fix[breaking]: disable exceptions by default (#11426)

* fix[breaking]: disable exceptions by default

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: add warning in helm chart for exceptions

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

charts/kyverno/README.md

@@ -347,8 +347,8 @@ The chart values are organised per component.
 | features.logging.format | string | `"text"` | Logging format |
 | features.logging.verbosity | int | `2` | Logging verbosity |
 | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
-| features.policyExceptions.enabled | bool | `true` | Enables the feature |
+| features.policyExceptions.enabled | bool | `false` | Enables the feature |
-| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
+| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces |
 | features.protectManagedResources.enabled | bool | `false` | Enables the feature |
 | features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
 | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |

charts/kyverno/templates/NOTES.txt

@@ -43,4 +43,8 @@ The following components have been installed in your cluster:
 ⚠️  WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
 {{- end }}
 
+{{ if not .Values.features.policyExceptions.enabled }}
+⚠️  WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true.
+{{- end }}
+
 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.

charts/kyverno/values.yaml

@@ -697,8 +697,9 @@ features:
       # - PolicyError
   policyExceptions:
     # -- Enables the feature
-    enabled: true
+    enabled: false
     # -- Restrict policy exceptions to a single namespace
+    # Set to "*" to allow exceptions in all namespaces
     namespace: ''
   protectManagedResources:
     # -- Enables the feature

cmd/internal/engine.go

@@ -65,6 +65,10 @@ func NewExceptionSelector(
 	if !enablePolicyException {
 		return nil, nil
 	}
+	if exceptionNamespace == "" {
+		logger.Error(errors.New("the flag --exceptionNamespace cannot be empty"), "the flag --exceptionNamespace cannot be empty")
+		return nil, nil
+	}
 	polexCache := exceptioncontroller.NewController(
 		kyvernoInformer.Kyverno().V1().ClusterPolicies(),
 		kyvernoInformer.Kyverno().V1().Policies(),

cmd/internal/flag.go

@@ -103,8 +103,8 @@ func initKubeconfigFlags(qps float64, burst int, eventsQPS float64, eventsBurst
 }
 
 func initPolicyExceptionsFlags() {
-	flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
+	flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. If it is set to '*', exceptions are allowed in all namespaces.")
-	flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.")
+	flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
 }
 
 func initConfigMapCachingFlags() {

config/install-latest-testing.yaml

@@ -51118,7 +51118,7 @@ spec:
             - --loggingFormat=text
             - --v=2
             - --omitEvents=PolicyApplied,PolicySkipped
-            - --enablePolicyException=true
+            - --enablePolicyException=false
             - --protectManagedResources=false
             - --allowInsecureRegistry=false
             - --registryCredentialHelpers=default,google,amazon,azure,github
@@ -51274,7 +51274,7 @@ spec:
             - --loggingFormat=text
             - --v=2
             - --omitEvents=PolicyApplied,PolicySkipped
-            - --enablePolicyException=true
+            - --enablePolicyException=false
             - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
             
           env:
@@ -51528,7 +51528,7 @@ spec:
             - --loggingFormat=text
             - --v=2
             - --omitEvents=PolicyApplied,PolicySkipped
-            - --enablePolicyException=true
+            - --enablePolicyException=false
             - --allowInsecureRegistry=false
             - --registryCredentialHelpers=default,google,amazon,azure,github
             - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate

pkg/controllers/exceptions/controller.go

@@ -134,7 +134,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
 }
 
 func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
-	if c.namespace == "" {
+	if c.namespace == "*" {
 		return c.polexLister.List(labels.Everything())
 	}
 	return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())

pkg/validation/exception/validate.go

@@ -10,6 +10,7 @@ import (
 const (
 	namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
 	disabledPolex       = "PolicyException resources would not be processed until it is enabled."
+	polexNamespaceFlag  = "The exceptionNamespace flag is not set"
 )
 
 type ValidationOptions struct {
@@ -22,7 +23,9 @@ func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyEx
 	var warnings []string
 	if !opts.Enabled {
 		warnings = append(warnings, disabledPolex)
-	} else if opts.Namespace != "" && opts.Namespace != polex.Namespace {
+	} else if opts.Namespace == "" {
+		warnings = append(warnings, polexNamespaceFlag)
+	} else if opts.Namespace != "*" && opts.Namespace != polex.Namespace {
 		warnings = append(warnings, namespacesDontMatch)
 	}
 	errs := polex.Validate()

pkg/validation/exception/validate_test.go

@@ -53,11 +53,11 @@ func Test_Validate(t *testing.T) {
 			want: 0,
 		},
 		{
-			name: "PolicyExceptions enabled. No namespace defined",
+			name: "PolicyExceptions enabled. All namespaces are enabled",
 			args: args{
 				opts: ValidationOptions{
 					Enabled:   true,
-					Namespace: "",
+					Namespace: "*",
 				},
 				resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
 			},

scripts/config/dev/kyverno.yaml

@@ -4,6 +4,7 @@ grafana:
 features:
   policyExceptions:
     enabled: true
+    namespace: "*"
 
 admissionController:
   serviceMonitor:

scripts/config/exceptions-disabled/kyverno.yaml

@@ -1,3 +0,0 @@
-features:
-  policyExceptions:
-    enabled: false

scripts/config/standard/kyverno.yaml

@@ -1,6 +1,7 @@
 features:
   policyExceptions:
     enabled: true
+    namespace: "*"
   omitEvents:
     eventTypes: []