diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go
index 35caa4f4fe..be2ab6a293 100755
--- a/api/kyverno/v1/common_types.go
+++ b/api/kyverno/v1/common_types.go
@@ -525,9 +525,3 @@ type ResourceSpec struct {
// Name specifies the resource name.
Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
-
-type ValidationFailureActionOverride struct {
- // +kubebuilder:validation:Enum=audit;enforce
- Action string `json:"action,omitempty" yaml:"action,omitempty"`
- Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
-}
diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index 3de485c7ba..6ba5528116 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -7,6 +7,23 @@ import (
"k8s.io/apimachinery/pkg/util/validation/field"
)
+// ValidationFailureAction defines the policy validation failure action
+type ValidationFailureAction string
+
+// Policy Reporting Modes
+const (
+ // Enforce blocks the request on failure
+ Enforce ValidationFailureAction = "enforce"
+ // Audit indicates not to block the request on failure, but report failiures as policy violations
+ Audit ValidationFailureAction = "audit"
+)
+
+type ValidationFailureActionOverride struct {
+ // +kubebuilder:validation:Enum=audit;enforce
+ Action ValidationFailureAction `json:"action,omitempty" yaml:"action,omitempty"`
+ Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"`
+}
+
// Spec contains a list of Rule instances and other policy controls.
type Spec struct {
// Rules is a list of Rule instances. A Policy contains multiple rules and
@@ -24,7 +41,7 @@ type Spec struct {
// and report an error in a policy report. Optional. The default value is "audit".
// +optional
// +kubebuilder:validation:Enum=audit;enforce
- ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
+ ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
// ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
// namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml
index 41b0b32f42..9eb485acf0 100644
--- a/charts/kyverno/templates/crds.yaml
+++ b/charts/kyverno/templates/crds.yaml
@@ -1344,6 +1344,7 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation failure action
enum:
- audit
- enforce
@@ -4782,6 +4783,7 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation failure action
enum:
- audit
- enforce
diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml
index 8d465e2b13..491b11bffe 100644
--- a/config/crds/kyverno.io_clusterpolicies.yaml
+++ b/config/crds/kyverno.io_clusterpolicies.yaml
@@ -2145,6 +2145,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml
index aefae23cc7..157e7b6e26 100644
--- a/config/crds/kyverno.io_policies.yaml
+++ b/config/crds/kyverno.io_policies.yaml
@@ -2146,6 +2146,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
diff --git a/config/install.yaml b/config/install.yaml
index 25f9da55ba..f8b76dcad5 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -2161,6 +2161,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
@@ -7434,6 +7436,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
diff --git a/config/install_debug.yaml b/config/install_debug.yaml
index 53792e7fa2..a1ca447a1a 100755
--- a/config/install_debug.yaml
+++ b/config/install_debug.yaml
@@ -2150,6 +2150,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
@@ -7399,6 +7401,8 @@ spec:
items:
properties:
action:
+ description: ValidationFailureAction defines the policy validation
+ failure action
enum:
- audit
- enforce
diff --git a/docs/crd/v1/index.html b/docs/crd/v1/index.html
index 05ac040c72..91be6477f6 100644
--- a/docs/crd/v1/index.html
+++ b/docs/crd/v1/index.html
@@ -397,7 +397,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.
validationFailureAction
-string
+
+ValidationFailureAction
+
|
@@ -1646,7 +1648,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.
|
validationFailureAction
-string
+
+ValidationFailureAction
+
|
@@ -2313,7 +2317,9 @@ Allowed values are Ignore or Fail. Defaults to Fail.
