support failurePolicy in kyverno-policies helm chart (#4323)

* support failurePolicy in kyverno-policies helm chart Signed-off-by: Tom Stewart <thomas.stewart@arcadia.com>
2025-03-28 18:38:40 +00:00 · 2022-08-09 17:12:27 -04:00 · 2022-08-09 17:12:27 -04:00 · ca3d346fcc
commit ca3d346fcc
parent c95bb74992
21 changed files with 33 additions and 8 deletions
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@ -29,3 +29,5 @@ annotations:
      description: Fix Kyverno version check when image tag contains registry port number
    - kind: fixed
      description: Ensure preconditions are present with default values
+    - kind: added
+      description: Support for failurePolicy setting in kyverno-policies helm chart
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@ -68,6 +68,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
 | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
 | validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
+| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@ -23,6 +23,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: adding-capabilities
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@ -24,6 +24,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: host-namespaces
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@ -23,6 +23,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: host-path
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@ -16,13 +16,14 @@ metadata:
    policies.kyverno.io/description: >-
      Access to host ports allows potential snooping of network traffic and should not be
      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
-      field is unset or set to `0`. 
+      field is unset or set to `0`.
 spec:
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: host-ports-none
      match:
@ -54,4 +55,4 @@ spec:
            containers:
              - =(ports):
                  - =(hostPort): 0
-{{- end }}
+{{- end }}
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@ -24,6 +24,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: host-process-containers
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@ -22,6 +22,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: privileged-containers
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@ -24,6 +24,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: check-proc-mount
      match:
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@ -22,6 +22,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: selinux-type
      match:
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@ -25,6 +25,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: app-armor
      match:
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@ -14,8 +14,8 @@ metadata:
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
-      The seccomp profile must not be explicitly set to Unconfined. This policy, 
-      requiring Kubernetes v1.19 or later, ensures that seccomp is unset or 
+      The seccomp profile must not be explicitly set to Unconfined. This policy,
+      requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
      set to `RuntimeDefault` or `Localhost`.
 spec:
  background: {{ .Values.background }}
@ -23,6 +23,7 @@ spec:
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: check-seccomp
      match:
@ -50,7 +51,7 @@ spec:
          spec:
            =(securityContext):
              =(seccompProfile):
-                =(type): "RuntimeDefault | Localhost"      
+                =(type): "RuntimeDefault | Localhost"
            =(ephemeralContainers):
            - =(securityContext):
                =(seccompProfile):
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@ -26,6 +26,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: check-sysctls
      match:
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@ -24,6 +24,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: check-runasgroup
      match:
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@ -24,6 +24,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: require-drop-all
      match:
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@ -22,6 +22,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: privilege-escalation
      match:
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@ -22,6 +22,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: run-as-non-root-user
      match:
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@ -23,6 +23,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: run-as-non-root
      match:
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@ -15,16 +15,17 @@ metadata:
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      The seccomp profile in the Restricted group must not be explicitly set to Unconfined
-      but additionally must also not allow an unset value. This policy, 
-      requiring Kubernetes v1.19 or later, ensures that seccomp is 
+      but additionally must also not allow an unset value. This policy,
+      requiring Kubernetes v1.19 or later, ensures that seccomp is
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
-  background: {{ .Values.background }}
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
+  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: check-seccomp-strict
      match:
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@ -25,6 +25,7 @@ spec:
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
+  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: restricted-volumes
      match:
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@ -16,6 +16,10 @@ includeOtherPolicies: []
 # For more info https://kyverno.io/docs/writing-policies/validate.
 validationFailureAction: audit

+# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
+# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
+failurePolicy: Fail
+
 # -- Define validationFailureActionOverrides for specific policies.
 # The overrides for `all` will apply to all policies.
 validationFailureActionOverrides: