mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 02:18:15 +00:00

refactor: support Audit and Enforce validation failure actions (#5152)

* feat: remove policy mutation code

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* refactor: support Audit and Enforce failure actions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* typo

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* update changelog

Signed-off-by: ShutingZhao <shuting@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
Charles-Edouard Brétéché 2022-11-01 09:56:52 +00:00 committed by GitHub
parent 9e89aa341b
commit d2658a1bc8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 125 additions and 109 deletions


@ -3,6 +3,7 @@
### Note
- Flag `autogenInternals` was removed, policy mutation has been removed.
- Support upper case `Audit` and `Enforce` in `.spec.validationFailureAction` of the Kyverno policy, failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`.
## v1.8.1-rc3


@ -13,12 +13,21 @@ type ValidationFailureAction string
// Policy Reporting Modes
const (
// Enforce blocks the request on failure
Enforce ValidationFailureAction = "enforce"
// Audit indicates not to block the request on failure, but report failures as policy violations
Audit ValidationFailureAction = "audit"
// enforceOld blocks the request on failure
// DEPRECATED: use enforce instead
enforceOld ValidationFailureAction = "enforce"
// enforce blocks the request on failure
enforce ValidationFailureAction = "Enforce"
)
func (a ValidationFailureAction) Enforce() bool {
return a == enforce || a == enforceOld
}
func (a ValidationFailureAction) Audit() bool {
return !a.Enforce()
}
type ValidationFailureActionOverride struct {
// +kubebuilder:validation:Enum=audit;enforce
Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
@ -50,7 +59,7 @@ type Spec struct {
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=audit
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
@ -207,15 +216,6 @@ func (s *Spec) GetFailurePolicy() FailurePolicyType {
return *s.FailurePolicy
}
// GetValidationFailureAction returns the validation failure action to be applied
func (s *Spec) GetValidationFailureAction() ValidationFailureAction {
if s.ValidationFailureAction == "" {
return Audit
}
return s.ValidationFailureAction
}
// GetFailurePolicy returns the failure policy to be applied
func (s *Spec) GetApplyRules() ApplyRulesType {
if s.ApplyRules == nil {
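Review bot: `Audit()` is defined as `!a.Enforce()`, so every value that is not exactly `Enforce` or `enforce` (an empty string, a typo, another casing) is treated as audit and the request is not blocked. The CRD enum rejects such values at the API server, but any caller that builds a Spec without schema validation gets no signal; I would state this on the method, `// Audit reports true for any value other than Enforce/enforce, including empty and unrecognised ones.`, and consider an explicit validity check next to it. The `+kubebuilder:validation:Enum=audit;enforce` marker on `ValidationFailureActionOverride.Action` is unchanged in this hunk, so the capitalised spellings appear to be accepted for the policy-level field only. By Go convention the marker on `enforceOld` is written `// Deprecated:` rather than `DEPRECATED:`.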


@ -32,7 +32,7 @@ type Spec struct {
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce
// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
// +kubebuilder:default=audit
ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
@ -187,15 +187,6 @@ func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType {
return *s.FailurePolicy
}
// GetValidationFailureAction returns the validation failure action to be applied
func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
if s.ValidationFailureAction == "" {
return kyvernov1.Audit
}
return s.ValidationFailureAction
}
// GetFailurePolicy returns the failure policy to be applied
func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType {
if s.ApplyRules == nil {
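Review bot: The field comment still reads `Allowed values are audit or enforce. The default value is "audit".`, and `+kubebuilder:default=audit` keeps defaulting new policies to the spelling the changelog marks as deprecated; the same holds for the identical Spec hunk in the previous file section. I would update the comment to `// Allowed values are Audit or Enforce (audit and enforce are deprecated). The default value is "audit".` and decide whether the default should move to `Audit` before the lowercase values are removed.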


@ -2832,6 +2832,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -6352,6 +6354,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -10496,6 +10500,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
@ -14016,6 +14022,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces.


@ -2892,6 +2892,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -8511,6 +8513,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy


@ -2893,6 +2893,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -8514,6 +8516,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy


@ -4214,6 +4214,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -9833,6 +9835,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -16309,6 +16313,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -21930,6 +21936,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy


@ -4208,6 +4208,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -9827,6 +9829,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -16300,6 +16304,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy
@ -21921,6 +21927,8 @@ spec:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
description: ValidationFailureActionOverrides is a Cluster Policy


@ -54,7 +54,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(logger logr.Logger
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName())
}
// curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields:
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction() != oldSpec.GetValidationFailureAction() {
if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() {
err = policyChangesMetric.RegisterPolicy(pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated)
if err != nil {
logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName())


@ -35,7 +35,7 @@ func processImageValidationRule(log logr.Logger, ctx *PolicyContext, rule *kyver
}
if !preconditionsPassed {
if ctx.Policy.GetSpec().ValidationFailureAction == kyvernov1.Audit {
if ctx.Policy.GetSpec().ValidationFailureAction.Audit() {
return nil
}


@ -228,9 +228,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string {
func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction {
for _, v := range er.PolicyResponse.ValidationFailureActionOverrides {
if v.Action != kyvernov1.Enforce && v.Action != kyvernov1.Audit {
continue
}
for _, ns := range v.Namespaces {
if wildcard.Match(ns, er.PatchedResource.GetNamespace()) {
return v.Action
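Review bot: With the three-line guard gone, an override whose `Action` is neither spelling of audit or enforce is returned as soon as its namespace pattern matches, where before it was skipped and the loop moved on. Callers now decide with `.Enforce()`, so such an override would downgrade an enforcing policy to audit for that namespace instead of being ignored. The constants are no longer exported, so the old comparison cannot be restored as-is; a validity method on `ValidationFailureAction` (to be added, it is not part of this commit) would let the loop keep `continue`-ing past unrecognised values. The function starts and ends outside the hunk, so the fallback return is not visible here.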


@ -78,7 +78,7 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime
resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace()
resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind()
resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion()
resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().GetValidationFailureAction()
resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().ValidationFailureAction
for _, v := range ctx.Policy.GetSpec().ValidationFailureActionOverrides {
resp.PolicyResponse.ValidationFailureActionOverrides = append(resp.PolicyResponse.ValidationFailureActionOverrides, response.ValidationFailureActionOverride{Action: v.Action, Namespaces: v.Namespaces})


@ -9,14 +9,10 @@ import (
)
func ParsePolicyValidationMode(validationFailureAction kyvernov1.ValidationFailureAction) (PolicyValidationMode, error) {
switch validationFailureAction {
case kyvernov1.Enforce:
if validationFailureAction.Enforce() {
return Enforce, nil
case kyvernov1.Audit:
return Audit, nil
default:
return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit")
}
return Audit, nil
}
func ParsePolicyBackgroundMode(policy kyvernov1.PolicyInterface) PolicyBackgroundMode {
@ -76,6 +72,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp
policyType = Namespaced
}
backgroundMode := ParsePolicyBackgroundMode(policy)
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction())
validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction)
return name, namespace, policyType, backgroundMode, validationMode, err
}
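Review bot: `ParsePolicyValidationMode` can no longer fail, since both paths return a nil error, yet it keeps the `(PolicyValidationMode, error)` signature and `GetPolicyInfos` still propagates `err`. An unrecognised failure action, which the removed `default` branch reported, is now labelled `Audit` in the metrics without any signal. If the signature has to stay for callers, document it: `// ParsePolicyValidationMode reports Enforce for Enforce/enforce and Audit for every other value; the returned error is always nil.`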


@ -1142,32 +1142,31 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error {
action := map[string]sets.String{
string(kyvernov1.Enforce): sets.NewString(),
string(kyvernov1.Audit): sets.NewString(),
"enforceW": sets.NewString(),
"auditW": sets.NewString(),
"enforce": sets.NewString(),
"audit": sets.NewString(),
"enforceW": sets.NewString(),
"auditW": sets.NewString(),
}
for i, vfa := range s.ValidationFailureActionOverrides {
patternList, nsList := utils.SeperateWildcards(vfa.Namespaces)
if vfa.Action == kyvernov1.Audit {
if action[string(kyvernov1.Enforce)].HasAny(nsList...) {
if vfa.Action.Audit() {
if action["enforce"].HasAny(nsList...) {
return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(),
strings.Join(action[string(kyvernov1.Enforce)].Intersection(sets.NewString(nsList...)).List(), ", "))
strings.Join(action["enforce"].Intersection(sets.NewString(nsList...)).List(), ", "))
}
action["auditW"].Insert(patternList...)
} else if vfa.Action == kyvernov1.Enforce {
if action[string(kyvernov1.Audit)].HasAny(nsList...) {
} else if vfa.Action.Enforce() {
if action["audit"].HasAny(nsList...) {
return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(),
strings.Join(action[string(kyvernov1.Audit)].Intersection(sets.NewString(nsList...)).List(), ", "))
strings.Join(action["audit"].Intersection(sets.NewString(nsList...)).List(), ", "))
}
action["enforceW"].Insert(patternList...)
}
action[string(vfa.Action)].Insert(nsList...)
action[strings.ToLower(string(vfa.Action))].Insert(nsList...)
err := validateWildcardsWithNamespaces(action[string(kyvernov1.Enforce)].List(),
action[string(kyvernov1.Audit)].List(), action["enforceW"].List(), action["auditW"].List())
err := validateWildcardsWithNamespaces(action["enforce"].List(), action["audit"].List(), action["enforceW"].List(), action["auditW"].List())
if err != nil {
return fmt.Errorf("path: %s: %s", path.Index(i).Child("namespaces").String(), err.Error())
}
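Review bot: The branch is chosen with the exact-match predicates `vfa.Action.Audit()` / `.Enforce()`, but the bucket is chosen with `strings.ToLower(string(vfa.Action))`, and the two can disagree. A value such as `ENFORCE` takes the audit branch yet is inserted into the `"enforce"` set, and any other unrecognised value indexes a key that is not in the map, where `Insert` on the missing (nil) set would presumably panic. Deriving the key from the predicate keeps them aligned: `key := "audit"`, `if vfa.Action.Enforce() { key = "enforce" }`, `action[key].Insert(nsList...)`. Because `Audit()` is the negation of `Enforce()`, the `else if vfa.Action.Enforce()` is also a plain `else`. The function continues past the end of the hunk.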


@ -1640,17 +1640,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc1",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
@ -1672,17 +1672,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc2",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
@ -1703,17 +1703,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc3",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default*",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
@ -1735,17 +1735,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc4",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"*",
},
@ -1767,17 +1767,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc5",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"?*",
},
@ -1799,17 +1799,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc6",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default?",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default1",
},
@ -1831,17 +1831,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc7",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default*",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"?*",
},
@ -1863,16 +1863,16 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc8",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"*",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"?*",
},
@ -1894,17 +1894,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc9",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default*",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
"test*",
@ -1927,17 +1927,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc10",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"*efault",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
@ -1959,17 +1959,17 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc11",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default-*",
"test",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
@ -1990,16 +1990,16 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc12",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default*?",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
"test*",
@ -2021,16 +2021,16 @@ func Test_ValidateNamespace(t *testing.T) {
{
description: "tc13",
spec: &kyverno.Spec{
ValidationFailureAction: kyverno.Enforce,
ValidationFailureAction: "Enforce",
ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{
{
Action: kyverno.Enforce,
Action: "Enforce",
Namespaces: []string{
"default?",
},
},
{
Action: kyverno.Audit,
Action: "Audit",
Namespaces: []string{
"default",
},
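Review bot: Every case now uses the literal `"Enforce"` / `"Audit"`, so the deprecated lowercase spellings that remain accepted until `v1.11.0` are no longer exercised by `Test_ValidateNamespace`; the same replacement is made in the handler and `BlockRequest` test sections further down. I would keep at least one case with `Action: "enforce"` and `Action: "audit"`, plus one mixing the two spellings on conflicting namespaces, so the compatibility path stays covered. The test table starts and ends outside these hunks.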


@ -63,9 +63,9 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace,
keepPolicy := true
switch pkey {
case ValidateAudit:
keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Audit, nspace, policy)
keepPolicy = checkValidationFailureActionOverrides(false, nspace, policy)
case ValidateEnforce:
keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Enforce, nspace, policy)
keepPolicy = checkValidationFailureActionOverrides(true, nspace, policy)
}
if keepPolicy { // add policy to result
policies = append(policies, policy)
@ -74,14 +74,14 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace,
return policies
}
func checkValidationFailureActionOverrides(requestedAction kyvernov1.ValidationFailureAction, ns string, policy kyvernov1.PolicyInterface) bool {
func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool {
validationFailureAction := policy.GetSpec().ValidationFailureAction
validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides
if validationFailureAction != requestedAction && (ns == "" || len(validationFailureActionOverrides) == 0) {
if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) {
return false
}
for _, action := range validationFailureActionOverrides {
if action.Action != requestedAction && kyvernoutils.ContainsNamepace(action.Namespaces, ns) {
if action.Action.Enforce() != enforce && kyvernoutils.ContainsNamepace(action.Namespaces, ns) {
return false
}
}
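Review bot: The bare `true` / `false` passed to `checkValidationFailureActionOverrides` in `filterPolicies` no longer says which mode is being requested, and the function has no doc comment explaining the parameter. I would add `// checkValidationFailureActionOverrides reports whether policy should be kept for namespace ns under the requested mode (enforce=true, audit=false).` and annotate the call sites, e.g. `checkValidationFailureActionOverrides(false /* audit */, nspace, policy)`. Both functions extend beyond the hunks shown.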


@ -74,11 +74,11 @@ func computeKind(gvk string) string {
}
func computeEnforcePolicy(spec *kyvernov1.Spec) bool {
if spec.GetValidationFailureAction() == kyvernov1.Enforce {
if spec.ValidationFailureAction.Enforce() {
return true
}
for _, k := range spec.ValidationFailureActionOverrides {
if k.Action == kyvernov1.Enforce {
if k.Action.Enforce() {
return true
}
}


@ -19,7 +19,7 @@ func IsResponseSuccessful(engineReponses []*response.EngineResponse) bool {
// 1. a policy fails (i.e. creates a violation) and validationFailureAction is set to 'enforce'
// 2. a policy has a processing error and failurePolicy is set to 'Fail`
func BlockRequest(er *response.EngineResponse, failurePolicy kyvernov1.FailurePolicyType) bool {
if er.IsFailed() && er.GetValidationFailureAction() == kyvernov1.Enforce {
if er.IsFailed() && er.GetValidationFailureAction().Enforce() {
return true
}
if er.IsError() && failurePolicy == kyvernov1.Fail {
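Review bot: The doc comment above `BlockRequest` still says validationFailureAction is set to 'enforce', while the check now accepts both spellings through `.Enforce()`. Since this is where the admission decision is made, I would spell it out: `// 1. a policy fails (i.e. creates a violation) and validationFailureAction is 'Enforce' (or the deprecated 'enforce')`. The function body continues outside the hunk.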


@ -290,7 +290,7 @@ func Test_AdmissionResponseValid(t *testing.T) {
assert.Equal(t, response.Allowed, true)
assert.Equal(t, len(response.Warnings), 0)
validPolicy.Spec.ValidationFailureAction = kyverno.Enforce
validPolicy.Spec.ValidationFailureAction = "Enforce"
policyCache.Set(key, &validPolicy)
response = handlers.Validate(logger, request, "", time.Now())
@ -323,7 +323,7 @@ func Test_AdmissionResponseInvalid(t *testing.T) {
}
keyInvalid := makeKey(&invalidPolicy)
invalidPolicy.Spec.ValidationFailureAction = kyverno.Enforce
invalidPolicy.Spec.ValidationFailureAction = "Enforce"
policyCache.Set(keyInvalid, &invalidPolicy)
response := handlers.Validate(logger, request, "", time.Now())
@ -364,7 +364,7 @@ func Test_ImageVerify(t *testing.T) {
},
}
policy.Spec.ValidationFailureAction = kyverno.Enforce
policy.Spec.ValidationFailureAction = "Enforce"
policyCache.Set(key, &policy)
response := handlers.Mutate(logger, request, "", time.Now())


@ -59,7 +59,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Enforce,
ValidationFailureAction: "Enforce",
Rules: []response.RuleResponse{
{
Name: "rule-fail",
@ -80,7 +80,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Audit,
ValidationFailureAction: "Audit",
Rules: []response.RuleResponse{
{
Name: "rule-fail",
@ -101,7 +101,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Audit,
ValidationFailureAction: "Audit",
Rules: []response.RuleResponse{
{
Name: "rule-error",
@ -122,7 +122,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Audit,
ValidationFailureAction: "Audit",
Rules: []response.RuleResponse{
{
Name: "rule-error",
@ -143,7 +143,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Audit,
ValidationFailureAction: "Audit",
Rules: []response.RuleResponse{
{
Name: "rule-warning",
@ -164,7 +164,7 @@ func TestBlockRequest(t *testing.T) {
engineResponses: []*response.EngineResponse{
{
PolicyResponse: response.PolicyResponse{
ValidationFailureAction: kyvernov1.Audit,
ValidationFailureAction: "Audit",
Rules: []response.RuleResponse{
{
Name: "rule-warning",
@ -205,7 +205,7 @@ func TestGetBlockedMessages(t *testing.T) {
Policy: response.PolicySpec{
Name: "test",
},
ValidationFailureAction: kyvernov1.Enforce,
ValidationFailureAction: "Enforce",
Rules: []response.RuleResponse{
{
Name: "rule-fail",
@ -232,7 +232,7 @@ func TestGetBlockedMessages(t *testing.T) {
Policy: response.PolicySpec{
Name: "test",
},
ValidationFailureAction: kyvernov1.Enforce,
ValidationFailureAction: "Enforce",
Rules: []response.RuleResponse{
{
Name: "rule-error",
@ -259,7 +259,7 @@ func TestGetBlockedMessages(t *testing.T) {
Policy: response.PolicySpec{
Name: "test",
},
ValidationFailureAction: kyvernov1.Enforce,
ValidationFailureAction: "Enforce",
Rules: []response.RuleResponse{
{
Name: "rule-fail",