|
validationFailureAction
-string
+
+ValidationFailureAction
+
|
@@ -2525,6 +2531,16 @@ Deny
+ValidationFailureAction
+(string alias)
+
+(Appears on:
+Spec,
+ValidationFailureActionOverride)
+
+
+ ValidationFailureAction defines the policy validation failure action
+
ValidationFailureActionOverride
@@ -2545,7 +2561,9 @@ Deny
|
action
-string
+
+ValidationFailureAction
+
|
diff --git a/pkg/common/common.go b/pkg/common/common.go
index 9d983ba4f2..81e5655226 100644
--- a/pkg/common/common.go
+++ b/pkg/common/common.go
@@ -20,14 +20,6 @@ import (
"sigs.k8s.io/controller-runtime/pkg/log"
)
-// Policy Reporting Modes
-const (
- // Enforce blocks the request on failure
- Enforce = "enforce"
- // Audit indicates not to block the request on failure, but report failiures as policy violations
- Audit = "audit"
-)
-
// Policy Reporting Types
const (
PolicyViolation = "POLICYVIOLATION"
diff --git a/pkg/engine/response/response.go b/pkg/engine/response/response.go
index 6eec128eba..464a080b53 100644
--- a/pkg/engine/response/response.go
+++ b/pkg/engine/response/response.go
@@ -31,7 +31,7 @@ type PolicyResponse struct {
// rule response
Rules []RuleResponse `json:"rules"`
// ValidationFailureAction: audit (default) or enforce
- ValidationFailureAction string
+ ValidationFailureAction kyverno.ValidationFailureAction
ValidationFailureActionOverrides []ValidationFailureActionOverride
}
@@ -177,6 +177,6 @@ func (er EngineResponse) getRules(status RuleStatus) []string {
}
type ValidationFailureActionOverride struct {
- Action string `json:"action"`
- Namespaces []string `json:"namespaces"`
+ Action kyverno.ValidationFailureAction `json:"action"`
+ Namespaces []string `json:"namespaces"`
}
diff --git a/pkg/metrics/parsers.go b/pkg/metrics/parsers.go
index ed4dc904b5..5b1f95a26e 100644
--- a/pkg/metrics/parsers.go
+++ b/pkg/metrics/parsers.go
@@ -7,11 +7,11 @@ import (
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
)
-func ParsePolicyValidationMode(validationFailureAction string) (PolicyValidationMode, error) {
+func ParsePolicyValidationMode(validationFailureAction kyverno.ValidationFailureAction) (PolicyValidationMode, error) {
switch validationFailureAction {
- case "enforce":
+ case kyverno.Enforce:
return Enforce, nil
- case "audit":
+ case kyverno.Audit:
return Audit, nil
default:
return "", fmt.Errorf("wrong validation failure action found %s. Allowed: '%s', '%s'", validationFailureAction, "enforce", "audit")
diff --git a/pkg/policycache/cache.go b/pkg/policycache/cache.go
index 561bd51145..c6ccde8242 100644
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@@ -104,9 +104,9 @@ func (m *pMap) add(policy *kyverno.ClusterPolicy) {
m.Lock()
defer m.Unlock()
- enforcePolicy := policy.Spec.ValidationFailureAction == common.Enforce
+ enforcePolicy := policy.Spec.ValidationFailureAction == kyverno.Enforce
for _, k := range policy.Spec.ValidationFailureActionOverrides {
- if k.Action == common.Enforce {
+ if k.Action == kyverno.Enforce {
enforcePolicy = true
break
}
diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go
index 17af444c17..1b9d47988d 100644
--- a/pkg/policymutation/policymutation.go
+++ b/pkg/policymutation/policymutation.go
@@ -182,7 +182,7 @@ func defaultBackgroundFlag(spec *kyverno.Spec, log logr.Logger) ([]byte, string)
func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte, string) {
// set ValidationFailureAction to "audit" if not specified
- Audit := common.Audit
+ Audit := kyverno.Audit
if spec.ValidationFailureAction == "" {
log.V(4).Info("setting default value", "spec.validationFailureAction", Audit)
@@ -193,7 +193,7 @@ func defaultvalidationFailureAction(spec *kyverno.Spec, log logr.Logger) ([]byte
}{
"/spec/validationFailureAction",
"add",
- Audit,
+ string(Audit),
}
patchByte, err := json.Marshal(jsonPatch)
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 2b7793d085..99bb7589eb 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -6,7 +6,6 @@ import (
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
- "github.com/kyverno/kyverno/pkg/common"
"github.com/kyverno/kyverno/pkg/engine/response"
engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
"github.com/minio/pkg/wildcard"
@@ -27,12 +26,12 @@ func isResponseSuccessful(engineReponses []*response.EngineResponse) bool {
}
func checkEngineResponse(er *response.EngineResponse) bool {
- nsAction := ""
+ var nsAction kyverno.ValidationFailureAction
actionOverride := false
for _, v := range er.PolicyResponse.ValidationFailureActionOverrides {
action := v.Action
- if action != common.Enforce && action != common.Audit {
+ if action != kyverno.Enforce && action != kyverno.Audit {
continue
}
@@ -49,7 +48,7 @@ func checkEngineResponse(er *response.EngineResponse) bool {
}
}
- return !er.IsSuccessful() && ((actionOverride && nsAction == common.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == common.Enforce))
+ return !er.IsSuccessful() && ((actionOverride && nsAction == kyverno.Enforce) || (!actionOverride && er.PolicyResponse.ValidationFailureAction == kyverno.Enforce))
}
// returns true -> if there is even one policy that blocks resource request
|