
fix[breaking]: disable exceptions by default (#11426)

* fix[breaking]: disable exceptions by default

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix chainsaw tests

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* fix: add warning in helm chart for exceptions

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-10-22 09:07:11 +03:00 committed by GitHub
parent 4e3f297da2
commit cbfeb32b1a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 26 additions and 15 deletions


@ -347,8 +347,8 @@ The chart values are organised per component.
| features.logging.format | string | `"text"` | Logging format |
| features.logging.verbosity | int | `2` | Logging verbosity |
| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
| features.policyExceptions.enabled | bool | `true` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
| features.policyExceptions.enabled | bool | `false` | Enables the feature |
| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces |
| features.protectManagedResources.enabled | bool | `false` | Enables the feature |
| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |


@ -43,4 +43,8 @@ The following components have been installed in your cluster:
⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
{{- end }}
{{ if not .Values.features.policyExceptions.enabled }}
⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true.
{{- end }}
💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
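Review bot: The new warning on the third line of the hunk tells Helm users to set the `--enablePolicyException` flag, but in this chart the switch is the value `features.policyExceptions.enabled` (the flag in the rendered manifests appears to be derived from it), so a reader following the message literally has nowhere to put it. It also omits that, per this commit's `NewExceptionSelector`, enabling the feature while leaving `features.policyExceptions.namespace` empty means no exceptions are loaded at all. Suggested text: `⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set 'features.policyExceptions.enabled' to true and 'features.policyExceptions.namespace' to the namespace allowed to hold PolicyExceptions ('*' for all namespaces).`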


@ -697,8 +697,9 @@ features:
# - PolicyError
policyExceptions:
# -- Enables the feature
enabled: true
enabled: false
# -- Restrict policy exceptions to a single namespace
# Set to "*" to allow exceptions in all namespaces
namespace: ''
protectManagedResources:
# -- Enables the feature
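Review bot: The comment on `namespace` still reads as if the empty default were a permissive choice, while with this commit an empty value makes `NewExceptionSelector` log an error and skip loading exceptions entirely, so `enabled: true` on its own does nothing. State that at the field: `# -- Restrict policy exceptions to a single namespace. Required when the feature is enabled: an empty value means no exceptions are loaded. Set to "*" to allow exceptions in all namespaces`. The README table in the first file section has the same gap and is presumably generated from this comment, so fixing it here should fix both.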


@ -65,6 +65,10 @@ func NewExceptionSelector(
if !enablePolicyException {
return nil, nil
}
if exceptionNamespace == "" {
logger.Error(errors.New("the flag --exceptionNamespace cannot be empty"), "the flag --exceptionNamespace cannot be empty")
return nil, nil
}
polexCache := exceptioncontroller.NewController(
kyvernoInformer.Kyverno().V1().ClusterPolicies(),
kyvernoInformer.Kyverno().V1().Policies(),
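Review bot: The new empty-namespace check logs an error and then returns `nil, nil`, the same result as the feature being disabled, so an operator who sets `--enablePolicyException` but forgets `--exceptionNamespace` gets a controller that silently ignores every PolicyException instead of a startup failure; the misconfiguration is visible only in that log line, which also passes the same text as both the error and the message. Since the function already returns an error, prefer `return nil, errors.New("the flag --exceptionNamespace cannot be empty when --enablePolicyException is set")` so the caller fails fast, or at least say in the message that exceptions will not be loaded. The help text registered in `initPolicyExceptionsFlags` (next file section) could carry the same requirement: `"Enable PolicyException feature. Requires --exceptionNamespace to be set."`. NewExceptionSelector starts and ends outside the hunk.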


@ -103,8 +103,8 @@ func initKubeconfigFlags(qps float64, burst int, eventsQPS float64, eventsBurst
}
func initPolicyExceptionsFlags() {
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.")
flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.")
flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. If it is set to '*', exceptions are allowed in all namespaces.")
flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.")
}
func initConfigMapCachingFlags() {


@ -51118,7 +51118,7 @@ spec:
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true
- --enablePolicyException=false
- --protectManagedResources=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
@ -51274,7 +51274,7 @@ spec:
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true
- --enablePolicyException=false
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate
env:
@ -51528,7 +51528,7 @@ spec:
- --loggingFormat=text
- --v=2
- --omitEvents=PolicyApplied,PolicySkipped
- --enablePolicyException=true
- --enablePolicyException=false
- --allowInsecureRegistry=false
- --registryCredentialHelpers=default,google,amazon,azure,github
- --enableReporting=validate,mutate,mutateExisting,imageVerify,generate


@ -134,7 +134,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
}
func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
if c.namespace == "" {
if c.namespace == "*" {
return c.polexLister.List(labels.Everything())
}
return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())
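Review bot: After this change an empty `c.namespace` no longer means "all namespaces" but is passed straight to `c.polexLister.PolicyExceptions("")`, and what that lookup yields for a namespaced resource is not obvious from this code; the only guard is that `NewExceptionSelector`, in another package, refuses to build the controller with an empty namespace. A comment at the condition would keep that contract visible where it matters: `// "" is rejected by NewExceptionSelector; only "*" selects every namespace.` If any other caller constructs this controller it presumably needs the same check. listExceptions ends outside the hunk.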


@ -10,6 +10,7 @@ import (
const (
namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
disabledPolex = "PolicyException resources would not be processed until it is enabled."
polexNamespaceFlag = "The exceptionNamespace flag is not set"
)
type ValidationOptions struct {
@ -22,7 +23,9 @@ func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyEx
var warnings []string
if !opts.Enabled {
warnings = append(warnings, disabledPolex)
} else if opts.Namespace != "" && opts.Namespace != polex.Namespace {
} else if opts.Namespace == "" {
warnings = append(warnings, polexNamespaceFlag)
} else if opts.Namespace != "*" && opts.Namespace != polex.Namespace {
warnings = append(warnings, namespacesDontMatch)
}
errs := polex.Validate()


@ -53,11 +53,11 @@ func Test_Validate(t *testing.T) {
want: 0,
},
{
name: "PolicyExceptions enabled. No namespace defined",
name: "PolicyExceptions enabled. All namespaces are enabled",
args: args{
opts: ValidationOptions{
Enabled: true,
Namespace: "",
Namespace: "*",
},
resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
},
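Review bot: The only table case with `Enabled: true` and `Namespace: ""` was repurposed into the `"*"` case, so the new `opts.Namespace == ""` branch in `Validate`, which emits `polexNamespaceFlag`, has no coverage. Add the old input back as its own case expecting one warning; `want` appears to be the warning count, but confirm against the neighbouring cases. Test_Validate's table continues outside the hunk.
```go
{
	name: "PolicyExceptions enabled. No namespace defined",
	args: args{
		opts: ValidationOptions{
			Enabled:   true,
			Namespace: "",
		},
		resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
	},
	want: 1, // TODO(review): confirm `want` counts warnings in this table
},
```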


@ -4,6 +4,7 @@ grafana:
features:
policyExceptions:
enabled: true
namespace: "*"
admissionController:
serviceMonitor:


@ -1,3 +0,0 @@
features:
policyExceptions:
enabled: false


@ -1,6 +1,7 @@
features:
policyExceptions:
enabled: true
namespace: "*"
omitEvents:
eventTypes: []