diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index ffb86afe63..981c231b53 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -132,6 +132,15 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
 return *s.Background
 }
+// GetValidationFailureAction returns the validation failure action to be applied
+func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
+ if s.ValidationFailureAction == "" {
+ return Audit
+ }
+
+ return s.ValidationFailureAction
+}
+
 // ValidateRuleNames checks if the rule names are unique across a policy
 func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) {
 names := sets.NewString()
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index a6588014c1..6c58f9cae3 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -72,7 +72,7 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime
 resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
 resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
 resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
- resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().ValidationFailureAction
+ resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().GetValidationFailureAction()
 for _, v := range ctx.Policy.GetSpec().ValidationFailureActionOverrides {
 resp.PolicyResponse.ValidationFailureActionOverrides = append(resp.PolicyResponse.ValidationFailureActionOverrides, response.ValidationFailureActionOverride{Action: v.Action, Namespaces: v.Namespaces})
diff --git a/pkg/metrics/policychanges/policyChanges.go b/pkg/metrics/policychanges/policyChanges.go
index 8bc3516499..e278e4337b 100644
--- a/pkg/metrics/policychanges/policyChanges.go
+++ b/pkg/metrics/policychanges/policyChanges.go
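Review bot: The doc comment on `GetValidationFailureAction` in api/kyverno/v1/spec_types.go does not say that an empty field is reported as `Audit`, which is the behaviour every caller changed in this commit now relies on. I would write it as `// GetValidationFailureAction returns the configured validation failure action, or Audit when the field is empty.` Any other non-empty value is returned verbatim, so a value that is not one of the known actions reaches the exact `== kyverno.Enforce` comparison in pkg/policycache/policy_map.go and is classified as non-enforcing there. If the API schema does not already restrict the field to the known actions, that fall-through should be stated next to the getter as well.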
@@ -42,7 +42,7 @@ func (pc PromConfig) registerPolicyChangesMetric(
 func (pc PromConfig) RegisterPolicy(policy interface{}, policyChangeType PolicyChangeType) error {
 switch inputPolicy := policy.(type) {
 case *kyverno.ClusterPolicy:
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
@@ -55,7 +55,7 @@ func (pc PromConfig) RegisterPolicy(policy interface{}, policyChangeType PolicyC
 }
 return nil
 case *kyverno.Policy:
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
diff --git a/pkg/metrics/policyexecutionduration/policyExecutionDuration.go b/pkg/metrics/policyexecutionduration/policyExecutionDuration.go
index ef6b612207..739a970386 100644
--- a/pkg/metrics/policyexecutionduration/policyExecutionDuration.go
+++ b/pkg/metrics/policyexecutionduration/policyExecutionDuration.go
@@ -61,7 +61,7 @@ func (pc PromConfig) registerPolicyExecutionDurationMetric(
 //engineResponse - resource and rule related data
 func (pc PromConfig) ProcessEngineResponse(policy kyverno.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, generateRuleLatencyType string, resourceRequestOperation metrics.ResourceRequestOperation) error {
- policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
 if err != nil {
 return err
 }
diff --git a/pkg/metrics/policyresults/policyResults.go b/pkg/metrics/policyresults/policyResults.go
index 71b07e4bf9..d5796d1993 100644
--- a/pkg/metrics/policyresults/policyResults.go
+++ b/pkg/metrics/policyresults/policyResults.go
@@ -54,7 +54,7 @@ func (pc PromConfig) registerPolicyResultsMetric(
 //policy - policy related data
 //engineResponse - resource and rule related data
 func (pc PromConfig) ProcessEngineResponse(policy kyverno.PolicyInterface, engineResponse response.EngineResponse, executionCause metrics.RuleExecutionCause, resourceRequestOperation metrics.ResourceRequestOperation) error {
- policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
 if err != nil {
 return err
 }
diff --git a/pkg/metrics/policyruleinfo/policyRuleInfo.go b/pkg/metrics/policyruleinfo/policyRuleInfo.go
index c2bb885c2e..2fe70d20ca 100644
--- a/pkg/metrics/policyruleinfo/policyRuleInfo.go
+++ b/pkg/metrics/policyruleinfo/policyRuleInfo.go
@@ -65,7 +65,7 @@ func (pc PromConfig) registerPolicyRuleInfoMetric(
 func (pc PromConfig) AddPolicy(policy interface{}) error {
 switch inputPolicy := policy.(type) {
 case *kyverno.ClusterPolicy:
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
@@ -85,7 +85,7 @@ func (pc PromConfig) AddPolicy(policy interface{}) error {
 }
 return nil
 case *kyverno.Policy:
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
@@ -113,7 +113,7 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error {
 switch inputPolicy := policy.(type) {
 case *kyverno.ClusterPolicy:
 for _, rule := range autogen.ComputeRules(inputPolicy) {
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
@@ -132,7 +132,7 @@ func (pc PromConfig) RemovePolicy(policy interface{}) error {
 return nil
 case *kyverno.Policy:
 for _, rule := range autogen.ComputeRules(inputPolicy) {
- policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.ValidationFailureAction)
+ policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())
 if err != nil {
 return err
 }
diff --git a/pkg/policy/metrics.go b/pkg/policy/metrics.go
index ec8939b4e3..3730b76736 100644
--- a/pkg/policy/metrics.go
+++ b/pkg/policy/metrics.go
@@ -54,7 +54,7 @@ func (pc *PolicyController) registerPolicyChangesMetricUpdatePolicy(logger logr.
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
 }
 // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
- if curSpec.Background != oldSpec.Background || curSpec.ValidationFailureAction != oldSpec.ValidationFailureAction {
+ if curSpec.Background != oldSpec.Background || curSpec.GetValidationFailureAction() != oldSpec.GetValidationFailureAction() {
 err = policyChangesMetric.ParsePromConfig(*pc.promConfig).RegisterPolicy(curP, policyChangesMetric.PolicyUpdated)
 if err != nil {
 logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())
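Review bot: In `RemovePolicy` (pkg/metrics/policyruleinfo/policyRuleInfo.go) the validation mode is parsed on every iteration of `for _, rule := range autogen.ComputeRules(inputPolicy)` although its input is the policy spec, not the rule; this applies to the `*kyverno.ClusterPolicy` arm (hunk -113) and the `*kyverno.Policy` arm (hunk -132). Moving `policyValidationMode, err := metrics.ParsePolicyValidationMode(inputPolicy.Spec.GetValidationFailureAction())` and its `if err != nil { return err }` above the loop parses once per policy. Note that hoisting also surfaces a parse error when `ComputeRules` returns no rules, which the current placement would skip. The loop bodies continue outside both hunks, so check that nothing further down depends on the per-iteration declaration.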
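Review bot: `curSpec.Background != oldSpec.Background` in the rewritten condition in pkg/policy/metrics.go still compares the raw field, while the other half of the condition now goes through a getter. The spec_types.go hunk of this commit shows `return *s.Background`, so the field is a pointer and `!=` compares addresses, not the boolean values. If curSpec and oldSpec come from separately decoded objects, the condition would hold even when neither setting changed, and kyverno_policy_changes_total would record an update that did not touch these fields. Comparing `curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled()` makes both halves value comparisons. The enclosing function starts and ends outside the hunk, so the types of curSpec and oldSpec are inferred from their use here.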
diff --git a/pkg/policycache/policy_map.go b/pkg/policycache/policy_map.go
index 910c9b92bc..e18390d8d0 100644
--- a/pkg/policycache/policy_map.go
+++ b/pkg/policycache/policy_map.go
@@ -29,7 +29,7 @@ func (m *pMap) add(policy kyverno.PolicyInterface) {
 defer m.lock.Unlock()
 spec := policy.GetSpec()
- enforcePolicy := spec.ValidationFailureAction == kyverno.Enforce
+ enforcePolicy := spec.GetValidationFailureAction() == kyverno.Enforce
 for _, k := range spec.ValidationFailureActionOverrides {
 if k.Action == kyverno.Enforce {
 enforcePolicy = true