[BUG] Setting validationFailureAction to enforce is going to enforce it for every Policy. #567
Comments
@f1ko This is known behavior of the current logic: we would block the request when an enforce policy exists, no matter which policy this request violates, and report policy violations on those audit policies; see discussion here. It does seem a bit confusing that flag
The fix is in #601. Now the expected behavior is that each policy will be blocked on its own.
There was one concern from @shivdudhani with regard to removing violations reported on the resource owner (for enforce policy):
The initial proposal to create a violation with the owner was to report / alarm that something wrong happened rather than going silent, in most cases, on podControllers. @JimBugwadia Any inputs?
Since we introduced the variable substitution feature, the policy can now be flexible about the resource it applies to. The idea is to re-use some patterns defined in the rule to extend the policy. For example, argo-rollouts is a CRD that refers to the Deployment, and sequentially creates pods.
Close via #601.
Describe the bug
Setting validationFailureAction: enforce for one policy is going to enforce it on every policy.

To Reproduce
a5aa8669ff772134aa2b1dac92b9bb15c7b1e68c.
validationFailureAction set to audit on both of them).
validationFailureAction to enforce.
validationFailureAction set to audit.

Expected behavior
Each policy should act according to its own validationFailureAction.
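A simplified model of the two admission decisions discussed in this issue, added here as an illustration and not taken from Kyverno's code or from #601. The Policy type, the function names and the sample policies are hypothetical, and each policy is reduced to a single required label.

```go
package main

import "fmt"

// Policy is a simplified, hypothetical stand-in (not Kyverno's own type).
type Policy struct {
	Name, Action, RequiredLabel string
}

// violated returns the policies whose required label is missing.
func violated(ps []Policy, labels map[string]string) []Policy {
	var out []Policy
	for _, p := range ps {
		if labels[p.RequiredLabel] == "" {
			out = append(out, p)
		}
	}
	return out
}

// blockGlobal models the reported behaviour: once any policy is enforce,
// a violation of any policy (even an audit one) blocks the request.
func blockGlobal(ps []Policy, labels map[string]string) bool {
	anyEnforce := false
	for _, p := range ps {
		anyEnforce = anyEnforce || p.Action == "enforce"
	}
	return anyEnforce && len(violated(ps, labels)) > 0
}

// blockPerPolicy models the expected behaviour: block only when a violated
// policy is itself set to enforce; audit violations are only reported.
func blockPerPolicy(ps []Policy, labels map[string]string) bool {
	for _, p := range violated(ps, labels) {
		if p.Action == "enforce" {
			return true
		}
	}
	return false
}

// samplePolicies is constructed input: one enforce and one audit policy.
func samplePolicies() []Policy {
	return []Policy{{"require-team", "enforce", "team"}, {"require-owner", "audit", "owner"}}
}

func main() {
	pod := map[string]string{"team": "payments"} // violates only the audit policy
	fmt.Println(blockGlobal(samplePolicies(), pod), blockPerPolicy(samplePolicies(), pod))
}
```

A regression test for this bug needs the case where only the audit policy is violated, since that is the only input on which the two decisions differ.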