
refactor: add ValidationFailureAction to the api (#3451)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Co-authored-by: Prateek Pandey <prateek.pandey@nirmata.com>
Charles-Edouard Brétéché 2022-03-23 09:59:41 +01:00 committed by GitHub
parent 65409890b4
commit f34d3c342d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
14 changed files with 67 additions and 33 deletions


@ -525,9 +525,3 @@ type ResourceSpec struct {
// Name specifies the resource name.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
type ValidationFailureActionOverride struct {
// +kubebuilder:validation:Enum=audit;enforce
Action string `json:"action,omitempty" yaml:"action,omitempty"`
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
}


@ -7,6 +7,23 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
)
// ValidationFailureAction defines the policy validation failure action
type ValidationFailureAction string
// Policy Reporting Modes
const (
// Enforce blocks the request on failure
Enforce ValidationFailureAction = "enforce"
// Audit indicates not to block the request on failure, but report failiures as policy violations
Audit ValidationFailureAction = "audit"
)
type ValidationFailureActionOverride struct {
// +kubebuilder:validation:Enum=audit;enforce
Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
}
// Spec contains a list of Rule instances and other policy controls.
type Spec struct {
// Rules is a list of Rule instances. A Policy contains multiple rules and
@ -24,7 +41,7 @@ type Spec struct {
// and report an error in a policy report. Optional. The default value is "audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce
ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
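Review bot: The doc comment on the Audit constant carries the typo `failiures`, and since the constant now lives in the public API package the comment is surfaced in generated docs; it should read `// Audit indicates not to block the request on failure, but report failures as policy violations`. The `+kubebuilder:validation:Enum=audit;enforce` marker is also still attached per field (on `Action` here and on `Spec.ValidationFailureAction` in the second hunk) rather than once on the new `type ValidationFailureAction string` declaration, so a future field of that type silently gets no CRD validation unless its author remembers the marker; controller-gen accepts the marker on the type itself, which would make the enum follow the type. The `Spec` struct begun at the end of the first hunk continues outside the hunk.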


@ -1344,6 +1344,7 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation failure action
enum:
- audit
- enforce
@ -4782,6 +4783,7 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation failure action
enum:
- audit
- enforce


@ -2145,6 +2145,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce


@ -2146,6 +2146,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce


@ -2161,6 +2161,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce
@ -7434,6 +7436,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce


@ -2150,6 +2150,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce
@ -7399,6 +7401,8 @@ spec:
items:
properties:
action:
description: ValidationFailureAction defines the policy validation
failure action
enum:
- audit
- enforce


@ -397,7 +397,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.</p>
<td>
<code>validationFailureAction</code></br>
<em>
string
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>
@ -1646,7 +1648,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.</p>
<td>
<code>validationFailureAction</code></br>
<em>
string
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>
@ -2313,7 +2317,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.</p>
<td>
<code>validationFailureAction</code></br>
<em>
string
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>
@ -2525,6 +2531,16 @@ Deny
</tbody>
</table>
<hr />
<h3 id="kyverno.io/v1.ValidationFailureAction">ValidationFailureAction
(<code>string</code> alias)</p></h3>
<p>
(<em>Appears on:</em>
<a href="#kyverno.io/v1.Spec">Spec</a>,
<a href="#kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride</a>)
</p>
<p>
<p>ValidationFailureAction defines the policy validation failure action</p>
</p>
<h3 id="kyverno.io/v1.ValidationFailureActionOverride">ValidationFailureActionOverride
</h3>
<p>
@ -2545,7 +2561,9 @@ Deny
<td>
<code>action</code></br>
<em>
string
<a href="#kyverno.io/v1.ValidationFailureAction">
ValidationFailureAction
</a>
</em>
</td>
<td>


@ -20,14 +20,6 @@ import (
"sigs.k8s.io/controller-runtime/pkg/log"
)
// Policy Reporting Modes
const (
// Enforce blocks the request on failure
Enforce = "enforce"
// Audit indicates not to block the request on failure, but report failiures as policy violations
Audit = "audit"
)
// Policy Reporting Types
const (
PolicyViolation = "POLICYVIOLATION"


@ -31,7 +31,7 @@ type PolicyResponse struct {
// rule response
Rules []RuleResponse `json:"rules"`
// ValidationFailureAction: audit (default) or enforce
ValidationFailureAction string
ValidationFailureAction kyverno.ValidationFailureAction
ValidationFailureActionOverrides []ValidationFailureActionOverride
}
@ -177,6 +177,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string {
}
type ValidationFailureActionOverride struct {
Action string `json:"action"`
Namespaces []string `json:"namespaces"`
Action kyverno.ValidationFailureAction `json:"action"`
Namespaces []string `json:"namespaces"`
}


@ -7,11 +7,11 @@ import (
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
)
func ParsePolicyValidationMode(validationFailureAction string) (PolicyValidationMode, error) {
func ParsePolicyValidationMode(validationFailureAction kyverno.ValidationFailureAction) (PolicyValidationMode, error) {
switch validationFailureAction {
case "enforce":
case kyverno.Enforce:
return Enforce, nil
case "audit":
case kyverno.Audit:
return Audit, nil
default:
return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit")
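Review bot: The error message on the last line still hard-codes the `"enforce"` and `"audit"` literals although the switch above now matches on `kyverno.Enforce` and `kyverno.Audit`, so the message and the accepted values can drift apart if the constants ever change. Use the constants in the message too: `return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, kyverno.Enforce, kyverno.Audit)`. The function's closing brace lies outside the hunk.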


@ -104,9 +104,9 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
m.Lock()
defer m.Unlock()
enforcePolicy := policy.Spec.ValidationFailureAction == common.Enforce
enforcePolicy := policy.Spec.ValidationFailureAction == kyverno.Enforce
for _, k := range policy.Spec.ValidationFailureActionOverrides {
if k.Action == common.Enforce {
if k.Action == kyverno.Enforce {
enforcePolicy = true
break
}


@ -182,7 +182,7 @@ func defaultBackgroundFlag(spec *kyverno.Spec, log logr.Logger) ([]byte, string)
func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte, string) {
// set ValidationFailureAction to "audit" if not specified
Audit := common.Audit
Audit := kyverno.Audit
if spec.ValidationFailureAction == "" {
log.V(4).Info("setting default value", "spec.validationFailureAction", Audit)
@ -193,7 +193,7 @@ func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte
}{
"/spec/validationFailureAction",
"add",
Audit,
string(Audit),
}
patchByte, err := json.Marshal(jsonPatch)
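Review bot: `Audit := kyverno.Audit` keeps a capitalised local variable, which reads like an exported identifier and no longer earns its keep now that the value is a typed constant from the API package. A lowercase local, `audit := kyverno.Audit`, or using `kyverno.Audit` directly in the log call and `string(kyverno.Audit)` in the patch value would be the idiomatic form. The function continues between the two hunks and after the second one.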


@ -6,7 +6,6 @@ import (
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/common"
"github.com/kyverno/kyverno/pkg/engine/response"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/minio/pkg/wildcard"
@ -27,12 +26,12 @@ func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {
}
func checkEngineResponse(er *response.EngineResponse) bool {
nsAction := ""
var nsAction kyverno.ValidationFailureAction
actionOverride := false
for _, v := range er.PolicyResponse.ValidationFailureActionOverrides {
action := v.Action
if action != common.Enforce && action != common.Audit {
if action != kyverno.Enforce && action != kyverno.Audit {
continue
}
@ -49,7 +48,7 @@ func checkEngineResponse(er *response.EngineResponse) bool {
}
}
return !er.IsSuccessful() && ((actionOverride && nsAction == common.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == common.Enforce))
return !er.IsSuccessful() && ((actionOverride && nsAction == kyverno.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == kyverno.Enforce))
}
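Review bot: The `continue` following the new `action != kyverno.Enforce && action != kyverno.Audit` check silently discards an override whose action is neither value, so an override that reaches the engine with an unexpected action is dropped and the decision falls back to the policy-level `ValidationFailureAction`; when that is audit, a request the override intended to block is admitted with nothing recorded about why. The CRD enum should stop such values at admission, but the engine cannot rely on that for objects that bypass it, so a log line before the `continue` would make the fallback visible, e.g. `log.V(4).Info("ignoring validationFailureActionOverride with unknown action", "action", action)` if a logger is reachable from this function (only `er` is a parameter). The loop body between the two hunks is not shown.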
// returns true -> if there is even one policy that blocks resource request