// default ValidationFailureAction to "enforce" if not specified
+	// default ValidationFailureAction to "audit" if not specified
 	if policy.Spec.ValidationFailureAction == "" {
-		glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, BlockChanges)
+		glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit)
 		jsonPatch := struct {
 			Path  string `json:"path"`
 			Op    string `json:"op"`
@ -70,15 +70,15 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 		}{
 			"/spec/validationFailureAction",
 			"add",
-			BlockChanges, //enforce
+			Audit, //audit
 		}
 		patchByte, err := json.Marshal(jsonPatch)
 		if err != nil {
-			glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", BlockChanges, policy.Name)
+			glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
 			return nil, ""
 		}
-		glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", BlockChanges, policy.Name)
-		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", BlockChanges)
+		glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+		return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 	}
 	return nil, ""
 }
--- a/pkg/webhooks/utils.go
+++ b/pkg/webhooks/utils.go
@ -18,16 +18,16 @@ func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
 	return true
 }

-// returns true -> if there is even one policy that blocks resource requst
+// returns true -> if there is even one policy that blocks resource request
 // returns false -> if all the policies are meant to report only, we dont block resource request
 func toBlockResource(engineReponses []engine.EngineResponseNew) bool {
 	for _, er := range engineReponses {
-		if er.PolicyResponse.ValidationFailureAction != ReportViolation {
-			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource ceation", er.PolicyResponse.Policy)
+		if er.PolicyResponse.ValidationFailureAction == Enforce {
+			glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
 			return true
 		}
 	}
-	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource creation, reporting with violation")
+	glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
 	return false
 }

@ -78,8 +78,8 @@ func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {

 // Policy Reporting Modes
 const (
-	BlockChanges    = "enforce"
-	ReportViolation = "audit"
+	Enforce = "enforce" // blocks the request on failure
+	Audit   = "audit"   // dont block the request on failure, but report failiures as policy violations
 )

 func processResourceWithPatches(patch []byte, resource []byte) []byte {