
[Feature] create command line option to set failurePolicy globally (#4991)

* add forceFailurePolicyIgnore flag

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* cleanup code

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* add logging

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* resolve merge conflicts

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>

* fix codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Anant Vijay <anantvijay3@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
XDRAGON2002 2022-10-21 23:43:36 +05:30 committed by GitHub
parent 4a41ba910b
commit a3c129f469
9 changed files with 41 additions and 17 deletions


@ -3,6 +3,7 @@ package v1
import ( import (
"fmt" "fmt"
"github.com/kyverno/kyverno/pkg/toggle"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/apimachinery/pkg/util/validation/field"
) )
@ -39,6 +40,7 @@ type Spec struct {
// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
// Rules within the same policy share the same failure behavior. // Rules within the same policy share the same failure behavior.
// This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
// Allowed values are Ignore or Fail. Defaults to Fail. // Allowed values are Ignore or Fail. Defaults to Fail.
// +optional // +optional
FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
@ -197,7 +199,9 @@ func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool {
// GetFailurePolicy returns the failure policy to be applied // GetFailurePolicy returns the failure policy to be applied
func (s *Spec) GetFailurePolicy() FailurePolicyType { func (s *Spec) GetFailurePolicy() FailurePolicyType {
if s.FailurePolicy == nil { if toggle.ForceFailurePolicyIgnore.Enabled() {
return Ignore
} else if s.FailurePolicy == nil {
return Fail return Fail
} }
return *s.FailurePolicy return *s.FailurePolicy
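Review bot: The doc comment on GetFailurePolicy still describes it as returning "the failure policy to be applied", but the new first branch makes the toggle win over an explicit `failurePolicy: Fail`, a cluster-wide fail-open override that should be stated where the value is resolved; suggest `// GetFailurePolicy returns the failure policy to be applied. When the forceFailurePolicyIgnore toggle is enabled, Ignore is returned regardless of the FailurePolicy field; otherwise a nil field defaults to Fail.` The Spec field comment in the first hunk of this file gains "should not be accessed directly" but still says "Defaults to Fail" with no mention of the override, so readers of the generated CRD text will not learn that the default can be changed process-wide. Importing `pkg/toggle` into the API types package also ties the type definitions to process-level flag state; it may be worth noting whether other consumers of these types register the flag at all. GetFailurePolicy's closing brace is not visible in the hunk.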


@ -1038,7 +1038,7 @@ spec:
description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
type: boolean type: boolean
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail
@ -8619,7 +8619,7 @@ spec:
description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
type: boolean type: boolean
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail. description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail


@ -127,6 +127,7 @@ func parseFlags() error {
flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.") flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse) flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
flag.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.") flag.BoolVar(&backgroundScan, "backgroundScan", true, "Enable or disable backgound scan.")
flag.Func(toggle.ForceFailurePolicyIgnoreFlagName, toggle.ForceFailurePolicyIgnoreDescription, toggle.ForceFailurePolicyIgnore.Parse)
flag.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.") flag.BoolVar(&admissionReports, "admissionReports", true, "Enable or disable admission reports.")
flag.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.") flag.IntVar(&reportsChunkSize, "reportsChunkSize", 1000, "Max number of results in generated reports, reports will be split accordingly if there are more results to be stored.")
flag.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.") flag.IntVar(&backgroundScanWorkers, "backgroundScanWorkers", backgroundscancontroller.Workers, "Configure the number of background scan workers.")
@ -296,6 +297,10 @@ func showWarnings(logger logr.Logger) {
if splitPolicyReport { if splitPolicyReport {
logger.Info("The splitPolicyReport flag is deprecated and will be removed in v1.9. It has no effect and should be removed.") logger.Info("The splitPolicyReport flag is deprecated and will be removed in v1.9. It has no effect and should be removed.")
} }
// log if `forceFailurePolicyIgnore` flag has been set or not
if toggle.ForceFailurePolicyIgnore.Enabled() {
logger.Info("'ForceFailurePolicyIgnore' is enabled, all policies with policy failures will be set to Ignore")
}
} }
func showVersion(logger logr.Logger) { func showVersion(logger logr.Logger) {
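Review bot: The new log line in showWarnings names the option as 'ForceFailurePolicyIgnore', while the flag registered in parseFlags is toggle.ForceFailurePolicyIgnoreFlagName, which the toggle package defines in lowerCamel form, so an operator searching logs for the flag they actually set will not find this message. The wording "all policies with policy failures will be set to Ignore" also understates the effect: every policy's failurePolicy is overridden, not only those that fail. Suggest `logger.Info("'forceFailurePolicyIgnore' is enabled: the failurePolicy of every policy is overridden to Ignore, so webhook errors and timeouts will not block admission")`. The comment above the check says it logs "if the flag has been set or not", but only the enabled case is logged; `// warn when the global fail-open override is active` matches the code.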


@ -73,8 +73,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail


@ -74,8 +74,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail


@ -1383,8 +1383,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail
@ -13394,8 +13395,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail


@ -1377,8 +1377,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail
@ -13385,8 +13386,9 @@ spec:
failurePolicy: failurePolicy:
description: FailurePolicy defines how unexpected policy errors and description: FailurePolicy defines how unexpected policy errors and
webhook response timeout errors are handled. Rules within the same webhook response timeout errors are handled. Rules within the same
policy share the same failure behavior. Allowed values are Ignore policy share the same failure behavior. This field should not be
or Fail. Defaults to Fail. accessed directly, instead `GetFailurePolicy()` should be used.
Allowed values are Ignore or Fail. Defaults to Fail.
enum: enum:
- Ignore - Ignore
- Fail - Fail


@ -146,6 +146,7 @@ FailurePolicyType
<em>(Optional)</em> <em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior. Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p> Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td> </td>
</tr> </tr>
@ -486,6 +487,7 @@ FailurePolicyType
<em>(Optional)</em> <em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior. Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p> Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td> </td>
</tr> </tr>
@ -3336,6 +3338,7 @@ FailurePolicyType
<em>(Optional)</em> <em>(Optional)</em>
<p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. <p>FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
Rules within the same policy share the same failure behavior. Rules within the same policy share the same failure behavior.
This field should not be accessed directly, instead <code>GetFailurePolicy()</code> should be used.
Allowed values are Ignore or Fail. Defaults to Fail.</p> Allowed values are Ignore or Fail. Defaults to Fail.</p>
</td> </td>
</tr> </tr>


@ -16,11 +16,17 @@ const (
ProtectManagedResourcesDescription = "Set the flag to 'true', to enable managed resources protection." ProtectManagedResourcesDescription = "Set the flag to 'true', to enable managed resources protection."
protectManagedResourcesEnvVar = "FLAG_PROTECT_MANAGED_RESOURCES" protectManagedResourcesEnvVar = "FLAG_PROTECT_MANAGED_RESOURCES"
defaultProtectManagedResources = false defaultProtectManagedResources = false
// force failure policy ignore
ForceFailurePolicyIgnoreFlagName = "forceFailurePolicyIgnore"
ForceFailurePolicyIgnoreDescription = "Set the flag to 'true', to force set Failure Policy to 'ignore'."
forceFailurePolicyIgnoreEnvVar = "FLAG_FORCE_FAILURE_POLICY_IGNORE"
defaultForceFailurePolicyIgnore = false
) )
var ( var (
AutogenInternals = newToggle(defaultAutogenInternals, autogenInternalsEnvVar) AutogenInternals = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar) ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
ForceFailurePolicyIgnore = newToggle(defaultForceFailurePolicyIgnore, forceFailurePolicyIgnoreEnvVar)
) )
type Toggle interface { type Toggle interface {
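Review bot: ForceFailurePolicyIgnoreDescription spells the value as 'ignore' while the CRD enum and the GetFailurePolicy return value use `Ignore`, and "force set Failure Policy" does not tell an operator reading `--help` what the override actually does. Because this flag disables the Fail behaviour for every policy in the process, the help text is the one place a reader sees the consequence before enabling it; suggest `ForceFailurePolicyIgnoreDescription = "Set the flag to 'true' to override the failurePolicy of every policy to 'Ignore', so webhook errors and timeouts no longer block admission."`. The `// force failure policy ignore` comment only restates the constant names; `// global override that forces failurePolicy=Ignore for all policies (fail-open)` would carry the same warning in the source.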