
fix[breaking]: disable exceptions by default (#11426)

* fix[breaking]: disable exceptions by default

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: add warning in helm chart for exceptions

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-10-22 09:07:11 +03:00 committed by GitHub
parent 4e3f297da2
commit cbfeb32b1a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 26 additions and 15 deletions


@ -347,8 +347,8 @@ The chart values are organised per component.
| features.logging.format | string | `"text"` | Logging format | | features.logging.format | string | `"text"` | Logging format |
| features.logging.verbosity | int | `2` | Logging verbosity | | features.logging.verbosity | int | `2` | Logging verbosity |
| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
| features.policyExceptions.enabled | bool | `true` | Enables the feature | | features.policyExceptions.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace | | features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces |
| features.protectManagedResources.enabled | bool | `false` | Enables the feature | | features.protectManagedResources.enabled | bool | `false` | Enables the feature |
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry | | features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers | | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |


@ -43,4 +43,8 @@ The following components have been installed in your cluster:
⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. ⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
{{- end }} {{- end }}
{{ if not .Values.features.policyExceptions.enabled }}
⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true.
{{- end }}
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
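Review bot: The new warning inside the `{{ if not .Values.features.policyExceptions.enabled }}` block tells a chart user to set the `--enablePolicyException` CLI flag, but the chart exposes this as the value `features.policyExceptions.enabled`, and enabling alone is not sufficient: the chart default for `features.policyExceptions.namespace` is `''`, and the selector constructor in this commit (NewExceptionSelector hunk) logs an error and returns nil for an empty namespace, so exceptions would still not be processed. Suggest wording the notice in terms the Helm user can act on: `⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set 'features.policyExceptions.enabled' to true and 'features.policyExceptions.namespace' to a namespace (or "*" for all namespaces).` Keeping the message at values level also avoids it going stale if the flag name changes.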


@ -697,8 +697,9 @@ features:
# - PolicyError # - PolicyError
policyExceptions: policyExceptions:
# -- Enables the feature # -- Enables the feature
enabled: true enabled: false
# -- Restrict policy exceptions to a single namespace # -- Restrict policy exceptions to a single namespace
# Set to "*" to allow exceptions in all namespaces
namespace: '' namespace: ''
protectManagedResources: protectManagedResources:
# -- Enables the feature # -- Enables the feature
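Review bot: The helm-docs comment on `namespace` now documents `"*"` but not that the default `''` means no exceptions are processed at all once `enabled` is flipped to true — in this same commit NewExceptionSelector treats an empty namespace as a misconfiguration and returns a nil selector. A user who only sets `enabled: true` therefore gets a silently inert feature, which is fail-closed but surprising. Suggest `# -- Restrict policy exceptions to a single namespace. Must be set when the feature is enabled; set to "*" to allow exceptions in all namespaces.` The period after "namespace" also fixes the run-on sentence visible in the generated README table of this commit.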


@ -65,6 +65,10 @@ func NewExceptionSelector(
if !enablePolicyException { if !enablePolicyException {
return nil, nil return nil, nil
} }
if exceptionNamespace == "" {
logger.Error(errors.New("the flag --exceptionNamespace cannot be empty"), "the flag --exceptionNamespace cannot be empty")
return nil, nil
}
polexCache := exceptioncontroller.NewController( polexCache := exceptioncontroller.NewController(
kyvernoInformer.Kyverno().V1().ClusterPolicies(), kyvernoInformer.Kyverno().V1().ClusterPolicies(),
kyvernoInformer.Kyverno().V1().Policies(), kyvernoInformer.Kyverno().V1().Policies(),
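Review bot: The empty-namespace guard added before `exceptioncontroller.NewController` reports a misconfiguration but then returns `nil, nil`, which is exactly the result for the feature being disabled, so the caller cannot distinguish "disabled" from "misconfigured" and the only trace is a single log line. Since the function already returns an error, failing startup seems the better fit for a flag combination that can never be intended: `return nil, errors.New("the flag --exceptionNamespace cannot be empty when --enablePolicyException is true")`. If the silent-disable is deliberate (exceptions simply not honored, which is the fail-closed direction), the log call should not pass the same string as both the error and the message; something like `logger.Error(nil, "policy exceptions are enabled but --exceptionNamespace is empty; exceptions will not be processed")` says what actually happens. NewExceptionSelector starts before this hunk and continues past it.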


@ -103,8 +103,8 @@ func initKubeconfigFlags(qps float64, burst int, eventsQPS float64, eventsBurst
} }
func initPolicyExceptionsFlags() { func initPolicyExceptionsFlags() {
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.") flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. If it is set to '*', exceptions are allowed in all namespaces.")
flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.") flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
} }
func initConfigMapCachingFlags() { func initConfigMapCachingFlags() {
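Review bot: The `exceptionNamespace` help text now explains `'*'` but still does not say what the empty default means, and with `enablePolicyException` now defaulting to `false` an operator who turns only that flag on ends up with an empty namespace, which NewExceptionSelector in this commit rejects. Suggest `flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. Required when --enablePolicyException is true; set to '*' to accept exceptions from all namespaces.")`. The enclosing initPolicyExceptionsFlags is fully visible in the hunk.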


@ -51118,7 +51118,7 @@ spec:
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true - --enablePolicyException=false
- --protectManagedResources=false - --protectManagedResources=false
- --allowInsecureRegistry=false - --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github - --registryCredentialHelpers=default,google,amazon,azure,github
@ -51274,7 +51274,7 @@ spec:
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true - --enablePolicyException=false
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env: env:
@ -51528,7 +51528,7 @@ spec:
- --loggingFormat=text - --loggingFormat=text
- --v=2 - --v=2
- --omitEvents=PolicyApplied,PolicySkipped - --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true - --enablePolicyException=false
- --allowInsecureRegistry=false - --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github - --registryCredentialHelpers=default,google,amazon,azure,github
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate


@ -134,7 +134,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
} }
func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) { func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
if c.namespace == "" { if c.namespace == "*" {
return c.polexLister.List(labels.Everything()) return c.polexLister.List(labels.Everything())
} }
return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything()) return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())
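Review bot: `listExceptions` now treats only `"*"` as the cluster-wide sentinel, so a controller built with an empty namespace falls through to `PolicyExceptions("")`, which for a namespaced resource presumably matches nothing — a silent reversal of the previous meaning of `""`. That is fail-closed (exceptions are simply not applied), but the method relies on its constructor's caller having validated the flag, and nothing here says so; a comment on the method would make the contract explicit: `// listExceptions returns the exceptions the controller may honour. Only "*" lists across all namespaces; an empty namespace is not a wildcard.` The method's closing brace lies outside the hunk.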


@ -10,6 +10,7 @@ import (
const ( const (
namespacesDontMatch = "PolicyException resource namespace must match the defined namespace." namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
disabledPolex = "PolicyException resources would not be processed until it is enabled." disabledPolex = "PolicyException resources would not be processed until it is enabled."
polexNamespaceFlag = "The exceptionNamespace flag is not set"
) )
type ValidationOptions struct { type ValidationOptions struct {
@ -22,7 +23,9 @@ func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyEx
var warnings []string var warnings []string
if !opts.Enabled { if !opts.Enabled {
warnings = append(warnings, disabledPolex) warnings = append(warnings, disabledPolex)
} else if opts.Namespace != "" && opts.Namespace != polex.Namespace { } else if opts.Namespace == "" {
warnings = append(warnings, polexNamespaceFlag)
} else if opts.Namespace != "*" && opts.Namespace != polex.Namespace {
warnings = append(warnings, namespacesDontMatch) warnings = append(warnings, namespacesDontMatch)
} }
errs := polex.Validate() errs := polex.Validate()
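Review bot: The new `polexNamespaceFlag` constant in the first hunk reads `"The exceptionNamespace flag is not set"`, which differs in style from its two siblings (no trailing period) and, unlike `disabledPolex`, does not tell the admitting user the consequence. Suggest `polexNamespaceFlag = "The exceptionNamespace flag is not set. PolicyException resources would not be processed until it is set."`, matching the wording of `disabledPolex`. Since these are admission warnings, the object is still admitted in all three branches; that is consistent with the existing disabled case, but it is worth stating in a comment above the `if !opts.Enabled` chain. Validate starts before the second hunk and continues past it.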


@ -53,11 +53,11 @@ func Test_Validate(t *testing.T) {
want: 0, want: 0,
}, },
{ {
name: "PolicyExceptions enabled. No namespace defined", name: "PolicyExceptions enabled. All namespaces are enabled",
args: args{ args: args{
opts: ValidationOptions{ opts: ValidationOptions{
Enabled: true, Enabled: true,
Namespace: "", Namespace: "*",
}, },
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
}, },
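Review bot: The only change here renames the existing case to use `Namespace: "*"`; the new `opts.Namespace == ""` branch in Validate, which now emits `polexNamespaceFlag`, has no test. Add a case such as `name: "PolicyExceptions enabled. No namespace flag set"` with `Enabled: true, Namespace: ""`, the same resource, and the expected count adjusted for the extra warning (the `want` field appears to count warnings, judging from the `want: 0` of the preceding case, but confirm against the assertion in the test body, which is outside the hunk). Test_Validate starts before this hunk and continues past it.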


@ -4,6 +4,7 @@ grafana:
features: features:
policyExceptions: policyExceptions:
enabled: true enabled: true
namespace: "*"
admissionController: admissionController:
serviceMonitor: serviceMonitor:


@ -1,3 +0,0 @@
features:
policyExceptions:
enabled: false


@ -1,6 +1,7 @@
features: features:
policyExceptions: policyExceptions:
enabled: true enabled: true
namespace: "*"
omitEvents: omitEvents:
eventTypes: [] eventTypes: []