Allow setting validationFailureActionOverrides for policies (#3201)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2025-03-31 03:45:17 +00:00 · 2022-02-09 03:24:35 -05:00 · 2022-02-09 03:24:35 -05:00 · 3f1a0bfd6c
commit 3f1a0bfd6c
parent 9661ea8584
21 changed files with 78 additions and 0 deletions
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@ -67,6 +67,7 @@ The following table lists the configurable parameters of the kyverno chart and t
 | `podSecurityPolicies`              | Policies to include when `podSecurityStandard` is set to `custom`                                                                                                                                                                                        | `[]`                                                                                                                                                                                                                                                                     |
 | `policyExclude`              | Exclude resources from individual policies                                                                                                                                                                                        | `{}`                                                                                                                                                                                                                                                                     |
 | `validationFailureAction`          | set to get response in failed validation check. Supported values are `audit` and `enforce`. See: https://kyverno.io/docs/writing-policies/validate/                                                                                                      | `audit`                                                                                                                                                                                                                                                                  |
 | `validationFailureActionOverrides`          | Set validate failure action overrides to either all policies or select policies. See: https://kyverno.io/docs/writing-policies/validate/                                                                                                      | `{}`                                                                                                                                                                                                                                                                  |
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
--- a/charts/kyverno-policies/ci/test-values.yaml
+++ b/charts/kyverno-policies/ci/test-values.yaml
@ -1,6 +1,15 @@
 podSecurityStandard: restricted
 includeOtherPolicies:
 - require-non-root-groups
 validationFailureActionOverrides:
  all:
    - action: audit
      namespaces:
        - ingress-nginx
  disallow-host-path:
    - action: audit
      namespaces:
        - fluent
 policyExclude:
  disallow-host-path:
    any:
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@ -19,6 +19,9 @@ metadata:
      Adding capabilities beyond those listed in the policy must be disallowed.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: adding-capabilities
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@ -20,6 +20,9 @@ metadata:
      fields which make use of these host namespaces are unset or set to `false`.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: host-namespaces
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@ -19,6 +19,9 @@ metadata:
      and should not be allowed. This policy ensures no hostPath volumes are in use.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: host-path
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@ -19,6 +19,9 @@ metadata:
      field is unset or set to `0`. 
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: host-ports-none
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@ -20,6 +20,9 @@ metadata:
      the `hostProcess` field, if present, is set to `false`.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: host-process-containers
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@ -18,6 +18,9 @@ metadata:
      ensures Pods do not call for privileged mode.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: privileged-containers
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@ -20,6 +20,9 @@ metadata:
      server.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: check-proc-mount
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@ -18,6 +18,9 @@ metadata:
      ensures that the `seLinuxOptions` field is undefined.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: selinux-type
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@ -21,6 +21,9 @@ metadata:
      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: app-armor
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@ -20,6 +20,9 @@ metadata:
 spec:
  background: true
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  rules:
    - name: check-seccomp
      match:
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@ -22,6 +22,9 @@ metadata:
      a Pod.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: check-sysctls
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@ -20,6 +20,9 @@ metadata:
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: check-runasgroup
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@ -20,6 +20,9 @@ metadata:
      all containers must explicitly drop `ALL` capabilities.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: require-drop-all
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@ -18,6 +18,9 @@ metadata:
      This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: privilege-escalation
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@ -18,6 +18,9 @@ metadata:
      `runAsUser` is either unset or set to a number greater than zero.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: run-as-non-root-user
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@ -19,6 +19,9 @@ metadata:
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: run-as-non-root
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@ -22,6 +22,9 @@ metadata:
 spec:
  background: true
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  rules:
    - name: check-seccomp-strict
      match:
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@ -21,6 +21,9 @@ metadata:
      This policy blocks any other type of volume other than those in the allow list.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: true
  rules:
    - name: restricted-volumes
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@ -13,6 +13,20 @@ includeOtherPolicies: []
 # Supported values- `audit`, `enforce`
 # For more info- https://kyverno.io/docs/writing-policies/validate/
 validationFailureAction: audit
 # Define validationFailureActionOverrides for specific policies.
 # The overrides for 'all' will apply to all policies
 # Eg:
 # validationFailureActionOverrides:
 #   all:
 #     - action: audit
 #       namespaces:
 #         - ingress-nginx
 #   disallow-host-path:
 #     - action: audit
 #       namespaces:
 #         - fluent
 validationFailureActionOverrides:
  all: []
 # Exclude resources from individual policies
 # Eg:
 # policyExclude: