fix[breaking]: disable exceptions by default (#11426)
* fix[breaking]: disable exceptions by default Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: add warning in helm chart for exceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
4e3f297da2
commit
cbfeb32b1a
13 changed files with 26 additions and 15 deletions
|
@ -347,8 +347,8 @@ The chart values are organised per component.
|
||||||
| features.logging.format | string | `"text"` | Logging format |
|
| features.logging.format | string | `"text"` | Logging format |
|
||||||
| features.logging.verbosity | int | `2` | Logging verbosity |
|
| features.logging.verbosity | int | `2` | Logging verbosity |
|
||||||
| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
|
| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
|
||||||
| features.policyExceptions.enabled | bool | `true` | Enables the feature |
|
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
|
||||||
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
|
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces |
|
||||||
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
|
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
|
||||||
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
|
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
|
||||||
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
|
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
|
||||||
|
|
|
@ -43,4 +43,8 @@ The following components have been installed in your cluster:
|
||||||
⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
|
⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|
||||||
|
{{ if not .Values.features.policyExceptions.enabled }}
|
||||||
|
⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true.
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
|
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
|
||||||
|
|
|
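Review bot: The new warning tells chart users to "set '--enablePolicyException' to true", but that is the controller's CLI flag; the knob a Helm user actually sets is `features.policyExceptions.enabled` (the rendered manifests in this commit turn it into `--enablePolicyException=false`), so the instruction points at something the chart does not expose directly. It also leaves out the second requirement this commit adds: NewExceptionSelector logs an error and returns nil when `--exceptionNamespace` is empty, so enabling the feature while leaving `features.policyExceptions.namespace` at its default `''` still processes no exceptions. Suggested text: `⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set 'features.policyExceptions.enabled' to true and 'features.policyExceptions.namespace' to the namespace that may hold exceptions (or "*" to accept them from all namespaces).`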
@ -697,8 +697,9 @@ features:
|
||||||
# - PolicyError
|
# - PolicyError
|
||||||
policyExceptions:
|
policyExceptions:
|
||||||
# -- Enables the feature
|
# -- Enables the feature
|
||||||
enabled: true
|
enabled: false
|
||||||
# -- Restrict policy exceptions to a single namespace
|
# -- Restrict policy exceptions to a single namespace
|
||||||
|
# Set to "*" to allow exceptions in all namespaces
|
||||||
namespace: ''
|
namespace: ''
|
||||||
protectManagedResources:
|
protectManagedResources:
|
||||||
# -- Enables the feature
|
# -- Enables the feature
|
||||||
|
|
|
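Review bot: The `namespace` comment still only says "Restrict policy exceptions to a single namespace", but after this commit the empty default is no longer a working value once the feature is on: NewExceptionSelector logs an error and returns nil for an empty `--exceptionNamespace`, so `enabled: true` with `namespace: ''` comes up with exceptions silently unprocessed. The wildcard also deserves its caveat here, since with `"*"` the controller lists exceptions from every namespace, meaning a PolicyException created anywhere is enough to exempt resources from policies; a single namespace whose write access is restricted is the safer setting. The two comment lines additionally render in the chart README as the run-on "single namespace Set to ...". Suggested: `# -- Namespace that may hold PolicyExceptions. Required when the feature is enabled. Set to "*" to accept exceptions from all namespaces (then anyone who can create a PolicyException in any namespace can exempt resources from policies; prefer a single, access-restricted namespace).`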
@ -65,6 +65,10 @@ func NewExceptionSelector(
|
||||||
if !enablePolicyException {
|
if !enablePolicyException {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
if exceptionNamespace == "" {
|
||||||
|
logger.Error(errors.New("the flag --exceptionNamespace cannot be empty"), "the flag --exceptionNamespace cannot be empty")
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
polexCache := exceptioncontroller.NewController(
|
polexCache := exceptioncontroller.NewController(
|
||||||
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
|
||||||
kyvernoInformer.Kyverno().V1().Policies(),
|
kyvernoInformer.Kyverno().V1().Policies(),
|
||||||
|
|
|
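Review bot: The new empty-namespace check logs and then returns `nil, nil`, which is exactly what the disabled path returns, so an operator who sets `--enablePolicyException=true` but forgets `--exceptionNamespace` gets a controller that comes up healthy with exceptions silently off, the only trace being one log line whose error and message repeat the same text. This fails closed (policies enforce without their exemptions), which is the right direction, but a misconfiguration of an explicitly enabled feature is better surfaced as a startup error than hidden behind a successful return. If the second result is an `error`, as the `nil, nil` return suggests, `return nil, fmt.Errorf("--exceptionNamespace must be set when --enablePolicyException is true")` would do that; whether callers exit on a non-nil error is not visible here. NewExceptionSelector starts and ends outside the hunk.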
@ -103,8 +103,8 @@ func initKubeconfigFlags(qps float64, burst int, eventsQPS float64, eventsBurst
|
||||||
}
|
}
|
||||||
|
|
||||||
func initPolicyExceptionsFlags() {
|
func initPolicyExceptionsFlags() {
|
||||||
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
|
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. If it is set to '*', exceptions are allowed in all namespaces.")
|
||||||
flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.")
|
flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
|
||||||
}
|
}
|
||||||
|
|
||||||
func initConfigMapCachingFlags() {
|
func initConfigMapCachingFlags() {
|
||||||
|
|
|
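Review bot: The `--exceptionNamespace` help text does not say the flag is now mandatory whenever `--enablePolicyException` is true, even though NewExceptionSelector in this same commit rejects an empty value in that case, and `--help` is where an operator who hits the resulting "cannot be empty" log will look first. Suggested: `flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Namespace to accept PolicyExceptions from. Required when --enablePolicyException is true; set to '*' to accept exceptions from all namespaces.")`. initPolicyExceptionsFlags is fully visible in the hunk.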
@ -51118,7 +51118,7 @@ spec:
|
||||||
- --loggingFormat=text
|
- --loggingFormat=text
|
||||||
- --v=2
|
- --v=2
|
||||||
- --omitEvents=PolicyApplied,PolicySkipped
|
- --omitEvents=PolicyApplied,PolicySkipped
|
||||||
- --enablePolicyException=true
|
- --enablePolicyException=false
|
||||||
- --protectManagedResources=false
|
- --protectManagedResources=false
|
||||||
- --allowInsecureRegistry=false
|
- --allowInsecureRegistry=false
|
||||||
- --registryCredentialHelpers=default,google,amazon,azure,github
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||||
|
@ -51274,7 +51274,7 @@ spec:
|
||||||
- --loggingFormat=text
|
- --loggingFormat=text
|
||||||
- --v=2
|
- --v=2
|
||||||
- --omitEvents=PolicyApplied,PolicySkipped
|
- --omitEvents=PolicyApplied,PolicySkipped
|
||||||
- --enablePolicyException=true
|
- --enablePolicyException=false
|
||||||
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
|
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
|
||||||
|
|
||||||
env:
|
env:
|
||||||
|
@ -51528,7 +51528,7 @@ spec:
|
||||||
- --loggingFormat=text
|
- --loggingFormat=text
|
||||||
- --v=2
|
- --v=2
|
||||||
- --omitEvents=PolicyApplied,PolicySkipped
|
- --omitEvents=PolicyApplied,PolicySkipped
|
||||||
- --enablePolicyException=true
|
- --enablePolicyException=false
|
||||||
- --allowInsecureRegistry=false
|
- --allowInsecureRegistry=false
|
||||||
- --registryCredentialHelpers=default,google,amazon,azure,github
|
- --registryCredentialHelpers=default,google,amazon,azure,github
|
||||||
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
|
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
|
||||||
|
|
|
@ -134,7 +134,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
|
func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
|
||||||
if c.namespace == "" {
|
if c.namespace == "*" {
|
||||||
return c.polexLister.List(labels.Everything())
|
return c.polexLister.List(labels.Everything())
|
||||||
}
|
}
|
||||||
return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())
|
return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())
|
||||||
|
|
|
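Review bot: With the wildcard now spelled `"*"`, an empty `c.namespace` falls through to `c.polexLister.PolicyExceptions("").List(...)`, which for a namespaced lister presumably yields nothing rather than everything as the old `""` branch did; NewExceptionSelector guards the empty value before constructing this controller, but nothing in the controller itself does, so any other construction path would get a controller that silently matches no exceptions. A comment on the branch, `// "*" lists every namespace; "" is rejected upstream in NewExceptionSelector and must not reach here`, or a check in the constructor (outside the hunk), would make that contract explicit. listExceptions is fully visible in the hunk.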
@ -10,6 +10,7 @@ import (
|
||||||
const (
|
const (
|
||||||
namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
|
namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
|
||||||
disabledPolex = "PolicyException resources would not be processed until it is enabled."
|
disabledPolex = "PolicyException resources would not be processed until it is enabled."
|
||||||
|
polexNamespaceFlag = "The exceptionNamespace flag is not set"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ValidationOptions struct {
|
type ValidationOptions struct {
|
||||||
|
@ -22,7 +23,9 @@ func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyEx
|
||||||
var warnings []string
|
var warnings []string
|
||||||
if !opts.Enabled {
|
if !opts.Enabled {
|
||||||
warnings = append(warnings, disabledPolex)
|
warnings = append(warnings, disabledPolex)
|
||||||
} else if opts.Namespace != "" && opts.Namespace != polex.Namespace {
|
} else if opts.Namespace == "" {
|
||||||
|
warnings = append(warnings, polexNamespaceFlag)
|
||||||
|
} else if opts.Namespace != "*" && opts.Namespace != polex.Namespace {
|
||||||
warnings = append(warnings, namespacesDontMatch)
|
warnings = append(warnings, namespacesDontMatch)
|
||||||
}
|
}
|
||||||
errs := polex.Validate()
|
errs := polex.Validate()
|
||||||
|
|
|
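Review bot: The new `polexNamespaceFlag` warning, "The exceptionNamespace flag is not set", tells the user what is wrong but not what it means for the object they just created: the PolicyException is still admitted (these are warnings, not errors) and, per the controller change in this commit, will not be applied. The sibling `disabledPolex` message spells out that consequence, so this one should too, e.g. `polexNamespaceFlag = "The exceptionNamespace flag is not set; PolicyException resources will not be processed until it is."`. Validate continues outside the hunk.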
@ -53,11 +53,11 @@ func Test_Validate(t *testing.T) {
|
||||||
want: 0,
|
want: 0,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "PolicyExceptions enabled. No namespace defined",
|
name: "PolicyExceptions enabled. All namespaces are enabled",
|
||||||
args: args{
|
args: args{
|
||||||
opts: ValidationOptions{
|
opts: ValidationOptions{
|
||||||
Enabled: true,
|
Enabled: true,
|
||||||
Namespace: "",
|
Namespace: "*",
|
||||||
},
|
},
|
||||||
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
|
||||||
},
|
},
|
||||||
|
|
|
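Review bot: Changing this case's `Namespace` from `""` to `"*"` moves the existing coverage to the wildcard branch, but the new `opts.Namespace == ""` branch in Validate, which appends `polexNamespaceFlag`, is left without a case in this hunk. Unless another table entry outside the hunk covers it, add one with `Enabled: true`, `Namespace: ""` and the same resource, with `want` set to whatever value the table uses for a single warning. Test_Validate continues outside the hunk.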
@ -4,6 +4,7 @@ grafana:
|
||||||
features:
|
features:
|
||||||
policyExceptions:
|
policyExceptions:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
namespace: "*"
|
||||||
|
|
||||||
admissionController:
|
admissionController:
|
||||||
serviceMonitor:
|
serviceMonitor:
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
features:
|
|
||||||
policyExceptions:
|
|
||||||
enabled: false
|
|
|
@ -1,6 +1,7 @@
|
||||||
features:
|
features:
|
||||||
policyExceptions:
|
policyExceptions:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
namespace: "*"
|
||||||
omitEvents:
|
omitEvents:
|
||||||
eventTypes: []
|
eventTypes: []
|
||||||
|
|
||||||