precondition failure will skip rule independent of audit or enforce mode (#4163)

* precondition fails will skip rule independent of audit or enforce mode

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

* Added cli-test cases

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

* small fix

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>

pkg/engine/validation.go

@@ -215,7 +215,7 @@ func (v *validator) validate() *response.RuleResponse {
 		return ruleError(v.rule, response.Validation, "failed to evaluate preconditions", err)
 	}
 
-	if !preconditionsPassed && (v.ctx.Policy.GetSpec().ValidationFailureAction != kyvernov1.Audit || store.GetMock()) {
+	if !preconditionsPassed {
 		return ruleResponse(*v.rule, response.Validation, "preconditions not met", response.RuleStatusSkip, nil)
 	}
 
@@ -256,7 +256,7 @@ func (v *validator) validateForEach() *response.RuleResponse {
 	preconditionsPassed, err := checkPreconditions(v.log, v.ctx, v.anyAllConditions)
 	if err != nil {
 		return ruleError(v.rule, response.Validation, "failed to evaluate preconditions", err)
-	} else if !preconditionsPassed && (v.ctx.Policy.GetSpec().ValidationFailureAction != kyvernov1.Audit || store.GetMock()) {
+	} else if !preconditionsPassed {
 		return ruleResponse(*v.rule, response.Validation, "preconditions not met", response.RuleStatusSkip, nil)
 	}
 

test/cli/test/policy-reports-skip-validation/kyverno-test.yaml

@@ -0,0 +1,17 @@
+name: disallow-naked-pods
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+variables: values.yaml
+results:
+- policy: disallow-naked-pods
+  rule: validate-naked-pods
+  resource: blank-skip
+  kind: Pod
+  result: skip
+- policy: disallow-naked-pods
+  rule: validate-naked-pods
+  resource: blank-fail
+  kind: Pod
+  result: fail

test/cli/test/policy-reports-skip-validation/policy.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata: 
+  name: disallow-naked-pods
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+  - name: validate-naked-pods
+    match: 
+      any:
+      - resources:
+          kinds:
+          - Pod
+    context:
+      - name: ignorepolicy
+        apiCall:
+          urlPath: "/api/v1/namespaces/{{request.namespace}}"
+          jmesPath: "metadata.annotations.\"policies.example.ignore-policy/disallow-naked-pods\" || ''"
+    preconditions:
+      all:
+      - key: "{{ignorepolicy}}"
+        operator: NotEquals
+        value: "ignore" 
+    validate:
+      message: "naked pods are not allowed"
+      deny:
+        conditions:
+          any:
+          - key: ownerReferences
+            operator: AnyNotIn
+            value: "{{request.object.metadata.keys(@)}}"

test/cli/test/policy-reports-skip-validation/resource.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: blank-skip
+spec:
+  hostIPC: true
+  containers:
+  - name: busybox
+    image: busyboxasdfasdf:1.28
+    args:
+    - sleep
+    - "9999"
+    securityContext:
+      runAsUser: 12345
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: blank-fail
+  labels:
+    foo: bar
+spec:
+  hostIPC: true
+  containers:
+  - name: busybox
+    image: nginx

test/cli/test/policy-reports-skip-validation/values.yaml

@@ -0,0 +1,14 @@
+policies:
+  - name: disallow-naked-pods
+    resources:
+    - name: blank-skip
+     # It doesn't satifies the precondition. Therefore can not proceed
+     # further for validation.
+      values:
+        ignorepolicy: "ignore"
+    - name: blank-fail
+     # It satisfies the precondition. Therefore can proceed
+     # further for validation against policy.
+      values:
+        ignorepolicy: "allowit"
+