diff --git a/definitions/install.yaml b/definitions/install.yaml
index 9f0ffce05b..20e53989dc 100644
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@@ -26,8 +26,8 @@ spec:
 validationFailureAction:
 type: string
 enum:
- - enforce # blocks the resorce api-reques if a rule fails. Default behavior
- - audit # allows resource creationg and reports the failed validation rules as violations
+ - enforce # blocks the resorce api-reques if a rule fails.
+ - audit # allows resource creation and reports the failed validation rules as violations. Default
 rules:
 type: array
 items:
diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml
index 95f5213869..028aa8d3c2 100644
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@@ -26,8 +26,8 @@ spec:
 validationFailureAction:
 type: string
 enum:
- - enforce # blocks the resorce api-reques if a rule fails. Default behavior
- - audit # allows resource creationg and reports the failed validation rules as violations
+ - enforce # blocks the resorce api-reques if a rule fails.
+ - audit # allows resource creationg and reports the failed validation rules as violations. Default
 rules:
 type: array
 items:
diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md
index 6b9983a9c7..7de08701fc 100644
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@@ -10,6 +10,9 @@ kind : ClusterPolicy
 metadata :
 name : policy
 spec :
+ # 'enforce' to block resource request if any rules fail
+ # 'audit' to allow resource request on failure of rules, but create policy violations to report them
+ validationFailureAction: enforce
 # Each policy has a list of rules applied in declaration order
 rules:
 # Rules must have a unique name
diff --git a/pkg/engine/response.go b/pkg/engine/response.go
index e69b507b39..b78d69af3b 100644
--- a/pkg/engine/response.go
+++ b/pkg/engine/response.go
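Review bot: The new `audit` enum comment announces it as the default, but the schema declares no `default:` under `validationFailureAction`, so the API server itself sets nothing; from the rest of this commit the only defaulting is the JSON patch produced by the mutating webhook in pkg/webhooks/policymutation.go, and a ClusterPolicy admitted while that webhook is unavailable is stored with an empty value. If the cluster's CRD version supports schema defaulting, consider adding `default: audit` next to `type: string` so both paths agree; otherwise make the comment say the default is applied by the admission webhook, not by the schema. The retained line still reads `resorce api-reques`; `resource api-request` would fix both typos while the line is being touched anyway.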
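Review bot: The new `audit` line in definitions/install_debug.yaml keeps the `creationg` typo that the parallel hunk in definitions/install.yaml corrects, so the two schema files now differ in comment text only by a mistake. Suggest the same wording in both: `- audit # allows resource creation and reports the failed validation rules as violations. Default`.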
@@ -25,7 +25,7 @@ type PolicyResponse struct {
 PolicyStats `json:",inline"`
 // rule response
 Rules []RuleResponse `json:"rules"`
- // ValidationFailureAction: audit,enforce(default)
+ // ValidationFailureAction: audit(default if not set),enforce
 ValidationFailureAction string
 }
diff --git a/pkg/webhooks/policymutation.go b/pkg/webhooks/policymutation.go
index 25896d8b36..e0c8d8faf9 100644
--- a/pkg/webhooks/policymutation.go
+++ b/pkg/webhooks/policymutation.go
@@ -60,9 +60,9 @@ func generateJSONPatchesForDefaults(policy *kyverno.ClusterPolicy) ([]byte, []st
 }
 
 func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, string) {
- // default ValidationFailureAction to "enforce" if not specified
+ // default ValidationFailureAction to "audit" if not specified
 if policy.Spec.ValidationFailureAction == "" {
- glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, BlockChanges)
+ glog.V(4).Infof("defaulting policy %s 'ValidationFailureAction' to '%s'", policy.Name, Audit)
 jsonPatch := struct {
 Path string `json:"path"`
 Op string `json:"op"`
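Review bot: Defaulting an omitted `validationFailureAction` to `audit` makes the unset case fail open: a policy whose author never set the field, including every existing manifest written against the previous `enforce` default, now only records violations while the resource it was meant to reject is admitted. That may be the intended product decision, but it is a silent behaviour change on upgrade, and the only trace of it is a `glog.V(4)` line that operators will not see at normal verbosity; consider logging it at the default level, e.g. `glog.Infof("policy %s does not set 'ValidationFailureAction'; defaulting to '%s' (violations are reported, requests are not blocked)", policy.Name, Audit)`. It is also worth stating in the CRD description or release notes that manifests relying on the old default must now set `validationFailureAction: enforce` explicitly. defaultvalidationFailureAction continues past the end of this hunk.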
@@ -70,15 +70,15 @@ func defaultvalidationFailureAction(policy *kyverno.ClusterPolicy) ([]byte, stri
 }{
 "/spec/validationFailureAction",
 "add",
- BlockChanges, //enforce
+ Audit, //audit
 }
 patchByte, err := json.Marshal(jsonPatch)
 if err != nil {
- glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", BlockChanges, policy.Name)
+ glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
 return nil, ""
 }
- glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", BlockChanges, policy.Name)
- return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", BlockChanges)
+ glog.V(4).Infof("generate JSON Patch to set default 'ValidationFailureAction' to '%s' for policy %s", Audit, policy.Name)
+ return patchByte, fmt.Sprintf("default 'ValidationFailureAction' to '%s'", Audit)
 }
 return nil, ""
 }
diff --git a/pkg/webhooks/utils.go b/pkg/webhooks/utils.go
index 5c658553ce..f96d800ce9 100644
--- a/pkg/webhooks/utils.go
+++ b/pkg/webhooks/utils.go
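Review bot: The rewritten `glog.Errorf` in the `json.Marshal` error path still drops `err`, and the function then returns `nil, ""`, which is indistinguishable to the caller from "the field was already set"; a policy would be admitted with no default applied and only a message that does not say why. Suggest `glog.Errorf("failed to set default 'ValidationFailureAction' to '%s' for policy %s: %v", Audit, policy.Name, err)` so the cause is at least recorded, and consider whether generateJSONPatchesForDefaults (outside this hunk) should treat a failed default as a rejection rather than a no-op. The inline `//audit` comment after `Audit,` only restates the identifier and can go.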
@@ -18,16 +18,16 @@ func isResponseSuccesful(engineReponses []engine.EngineResponseNew) bool {
 return true
 }
 
-// returns true -> if there is even one policy that blocks resource requst
+// returns true -> if there is even one policy that blocks resource request
 // returns false -> if all the policies are meant to report only, we dont block resource request
 func toBlockResource(engineReponses []engine.EngineResponseNew) bool {
 for _, er := range engineReponses {
- if er.PolicyResponse.ValidationFailureAction != ReportViolation {
- glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource ceation", er.PolicyResponse.Policy)
+ if er.PolicyResponse.ValidationFailureAction == Enforce {
+ glog.V(4).Infof("ValidationFailureAction set to enforce for policy %s , blocking resource request ", er.PolicyResponse.Policy)
 return true
 }
 }
- glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource creation, reporting with violation")
+ glog.V(4).Infoln("ValidationFailureAction set to audit, allowing resource request, reporting with policy violation")
 return false
 }
@@ -78,8 +78,8 @@ func getApplicableKindsForPolicy(p *kyverno.ClusterPolicy) []string {
 // Policy Reporting Modes
 const (
- BlockChanges = "enforce"
- ReportViolation = "audit"
+ Enforce = "enforce" // blocks the request on failure
+ Audit = "audit" // dont block the request on failure, but report failiures as policy violations
 )
 
 func processResourceWithPatches(patch []byte, resource []byte) []byte {
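Review bot: Inverting the test from `!= ReportViolation` to `== Enforce` changes what an empty `ValidationFailureAction` does at enforcement time: before, an unset value blocked the request; now only the exact string `enforce` blocks, so any policy that reaches the engine without the mutating webhook's default patch (the webhook unavailable with an ignore failure policy, or a policy object created before the webhook was registered) fails open with no log line saying so. If "audit unless explicitly enforce" is the intended contract, state it in the comment above the loop, e.g. `// an empty or unrecognised ValidationFailureAction is treated as audit and does not block`; if not, keep the blocking default here with `if er.PolicyResponse.ValidationFailureAction != Audit {` so the webhook default and the engine agree. The new log string also carries a stray trailing space before the closing quote in `blocking resource request "`.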
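Review bot: The new comment on `Audit` has two typos, `dont` and `failiures`; suggest `Audit = "audit" // do not block the request on failure, but report failures as policy violations`. Since these two strings are what the engine compares against and what the CRD enum in definitions/install.yaml accepts, a one-line comment on the const block noting that the enum must list the same values would help keep the two in sync.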