ci(cluster-policies): flip .policyignore to an allowlist #2485
Upstream kyverno/policies added a new top-level category (job-timeout-enforcer/) that the blocklist-style .policyignore did not match, so the nightly sync leaked its fixture file into a red sync PR (naming-convention + Kubescape NSA gate failures). Any future upstream category addition would break the same way. Flip the file to an allowlist: ignore everything, re-include only the three policies the platform vendors (the ones referenced from the cluster-policies kustomization). Verified by replaying the sync filter's exact last-match-wins logic against the full upstream tree: exactly the 3 vendored files survive. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
📝 Walkthrough

Sequence Diagram(s): No sequence diagram generated, as this change is a configuration-only update to ignore rules with no observable code flow.

Related Issues: No related issues found.
Related PRs: No related pull requests found.
Suggested labels: documentation, low-effort
Suggested reviewers: devantler

🚥 Pre-merge checks: ✅ 5 passed (5 passed checks)
🎉 This PR is included in version 1.100.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Why

Upstream kyverno/policies added a new top-level policy category, and because .policyignore was a blocklist, the nightly policy sync leaked its fixture file into a red sync PR (#2483 — naming + Kubescape gate failures). Every future upstream category addition would break the same way.

What

Flips .policyignore to an allowlist: ignore everything upstream, re-include only the three policies the platform actually vendors. Verified by replaying the sync filter's exact matching logic against the full upstream tree — exactly the 3 vendored files survive.

After this merges, the next nightly sync regenerates an empty diff and #2483 closes itself.
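The blocklist-versus-allowlist behaviour described above, as an added example that is not the repository's own sync filter. It assumes a gitignore-like .policyignore (one pattern per line, '!' re-includes, last match wins) and uses placeholder policy and category names, since the page does not list the three vendored files.

```python
# Added example, not the repository's own sync filter: replay a gitignore-style,
# last-match-wins .policyignore against a constructed upstream tree. Assumed
# semantics: one pattern per line, '#' comments, '!' re-includes, trailing '/'
# matches a directory prefix. Every file name below is a placeholder.
from fnmatch import fnmatchcase

def load_rules(text):
    """Parse ignore text into (negated, pattern) pairs in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        rules.append((negated, line[1:] if negated else line))
    return rules

def is_ignored(rules, path):
    """The last matching rule decides; a path no rule matches is kept."""
    ignored = False
    for negated, pattern in rules:
        hit = (path.startswith(pattern) if pattern.endswith("/")
               else fnmatchcase(path, pattern))
        if hit:
            ignored = not negated
    return ignored

def surviving(ignore_text, tree):
    rules = load_rules(ignore_text)
    return [p for p in tree if not is_ignored(rules, p)]

# Constructed tree: three vendored policies, one fixture, and a new top-level
# category (job-timeout-enforcer/) that no blocklist entry anticipated.
TREE = [
    "best-practices/policy-a/policy-a.yaml",
    "best-practices/policy-a/resource.yaml",
    "pod-security/policy-b/policy-b.yaml",
    "other/policy-c/policy-c.yaml",
    "job-timeout-enforcer/policy-d/policy-d.yaml",
    "job-timeout-enforcer/policy-d/resource.yaml",
]
VENDORED = [TREE[0], TREE[2], TREE[3]]

# Blocklist: enumerate what to drop, so an unlisted category leaks through.
BLOCKLIST = "best-practices/*/resource.yaml\npod-security/*/resource.yaml\nother/*/resource.yaml\n"

# Allowlist: drop everything, then re-include only the vendored files.
ALLOWLIST = "*\n!" + "\n!".join(VENDORED) + "\n"
```

Under BLOCKLIST the new category's files survive the filter; under ALLOWLIST exactly the three vendored paths remain.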