[Feature] create command line option to set failurePolicy globally (#4991)

* add forceFailurePolicyIgnore flag

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* cleanup code

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* add logging

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* resolve merge conflicts

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* fix codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

api/kyverno/v1/spec_types.go

@@ -3,6 +3,7 @@ package v1
 import (
 	"fmt"
 
+	"github.com/kyverno/kyverno/pkg/toggle"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -39,6 +40,7 @@ type Spec struct {
 
 	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
 	// Rules within the same policy share the same failure behavior.
+	// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
 	// Allowed values are Ignore or Fail. Defaults to Fail.
 	// +optional
 	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
@@ -197,7 +199,9 @@ func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool {
 
 // GetFailurePolicy returns the failure policy to be applied
 func (s *Spec) GetFailurePolicy() FailurePolicyType {
-	if s.FailurePolicy == nil {
+	if toggle.ForceFailurePolicyIgnore.Enabled() {
+		return Ignore
+	} else if s.FailurePolicy == nil {
 		return Fail
 	}
 	return *s.FailurePolicy

charts/kyverno/templates/crds.yaml

@@ -1038,7 +1038,7 @@ spec:
                 description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
+                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -8619,7 +8619,7 @@ spec:
                 description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
+                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail

cmd/kyverno/main.go

@@ -127,6 +127,7 @@ func parseFlags() error {
 	flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
 	flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
 	flag.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
+	flag.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
 	flag.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
 	flag.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
 	flag.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
@@ -296,6 +297,10 @@ func showWarnings(logger logr.Logger) {
 	if splitPolicyReport {
 		logger.Info("The splitPolicyReport flag is deprecated and will be removed in v1.9. It has no effect and should be removed.")
 	}
+	// log if `forceFailurePolicyIgnore` flag has been set or not
+	if toggle.ForceFailurePolicyIgnore.Enabled() {
+		logger.Info("'ForceFailurePolicyIgnore' is enabled, all policies with policy failures will be set to Ignore")
+	}
 }
 
 func showVersion(logger logr.Logger) {

config/crds/kyverno.io_clusterpolicies.yaml

@@ -73,8 +73,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail

config/crds/kyverno.io_policies.yaml

@@ -74,8 +74,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail

config/install.yaml

@@ -1383,8 +1383,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -13394,8 +13395,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail

config/install_debug.yaml

@@ -1377,8 +1377,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -13385,8 +13386,9 @@ spec:
               failurePolicy:
                 description: FailurePolicy defines how unexpected policy errors and
                   webhook response timeout errors are handled. Rules within the same
-                  policy share the same failure behavior. Allowed values are Ignore
-                  or Fail. Defaults to Fail.
+                  policy share the same failure behavior. This field should not be
+                  accessed directly, instead `GetFailurePolicy()` should be used.
+                  Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail

docs/user/crd/index.html

@@ -146,6 +146,7 @@ FailurePolicyType
 <em>(Optional)</em>
 <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
 Rules within the same policy share the same failure behavior.
+This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
 Allowed values are Ignore or Fail. Defaults to Fail.</p>
 </td>
 </tr>
@@ -486,6 +487,7 @@ FailurePolicyType
 <em>(Optional)</em>
 <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
 Rules within the same policy share the same failure behavior.
+This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
 Allowed values are Ignore or Fail. Defaults to Fail.</p>
 </td>
 </tr>
@@ -3336,6 +3338,7 @@ FailurePolicyType
 <em>(Optional)</em>
 <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
 Rules within the same policy share the same failure behavior.
+This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
 Allowed values are Ignore or Fail. Defaults to Fail.</p>
 </td>
 </tr>

pkg/toggle/toggle.go

@@ -16,11 +16,17 @@ const (
 	ProtectManagedResourcesDescription = "Set the flag to 'true', to enable managed resources protection."
 	protectManagedResourcesEnvVar      = "FLAG_PROTECT_MANAGED_RESOURCES"
 	defaultProtectManagedResources     = false
+	// force failure policy ignore
+	ForceFailurePolicyIgnoreFlagName    = "forceFailurePolicyIgnore"
+	ForceFailurePolicyIgnoreDescription = "Set the flag to 'true', to force set Failure Policy to 'ignore'."
+	forceFailurePolicyIgnoreEnvVar      = "FLAG_FORCE_FAILURE_POLICY_IGNORE"
+	defaultForceFailurePolicyIgnore     = false
 )
 
 var (
-	AutogenInternals        = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
-	ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
+	AutogenInternals         = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
+	ProtectManagedResources  = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
+	ForceFailurePolicyIgnore = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar)
 )
 
 type Toggle interface {