From d2658a1bc85686400eef229d731f42b26de0dfe3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 1 Nov 2022 09:56:52 +0000 Subject: [PATCH] refactor: support Audit and Enforce validation failure actions (#5152) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: remove policy mutation code Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * refactor: support Audit and Enforce failure actions Signed-off-by: Charles-Edouard Brétéché * codegen Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * typo Signed-off-by: Charles-Edouard Brétéché * update changelog Signed-off-by: ShutingZhao Signed-off-by: Charles-Edouard Brétéché Signed-off-by: ShutingZhao Co-authored-by: shuting Co-authored-by: Vyankatesh Kudtarkar --- CHANGELOG.md | 1 + api/kyverno/v1/spec_types.go | 28 ++++---- api/kyverno/v2beta1/spec_types.go | 11 +-- charts/kyverno/templates/crds.yaml | 8 +++ config/crds/kyverno.io_clusterpolicies.yaml | 4 ++ config/crds/kyverno.io_policies.yaml | 4 ++ config/install.yaml | 8 +++ config/install_debug.yaml | 8 +++ pkg/controllers/metrics/policy/metrics.go | 2 +- pkg/engine/imageVerifyValidate.go | 2 +- pkg/engine/response/response.go | 3 - pkg/engine/validation.go | 2 +- pkg/metrics/parsers.go | 10 +-- pkg/policy/validate.go | 25 ++++--- pkg/policy/validate_test.go | 78 ++++++++++----------- pkg/policycache/cache.go | 10 +-- pkg/policycache/store.go | 4 +- pkg/utils/engine/response.go | 2 +- pkg/webhooks/resource/handlers_test.go | 6 +- pkg/webhooks/utils/block_test.go | 18 ++--- 20 files changed, 125 insertions(+), 109 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9d1dc47a2c..e080f40272 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,6 +3,7 @@ ### Note - Flag `autogenInternals` was removed, policy mutation has been removed. +- Support upper case `Audit` and `Enforce` in `.spec.validationFailureAction` of the Kyverno policy, failure actions `audit` and `enforce` are deprecated and will be removed in `v1.11.0`. ## v1.8.1-rc3 diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go index f215a82eaa..f63fff9de4 100644 --- a/api/kyverno/v1/spec_types.go +++ b/api/kyverno/v1/spec_types.go @@ -13,12 +13,21 @@ type ValidationFailureAction string // Policy Reporting Modes const ( - // Enforce blocks the request on failure - Enforce ValidationFailureAction = "enforce" - // Audit indicates not to block the request on failure, but report failures as policy violations - Audit ValidationFailureAction = "audit" + // enforceOld blocks the request on failure + // DEPRECATED: use enforce instead + enforceOld ValidationFailureAction = "enforce" + // enforce blocks the request on failure + enforce ValidationFailureAction = "Enforce" ) +func (a ValidationFailureAction) Enforce() bool { + return a == enforce || a == enforceOld +} + +func (a ValidationFailureAction) Audit() bool { + return !a.Enforce() +} + type ValidationFailureActionOverride struct { // +kubebuilder:validation:Enum=audit;enforce Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"` @@ -50,7 +59,7 @@ type Spec struct { // and report an error in a policy report. Optional. // Allowed values are audit or enforce. The default value is "audit". // +optional - // +kubebuilder:validation:Enum=audit;enforce + // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:default=audit ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` 
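Review bot: The `// +kubebuilder:validation:Enum=audit;enforce` marker on `ValidationFailureActionOverride.Action`, visible as context right after the new `Audit()` method, is not extended, so an override written as `Enforce` or `Audit` is accepted by `Enforce()`/`Audit()` in code but rejected by the generated CRDs (every CRD hunk in this patch only touches the top-level `validationFailureAction` enum); it should become `// +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce` and the CRDs regenerated. `Audit()` is defined as `!a.Enforce()`, so an empty or unrecognized value is silently treated as non-blocking, which mirrors the old `GetValidationFailureAction` default but is now invisible to readers; the two exported methods need doc comments such as `// Enforce reports whether the action blocks the request ("Enforce", or the deprecated "enforce").` and `// Audit reports whether the action is not Enforce; empty and unknown values count as audit.`. Making the constants unexported also pushes every test touched by this patch to string literals like `"Enforce"`; keeping exported constants for the canonical spellings would avoid that drift.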
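Review bot: The field comment just above the changed marker still says `Allowed values are audit or enforce. The default value is "audit".`, and this text is what ends up in the generated CRD description, so it should be updated to `Allowed values are Audit or Enforce (audit and enforce are deprecated). The default value is "Audit".` together with `// +kubebuilder:default=Audit`, since the changelog says the lowercase spellings go away in `v1.11.0` and the unchanged `+kubebuilder:default=audit` marker would keep emitting the deprecated one. The same stale comment and default marker appear in the `api/kyverno/v2beta1/spec_types.go` hunk at line 32 of that file.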
@@ -207,15 +216,6 @@ func (s *Spec) GetFailurePolicy() FailurePolicyType { return *s.FailurePolicy } -// GetValidationFailureAction returns the validation failure action to be applied -func (s *Spec) GetValidationFailureAction() ValidationFailureAction { - if s.ValidationFailureAction == "" { - return Audit - } - - return s.ValidationFailureAction -} - // GetFailurePolicy returns the failure policy to be applied func (s *Spec) GetApplyRules() ApplyRulesType { if s.ApplyRules == nil { diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go index 10e6538be3..aec9271759 100644 --- a/api/kyverno/v2beta1/spec_types.go +++ b/api/kyverno/v2beta1/spec_types.go @@ -32,7 +32,7 @@ type Spec struct { // and report an error in a policy report. Optional. // Allowed values are audit or enforce. The default value is "audit". // +optional - // +kubebuilder:validation:Enum=audit;enforce + // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce // +kubebuilder:default=audit ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` @@ -187,15 +187,6 @@ func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType { return *s.FailurePolicy } -// GetValidationFailureAction returns the validation failure action to be applied -func (s *Spec) GetValidationFailureAction() kyvernov1.ValidationFailureAction { - if s.ValidationFailureAction == "" { - return kyvernov1.Audit - } - - return s.ValidationFailureAction -} - // GetFailurePolicy returns the failure policy to be applied func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType { if s.ApplyRules == nil { diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index c2391c5ca7..33348c5d9e 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml 
@@ -2832,6 +2832,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. @@ -6352,6 +6354,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. @@ -10496,6 +10500,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. @@ -14016,6 +14022,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index f05e85308b..39e7aca4c0 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -2892,6 +2892,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -8511,6 +8513,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy 
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index 95690b2bef..f53d82d06d 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -2893,6 +2893,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -8514,6 +8516,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/config/install.yaml b/config/install.yaml index 57d5cd0901..ac9fcc3549 100644 --- a/config/install.yaml +++ b/config/install.yaml @@ -4214,6 +4214,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -9833,6 +9835,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -16309,6 +16313,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -21930,6 +21936,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/config/install_debug.yaml b/config/install_debug.yaml index 496dc874ce..aaff31cd33 100644 --- a/config/install_debug.yaml +++ b/config/install_debug.yaml @@ -4208,6 +4208,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy 
@@ -9827,6 +9829,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -16300,6 +16304,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy @@ -21921,6 +21927,8 @@ spec: enum: - audit - enforce + - Audit + - Enforce type: string validationFailureActionOverrides: description: ValidationFailureActionOverrides is a Cluster Policy diff --git a/pkg/controllers/metrics/policy/metrics.go b/pkg/controllers/metrics/policy/metrics.go index b1b44293ba..84a6020620 100644 --- a/pkg/controllers/metrics/policy/metrics.go +++ b/pkg/controllers/metrics/policy/metrics.go @@ -54,7 +54,7 @@ func (pc *controller) registerPolicyChangesMetricUpdatePolicy(logger logr.Logger logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", oldP.GetName()) } // curP will require a new kyverno_policy_changes_total metric if the above update involved change in the following fields: - if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.GetValidationFailureAction() != oldSpec.GetValidationFailureAction() { + if curSpec.BackgroundProcessingEnabled() != oldSpec.BackgroundProcessingEnabled() || curSpec.ValidationFailureAction.Enforce() != oldSpec.ValidationFailureAction.Enforce() { err = policyChangesMetric.RegisterPolicy(pc.metricsConfig, curP, policyChangesMetric.PolicyUpdated) if err != nil { logger.Error(err, "error occurred while registering kyverno_policy_changes_total metrics for the above policy's updation", "name", curP.GetName()) diff --git a/pkg/engine/imageVerifyValidate.go b/pkg/engine/imageVerifyValidate.go index 024eb73205..e75bc01627 100644 --- a/pkg/engine/imageVerifyValidate.go +++ b/pkg/engine/imageVerifyValidate.go 
@@ -35,7 +35,7 @@ func processImageValidationRule(log logr.Logger, ctx *PolicyContext, rule *kyver } if !preconditionsPassed { - if ctx.Policy.GetSpec().ValidationFailureAction == kyvernov1.Audit { + if ctx.Policy.GetSpec().ValidationFailureAction.Audit() { return nil } diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go index ad30a9b671..d3c83cb5b7 100644 --- a/pkg/engine/response/response.go +++ b/pkg/engine/response/response.go @@ -228,9 +228,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string { func (er *EngineResponse) GetValidationFailureAction() kyvernov1.ValidationFailureAction { for _, v := range er.PolicyResponse.ValidationFailureActionOverrides { - if v.Action != kyvernov1.Enforce && v.Action != kyvernov1.Audit { - continue - } for _, ns := range v.Namespaces { if wildcard.Match(ns, er.PatchedResource.GetNamespace()) { return v.Action diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go index 7cb3140d0b..dce28b97e0 100644 --- a/pkg/engine/validation.go +++ b/pkg/engine/validation.go @@ -78,7 +78,7 @@ func buildResponse(ctx *PolicyContext, resp *response.EngineResponse, startTime resp.PolicyResponse.Resource.Namespace = resp.PatchedResource.GetNamespace() resp.PolicyResponse.Resource.Kind = resp.PatchedResource.GetKind() resp.PolicyResponse.Resource.APIVersion = resp.PatchedResource.GetAPIVersion() - resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().GetValidationFailureAction() + resp.PolicyResponse.ValidationFailureAction = ctx.Policy.GetSpec().ValidationFailureAction for _, v := range ctx.Policy.GetSpec().ValidationFailureActionOverrides { resp.PolicyResponse.ValidationFailureActionOverrides = append(resp.PolicyResponse.ValidationFailureActionOverrides, response.ValidationFailureActionOverride{Action: v.Action, Namespaces: v.Namespaces}) diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go index e16423c696..04d8e77362 100644 --- a/pkg/metrics/parsers.go 
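Review bot: Dropping the guard at the top of the loop in `GetValidationFailureAction` means an override whose `Action` is empty (the field is `omitempty`) or unrecognized now wins for every namespace it matches, and because `Audit()` is the complement of `Enforce()` such an override downgrades an Enforce policy to audit for those namespaces, whereas before this change it was skipped. Keep a minimal guard so an unset action cannot override the policy-level one: `if v.Action == "" { continue }`. `GetValidationFailureAction` continues past the end of the hunk.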
+++ b/pkg/metrics/parsers.go @@ -9,14 +9,10 @@ import ( ) func ParsePolicyValidationMode(validationFailureAction kyvernov1.ValidationFailureAction) (PolicyValidationMode, error) { - switch validationFailureAction { - case kyvernov1.Enforce: + if validationFailureAction.Enforce() { return Enforce, nil - case kyvernov1.Audit: - return Audit, nil - default: - return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit") } + return Audit, nil } func ParsePolicyBackgroundMode(policy kyvernov1.PolicyInterface) PolicyBackgroundMode { @@ -76,6 +72,6 @@ func GetPolicyInfos(policy kyvernov1.PolicyInterface) (string, string, PolicyTyp policyType = Namespaced } backgroundMode := ParsePolicyBackgroundMode(policy) - validationMode, err := ParsePolicyValidationMode(policy.GetSpec().GetValidationFailureAction()) + validationMode, err := ParsePolicyValidationMode(policy.GetSpec().ValidationFailureAction) return name, namespace, policyType, backgroundMode, validationMode, err } diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index a14f771ddf..63b2758c6a 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go 
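Review bot: After this change `ParsePolicyValidationMode` can no longer fail, so its `error` result is always nil, yet `GetPolicyInfos` in the second hunk of this file still threads it through to its callers; either drop the `error` from both signatures or keep rejecting values that are neither an Enforce spelling nor `audit`/`Audit`/empty, which this commit now silently reports as `Audit`. Whichever is chosen, the new contract should be stated on the function, e.g. `// ParsePolicyValidationMode maps a validation failure action to a metrics mode; anything that is not Enforce is reported as Audit and the returned error is always nil.`.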
@@ -1142,32 +1142,31 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string) func validateNamespaces(s *kyvernov1.Spec, path *field.Path) error { action := map[string]sets.String{ - string(kyvernov1.Enforce): sets.NewString(), - string(kyvernov1.Audit): sets.NewString(), - "enforceW": sets.NewString(), - "auditW": sets.NewString(), + "enforce": sets.NewString(), + "audit": sets.NewString(), + "enforceW": sets.NewString(), + "auditW": sets.NewString(), } for i, vfa := range s.ValidationFailureActionOverrides { patternList, nsList := utils.SeperateWildcards(vfa.Namespaces) - if vfa.Action == kyvernov1.Audit { - if action[string(kyvernov1.Enforce)].HasAny(nsList...) { + if vfa.Action.Audit() { + if action["enforce"].HasAny(nsList...) { return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(), - strings.Join(action[string(kyvernov1.Enforce)].Intersection(sets.NewString(nsList...)).List(), ", ")) + strings.Join(action["enforce"].Intersection(sets.NewString(nsList...)).List(), ", ")) } action["auditW"].Insert(patternList...) - } else if vfa.Action == kyvernov1.Enforce { - if action[string(kyvernov1.Audit)].HasAny(nsList...) { + } else if vfa.Action.Enforce() { + if action["audit"].HasAny(nsList...) { return fmt.Errorf("conflicting namespaces found in path: %s: %s", path.Index(i).Child("namespaces").String(), - strings.Join(action[string(kyvernov1.Audit)].Intersection(sets.NewString(nsList...)).List(), ", ")) + strings.Join(action["audit"].Intersection(sets.NewString(nsList...)).List(), ", ")) } action["enforceW"].Insert(patternList...) } - action[string(vfa.Action)].Insert(nsList...) + action[strings.ToLower(string(vfa.Action))].Insert(nsList...) 
- err := validateWildcardsWithNamespaces(action[string(kyvernov1.Enforce)].List(), - action[string(kyvernov1.Audit)].List(), action["enforceW"].List(), action["auditW"].List()) + err := validateWildcardsWithNamespaces(action["enforce"].List(), action["audit"].List(), action["enforceW"].List(), action["auditW"].List()) if err != nil { return fmt.Errorf("path: %s: %s", path.Index(i).Child("namespaces").String(), err.Error()) } diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go index e5587e2ebe..667536002b 100644 --- a/pkg/policy/validate_test.go +++ b/pkg/policy/validate_test.go @@ -1640,17 +1640,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc1", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, @@ -1672,17 +1672,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc2", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, @@ -1703,17 +1703,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc3", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default*", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, 
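Review bot: In `validateNamespaces` the branch taken for an override is decided by `vfa.Action.Audit()`/`Enforce()`, but the namespaces are then recorded under `action[strings.ToLower(string(vfa.Action))]`; for an empty or unrecognized `Action` the first branch treats it as audit while the map lookup yields a nil `sets.String`, and `Insert` on a nil set panics in the policy validation path. Key the insert by the same classification instead: `key := "audit"`, `if vfa.Action.Enforce() { key = "enforce" }`, `action[key].Insert(nsList...)`. With that, the `else if vfa.Action.Enforce()` can become a plain `else`, since `Audit()` is defined as its negation. The loop and the function continue past the end of the hunk.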
@@ -1735,17 +1735,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc4", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "*", }, @@ -1767,17 +1767,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc5", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "?*", }, @@ -1799,17 +1799,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc6", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default?", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default1", }, @@ -1831,17 +1831,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc7", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default*", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "?*", }, 
@@ -1863,16 +1863,16 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc8", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "*", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "?*", }, @@ -1894,17 +1894,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc9", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default*", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", "test*", @@ -1927,17 +1927,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc10", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "*efault", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, @@ -1959,17 +1959,17 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc11", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default-*", "test", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, 
@@ -1990,16 +1990,16 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc12", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default*?", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", "test*", @@ -2021,16 +2021,16 @@ func Test_ValidateNamespace(t *testing.T) { { description: "tc13", spec: &kyverno.Spec{ - ValidationFailureAction: kyverno.Enforce, + ValidationFailureAction: "Enforce", ValidationFailureActionOverrides: []kyverno.ValidationFailureActionOverride{ { - Action: kyverno.Enforce, + Action: "Enforce", Namespaces: []string{ "default?", }, }, { - Action: kyverno.Audit, + Action: "Audit", Namespaces: []string{ "default", }, diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go index b1e4892e4b..0318cd2416 100644 --- a/pkg/policycache/cache.go +++ b/pkg/policycache/cache.go @@ -63,9 +63,9 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace, keepPolicy := true switch pkey { case ValidateAudit: - keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Audit, nspace, policy) + keepPolicy = checkValidationFailureActionOverrides(false, nspace, policy) case ValidateEnforce: - keepPolicy = checkValidationFailureActionOverrides(kyvernov1.Enforce, nspace, policy) + keepPolicy = checkValidationFailureActionOverrides(true, nspace, policy) } if keepPolicy { // add policy to result policies = append(policies, policy) 
@@ -74,14 +74,14 @@ func filterPolicies(pkey PolicyType, result []kyvernov1.PolicyInterface, nspace, return policies } -func checkValidationFailureActionOverrides(requestedAction kyvernov1.ValidationFailureAction, ns string, policy kyvernov1.PolicyInterface) bool { +func checkValidationFailureActionOverrides(enforce bool, ns string, policy kyvernov1.PolicyInterface) bool { validationFailureAction := policy.GetSpec().ValidationFailureAction validationFailureActionOverrides := policy.GetSpec().ValidationFailureActionOverrides - if validationFailureAction != requestedAction && (ns == "" || len(validationFailureActionOverrides) == 0) { + if validationFailureAction.Enforce() != enforce && (ns == "" || len(validationFailureActionOverrides) == 0) { return false } for _, action := range validationFailureActionOverrides { - if action.Action != requestedAction && kyvernoutils.ContainsNamepace(action.Namespaces, ns) { + if action.Action.Enforce() != enforce && kyvernoutils.ContainsNamepace(action.Namespaces, ns) { return false } } diff --git a/pkg/policycache/store.go b/pkg/policycache/store.go index d4e6f3e0a3..2e9268b963 100644 --- a/pkg/policycache/store.go +++ b/pkg/policycache/store.go @@ -74,11 +74,11 @@ func computeKind(gvk string) string { } func computeEnforcePolicy(spec *kyvernov1.Spec) bool { - if spec.GetValidationFailureAction() == kyvernov1.Enforce { + if spec.ValidationFailureAction.Enforce() { return true } for _, k := range spec.ValidationFailureActionOverrides { - if k.Action == kyvernov1.Enforce { + if k.Action.Enforce() { return true } } diff --git a/pkg/utils/engine/response.go b/pkg/utils/engine/response.go index b76f9fda4b..a6136b98d5 100644 --- a/pkg/utils/engine/response.go +++ b/pkg/utils/engine/response.go 
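Review bot: `checkValidationFailureActionOverrides` now takes a bare `enforce bool`, so the two call sites in the previous hunk read `checkValidationFailureActionOverrides(false, nspace, policy)` and `(true, nspace, policy)`, which hides which cache mode is being asked for. If the boolean stays, a doc comment should carry the meaning, e.g. `// checkValidationFailureActionOverrides reports whether policy belongs in the Enforce (enforce=true) or Audit (enforce=false) cache for ns, taking per-namespace overrides into account.`, and the call sites could spell it out as `checkValidationFailureActionOverrides(true /* enforce */, nspace, policy)`.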
@@ -19,7 +19,7 @@ func IsResponseSuccessful(engineReponses []*response.EngineResponse) bool { // 1. a policy fails (i.e. creates a violation) and validationFailureAction is set to 'enforce' // 2. a policy has a processing error and failurePolicy is set to 'Fail` func BlockRequest(er *response.EngineResponse, failurePolicy kyvernov1.FailurePolicyType) bool { - if er.IsFailed() && er.GetValidationFailureAction() == kyvernov1.Enforce { + if er.IsFailed() && er.GetValidationFailureAction().Enforce() { return true } if er.IsError() && failurePolicy == kyvernov1.Fail { diff --git a/pkg/webhooks/resource/handlers_test.go b/pkg/webhooks/resource/handlers_test.go index dc6330dadc..4657366985 100644 --- a/pkg/webhooks/resource/handlers_test.go +++ b/pkg/webhooks/resource/handlers_test.go @@ -290,7 +290,7 @@ func Test_AdmissionResponseValid(t *testing.T) { assert.Equal(t, response.Allowed, true) assert.Equal(t, len(response.Warnings), 0) - validPolicy.Spec.ValidationFailureAction = kyverno.Enforce + validPolicy.Spec.ValidationFailureAction = "Enforce" policyCache.Set(key, &validPolicy) response = handlers.Validate(logger, request, "", time.Now()) @@ -323,7 +323,7 @@ func Test_AdmissionResponseInvalid(t *testing.T) { } keyInvalid := makeKey(&invalidPolicy) - invalidPolicy.Spec.ValidationFailureAction = kyverno.Enforce + invalidPolicy.Spec.ValidationFailureAction = "Enforce" policyCache.Set(keyInvalid, &invalidPolicy) response := handlers.Validate(logger, request, "", time.Now()) @@ -364,7 +364,7 @@ func Test_ImageVerify(t *testing.T) { }, } - policy.Spec.ValidationFailureAction = kyverno.Enforce + policy.Spec.ValidationFailureAction = "Enforce" policyCache.Set(key, &policy) response := handlers.Mutate(logger, request, "", time.Now()) diff --git a/pkg/webhooks/utils/block_test.go b/pkg/webhooks/utils/block_test.go index d8be07fc59..e0b5f50fc9 100644 --- a/pkg/webhooks/utils/block_test.go +++ b/pkg/webhooks/utils/block_test.go 
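Review bot: The comment above `BlockRequest`, partly visible as hunk context, still says the request is blocked when `validationFailureAction is set to 'enforce'`; now that `Enforce()` also accepts the canonical `Enforce`, it should read `// 1. a policy fails (i.e. creates a violation) and validationFailureAction is Enforce (or the deprecated enforce)`. The rest of the comment block starts above the hunk.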
@@ -59,7 +59,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Enforce, + ValidationFailureAction: "Enforce", Rules: []response.RuleResponse{ { Name: "rule-fail", @@ -80,7 +80,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Audit, + ValidationFailureAction: "Audit", Rules: []response.RuleResponse{ { Name: "rule-fail", @@ -101,7 +101,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Audit, + ValidationFailureAction: "Audit", Rules: []response.RuleResponse{ { Name: "rule-error", @@ -122,7 +122,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Audit, + ValidationFailureAction: "Audit", Rules: []response.RuleResponse{ { Name: "rule-error", @@ -143,7 +143,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Audit, + ValidationFailureAction: "Audit", Rules: []response.RuleResponse{ { Name: "rule-warning", @@ -164,7 +164,7 @@ func TestBlockRequest(t *testing.T) { engineResponses: []*response.EngineResponse{ { PolicyResponse: response.PolicyResponse{ - ValidationFailureAction: kyvernov1.Audit, + ValidationFailureAction: "Audit", Rules: []response.RuleResponse{ { Name: "rule-warning", @@ -205,7 +205,7 @@ func TestGetBlockedMessages(t *testing.T) { Policy: response.PolicySpec{ Name: "test", }, - ValidationFailureAction: kyvernov1.Enforce, + ValidationFailureAction: "Enforce", Rules: []response.RuleResponse{ { Name: "rule-fail", 
@@ -232,7 +232,7 @@ func TestGetBlockedMessages(t *testing.T) { Policy: response.PolicySpec{ Name: "test", }, - ValidationFailureAction: kyvernov1.Enforce, + ValidationFailureAction: "Enforce", Rules: []response.RuleResponse{ { Name: "rule-error", @@ -259,7 +259,7 @@ func TestGetBlockedMessages(t *testing.T) { Policy: response.PolicySpec{ Name: "test", }, - ValidationFailureAction: kyvernov1.Enforce, + ValidationFailureAction: "Enforce", Rules: []response.RuleResponse{ { Name: "rule-fail",