allow kyverno apply command to continue on failure (#10036)

* allow kyverno apply to continue on failure Signed-off-by: lanting.chiang <lanting.chiang@robinhood.com> * allow kyverno apply to continue on failure Signed-off-by: lanting.chiang <lanting.chiang@robinhood.com> --------- Signed-off-by: lanting.chiang <lanting.chiang@robinhood.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2024-05-06 05:00:54 -04:00 · 2024-05-06 05:00:54 -04:00 · f91bf6529d
commit f91bf6529d
parent cd33b84a62
2 changed files with 11 additions and 0 deletions
--- a/cmd/cli/kubectl-kyverno/commands/apply/command.go
+++ b/cmd/cli/kubectl-kyverno/commands/apply/command.go
@ -67,6 +67,7 @@ type ApplyCommandConfig struct {
 	warnExitCode   int
 	warnNoPassed   bool
 	Exception      []string
+	continueOnFail bool
 }

 func Command() *cobra.Command {
@ -121,6 +122,7 @@ func Command() *cobra.Command {
 	cmd.Flags().BoolVarP(&table, "table", "t", false, "Show results in table format")
 	cmd.Flags().StringSliceVarP(&applyCommandConfig.Exception, "exception", "e", nil, "Policy exception to be considered when evaluating policies against resources")
 	cmd.Flags().StringSliceVarP(&applyCommandConfig.Exception, "exceptions", "", nil, "Policy exception to be considered when evaluating policies against resources")
+	cmd.Flags().BoolVar(&applyCommandConfig.continueOnFail, "continue-on-fail", false, "If set to true, will continue to apply policies on the next resource upon failure to apply to the current resource instead of exiting out")
 	return cmd
 }

@ -234,6 +236,10 @@ func (c *ApplyCommandConfig) applyValidatingAdmissionPolicytoResource(
 		}
 		ers, err := processor.ApplyPolicyOnResource()
 		if err != nil {
+			if c.continueOnFail {
+				fmt.Printf("failed to apply policies on resource %s (%v)\n", resource.GetName(), err)
+				continue
+			}
 			return responses, fmt.Errorf("failed to apply policies on resource %s (%w)", resource.GetName(), err)
 		}
 		responses = append(responses, ers...)
@ -298,6 +304,10 @@ func (c *ApplyCommandConfig) applyPolicytoResource(
 		}
 		ers, err := processor.ApplyPoliciesOnResource()
 		if err != nil {
+			if c.continueOnFail {
+				fmt.Printf("failed to apply policies on resource %v (%v)\n", resource.GetName(), err)
+				continue
+			}
 			return &rc, resources, responses, fmt.Errorf("failed to apply policies on resource %v (%w)", resource.GetName(), err)
 		}
 		responses = append(responses, ers...)
--- a/docs/user/cli/commands/kyverno_apply.md
+++ b/docs/user/cli/commands/kyverno_apply.md
@ -40,6 +40,7 @@ kyverno apply [flags]
      --audit-warn           If set to true, will flag audit policies as warnings instead of failures
  -c, --cluster              Checks if policies should be applied to cluster in the current context
      --context string       The name of the kubeconfig context to use
+      --continue-on-fail     If set to true, will continue to apply policies on the next resource upon failure to apply to the current resource instead of exiting out
      --detailed-results     If set to true, display detailed results
  -e, --exception strings    Policy exception to be considered when evaluating policies against resources
      --exceptions strings   Policy exception to be considered when evaluating policies against resources