diff --git a/cmd/cli/kubectl-kyverno/apply/apply_command_test.go b/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
index bf57d40eb3..953f2db4f4 100644
--- a/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
+++ b/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
@@ -53,9 +53,9 @@ func Test_Apply(t *testing.T) {
 Summary: preport.PolicyReportSummary{
 Pass: 1,
 Fail: 1,
- Skip: 4,
+ Skip: 8,
 Error: 0,
- Warn: 0,
+ Warn: 2,
 },
 },
 },
diff --git a/cmd/cli/kubectl-kyverno/utils/common/common.go b/cmd/cli/kubectl-kyverno/utils/common/common.go
index 450a55f57c..5612e829d9 100644
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@@ -728,8 +728,16 @@ func ProcessValidateEngineResponse(policy v1.PolicyInterface, validateResponse *
 vrule.Status = report.StatusPass
 case response.RuleStatusFail:
- rc.Fail++
- vrule.Status = report.StatusFail
+ ann := policy.GetAnnotations()
+ if scored, ok := ann[policyreport.ScoredLabel]; ok && scored == "false" {
+ rc.Warn++
+ vrule.Status = report.StatusWarn
+ break
+ } else {
+ rc.Fail++
+ vrule.Status = report.StatusFail
+ }
+
 if !policyReport {
 if printCount < 1 {
 fmt.Printf("\npolicy %s -> resource %s failed: \n", policy.GetName(), resPath)
diff --git a/pkg/policyreport/builder.go b/pkg/policyreport/builder.go
index 5b8738fbc4..f8d45bb28c 100755
--- a/pkg/policyreport/builder.go
+++ b/pkg/policyreport/builder.go
@@ -313,7 +313,7 @@ func toPolicyResult(status response.RuleStatus) string {
 const categoryLabel string = "policies.kyverno.io/category"
 const severityLabel string = "policies.kyverno.io/severity"
-const scoredLabel string = "policies.kyverno.io/scored"
+const ScoredLabel string = "policies.kyverno.io/scored"
 type annotationValues struct {
 category string
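Review bot: The `else` after `break` in the added RuleStatusFail branch is dead structure — `break` leaves the switch, so `rc.Fail++` and `vrule.Status = report.StatusFail` can simply follow the `if`, and since indexing a nil map or a missing key yields "", the `ok &&` guard adds nothing. That `break` also skips the `if !policyReport` failure printing for non-scored policies, which looks intended but is easy to misread as a loop break, so it deserves a one-line comment such as `// scored=false policies are informational: count a warning and suppress the failure output`. The `scored == "false"` parsing now exists both here and in fetchAnnotationValues in pkg/policyreport/builder.go (second hunk of that file), so a small exported helper in policyreport would keep the two in step. If the CLI's exit status is derived from rc.Fail (not visible in this hunk), a policy carrying this annotation can no longer fail a run, which is worth stating in the annotation's documentation. ProcessValidateEngineResponse begins and ends outside the hunk.
```go
		case response.RuleStatusFail:
			// scored=false policies are informational: record a warning and
			// skip the failure output below (break leaves the switch).
			if policy.GetAnnotations()[policyreport.ScoredLabel] == "false" {
				rc.Warn++
				vrule.Status = report.StatusWarn
				break
			}
			rc.Fail++
			vrule.Status = report.StatusFail
			// … unchanged: failure printing when !policyReport …
```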
@@ -342,7 +342,7 @@ func (builder *requestBuilder) fetchAnnotationValues(policy, ns string) annotati
 if severity, ok := ann[severityLabel]; ok {
 av.setSeverityFromString(severity)
 }
- if scored, ok := ann[scoredLabel]; ok {
+ if scored, ok := ann[ScoredLabel]; ok {
 if scored == "false" {
 av.scored = false
 } else {
diff --git a/test/cli/apply/policies/policy.yaml b/test/cli/apply/policies/policy.yaml
index 0b84e4aad5..b3df63354e 100644
--- a/test/cli/apply/policies/policy.yaml
+++ b/test/cli/apply/policies/policy.yaml
@@ -21,4 +21,36 @@ spec:
 pattern:
 spec:
 containers:
- - image: "!*:latest"
\ No newline at end of file
+ - image: "!*:latest"
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: drop-all-capabilities
+ annotations:
+ policies.kyverno.io/scored: "false"
+spec:
+ validationFailureAction: audit
+ rules:
+ - name: require-drop-all
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: >-
+ Containers must drop `ALL` capabilities.
+ foreach:
+ - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
+ deny:
+ conditions:
+ all:
+ - key: ALL
+ operator: AnyNotIn
+ value: "{{ element.securityContext.capabilities.drop || '' }}"
diff --git a/test/cli/test/depecated_apis/kyverno-test.yaml b/test/cli/test/depecated_apis/kyverno-test.yaml
index b14e070173..e3b3ed3ab6 100644
--- a/test/cli/test/depecated_apis/kyverno-test.yaml
+++ b/test/cli/test/depecated_apis/kyverno-test.yaml
@@ -13,4 +13,4 @@ results:
 rule: validate-v1-25-removal
 resource: hello-fail
 kind: CronJob
- status: fail
\ No newline at end of file
+ status: warn
\ No newline at end of file
diff --git a/test/cli/test/depecated_apis/policy.yaml b/test/cli/test/depecated_apis/policy.yaml
index ec03ceafbe..469ccd7d3d 100644
--- a/test/cli/test/depecated_apis/policy.yaml
+++ b/test/cli/test/depecated_apis/policy.yaml
@@ -3,6 +3,7 @@ kind: ClusterPolicy
 metadata:
 name: check-deprecated-api
 annotations:
+ policies.kyverno.io/scored: "false"
 policies.kyverno.io/title: Check deprecated APIs
 policies.kyverno.io/category: Best Practices
 policies.kyverno.io/subject: Kubernetes APIs
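Review bot: Adding `policies.kyverno.io/scored: "false"` to this fixture repurposes the existing deprecated-API test rather than extending it: kyverno-test.yaml in the same directory now expects `warn` for hello-fail, so this suite no longer exercises the plain fail outcome for check-deprecated-api. Consider leaving this policy scored and covering the warn path with a second, explicitly non-scored policy (as the apply fixture in test/cli/apply/policies/policy.yaml does), so both outcomes stay under test. A short comment beside the annotation would also help the next reader, e.g. `# scored: "false" reports this policy's rule failures as warn instead of fail`.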