failurePolicy Ignore vs enforcing policies #893

Closed
rubroboletus opened this issue Jun 1, 2020 · 4 comments · Fixed by #2425
Assignees
Labels
end user This label is used to track the issue that is raised by the end user. enhancement New feature or request HA High Availability

Comments

@rubroboletus

All webhooks have failurePolicy=Ignore, but that can cause problems when you want to enforce policies on your cluster. Also, the updateStrategy for the Deployment is not ideal. Consider using maxSurge: 1; maxUnavailable: 40%. Then, with 1 running Pod, the new one will be created first and the old one terminated on success. Also, for enforcing rules, maybe a better solution is to set failurePolicy=Fail, set up a proper timeout, and use namespaceSelector.matchExpressions: with a good expression and a label on the kyverno namespace.

@rubroboletus rubroboletus added the enhancement New feature or request label Jun 1, 2020
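The webhook and Deployment settings proposed in the comment above, written out as an added example. These are not Kyverno's own manifests and are not part of the original issue; the webhook name, Service name and path, container image, and the `namespace` label on the kyverno namespace are assumptions for illustration.

```yaml
# Added example, not Kyverno's own manifests. Names marked "assumed" are
# placeholders for illustration only.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: example-validating-webhook        # assumed name
webhooks:
- name: validate.example.kyverno.svc       # assumed name
  # The weak default is failurePolicy: Ignore, which admits every request
  # whenever the webhook is down or times out, so policies are not actually
  # enforced. Fail rejects requests the webhook could not evaluate.
  failurePolicy: Fail
  # Keep the timeout short so a slow or dead webhook does not stall the API
  # server; the v1 API caps this at 30 seconds.
  timeoutSeconds: 10
  # Skip the namespace the webhook itself runs in, so that a Fail policy
  # cannot block the Pods that serve the webhook (a self-lockout).
  namespaceSelector:
    matchExpressions:
    - key: namespace        # label assumed to be set on the kyverno namespace
      operator: NotIn
      values: ["kyverno"]
  rules:
  - operations: ["CREATE", "UPDATE"]
    apiGroups: ["*"]
    apiVersions: ["*"]
    resources: ["*"]
    scope: "Namespaced"
  clientConfig:
    service:
      namespace: kyverno
      name: kyverno-svc       # assumed Service name
      path: /validate         # assumed path
    # caBundle: <base64 PEM>  # CA that signs the webhook's serving certificate
  admissionReviewVersions: ["v1"]
  sideEffects: None
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno
  namespace: kyverno
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1           # the new Pod is started first ...
      maxUnavailable: 40%   # ... and the single old Pod is never taken down
                            # early: a percentage is rounded down, 40% of 1 = 0
  selector:
    matchLabels:
      app: kyverno
  template:
    metadata:
      labels:
        app: kyverno
    spec:
      containers:
      - name: kyverno
        image: example/kyverno:tag     # assumed placeholder image
```

With failurePolicy: Fail the rolling-update settings matter: if the only webhook Pod were terminated before its replacement was Ready, every namespaced create or update outside the excluded namespace would be rejected until the webhook came back.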
@JimBugwadia
Member

JimBugwadia commented Jun 2, 2020

@rubroboletus thanks! I agree with your suggestions on the webhook defaults and deployment strategy. However, can you please elaborate on this?

Also for enforcing rules, maybe better solution is to set failurePolicy=Fail, setting up proper timeout and namespaceSelector.matchExpressions: with good expression and label to kyverno namespace.

What namespace selector are you referring to?

@rubroboletus
Author

@JimBugwadia namespace selector for webhook, from K8s documentation:

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
...
webhooks:
- name: my-webhook.example.com
  namespaceSelector:
    matchExpressions:
    - key: namespace
      operator: NotIn
      values: ["kyverno"]
  rules:
  - operations: ["CREATE"]
    apiGroups: [""]
    apiVersions: ["*"]
    resources: ["*"]
    scope: "Namespaced"
  ...

but there is a risk when someone labels another namespace with "namespace=kyverno". So this must be done with an RBAC rule disallowing K8s operators from modifying / adding namespace labels, or a Kyverno rule disallowing the modification / addition of labels with the name "namespace".
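One way to write the Kyverno-rule mitigation proposed above, as an added example that is not part of the original thread and not one of Kyverno's own sample policies. The policy name is an assumption, and the `namespace` label key is the one the comment above uses for the webhook's namespaceSelector.

```yaml
# Added example, not Kyverno's own policy. Rejects any Namespace other than
# "kyverno" that carries the label namespace=kyverno, since that label would
# exclude the namespace from the admission webhook and so from enforcement.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-webhook-exclusion-label     # assumed name
spec:
  validationFailureAction: enforce          # reject, do not just audit
  background: false                         # admission-time check only
  rules:
  - name: only-kyverno-ns-may-carry-exclusion-label
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        name: kyverno                       # the real kyverno namespace may keep the label
    validate:
      message: >-
        The label namespace=kyverno is reserved for the kyverno namespace;
        setting it here would exclude this namespace from policy enforcement.
      pattern:
        metadata:
          # =(key) is Kyverno's equality anchor: check the value only if the
          # key is present. "!kyverno" means the value must not equal kyverno.
          =(labels):
            =(namespace): "!kyverno"
```

Two caveats a practitioner should keep in mind. First, Namespace objects are cluster-scoped, and the API server evaluates a namespaceSelector for a Namespace object against that object's own labels: a Namespace created or updated with namespace=kyverno would therefore skip a webhook registered with the NotIn selector shown earlier, and this policy would never run. Register a separate webhook entry for Namespace resources without that selector, or rely on RBAC that forbids label changes on namespaces as the backstop, which is the other mitigation suggested above. Second, on Kubernetes 1.22 and later every namespace automatically carries the immutable label kubernetes.io/metadata.name set to its own name, so a selector on that label cannot be spoofed by relabeling; the issue above predates that feature.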

@JimBugwadia
Member

Release 1.4 will introduce HA options. We can then revisit the default webhook configuration.

@realshuting
Member

Hi @rubroboletus - namespaceSelector is supported now, please see https://kyverno.io/docs/installation/#webhooks for details.

For all other configurations, please track via #1981, #1995.
