
allowing users to skip policy validation when mutating resources #2365

Merged

Conversation

vyankyGH
Contributor

@vyankyGH vyankyGH commented Sep 7, 2021

Signed-off-by: Vyankatesh vyankateshkd@gmail.com

Related issue

closes #2185

Milestone of this PR

/milestone 1.4.3

What type of PR is this

Introduce a key under the spec which allows skipping policy validation checks.

Proposed Changes

Proof Manifests

old_Policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-change-memory-limits
  # env array needs to exist (at least one env var is present)
  annotations:
    pod-policies.kyverno.io/autogen-controllers: None
spec:
  background: false
  rules:
  - name: pod-containers-1-inject-image
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.object.spec.containers[] | length(@)}}"
        operator: Equals
        value: "1"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/containers/0/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
  - name: pod-containers-2-inject-image
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.object.spec.containers[] | length(@)}}"
        operator: Equals
        value: "2"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/containers/0/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
        - op: add
          path: "/spec/containers/1/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}

output:

Error from server: error when creating ".\\yamls\\2185\\policy.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: ValidationError(io.k8s.api.core.v1.Pod.spec.containers[1].env): invalid type for io.k8s.api.core.v1.Container.env: got "map", expected "array"
ValidationError(io.k8s.api.core.v1.Pod.spec.containers[1]): missing required field "name" in io.k8s.api.core.v1.Container

After Adding

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-change-memory-limit
  # env array needs to exist (at least one env var is present)
  annotations:
    pod-policies.kyverno.io/autogen-controllers: None
spec:
  background: false
  schemaValidation: false
  rules:
  - name: pod-containers-1-inject-image
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.object.spec.containers[] | length(@)}}"
        operator: Equals
        value: "1"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/containers/0/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
  - name: pod-containers-2-inject-image
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.object.spec.containers[] | length(@)}}"
        operator: Equals
        value: "2"
    mutate:
      patchesJson6902: |-
        - op: add
          path: "/spec/containers/0/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[0].image}}"}
        - op: add
          path: "/spec/containers/1/env/-"
          value: {"name":"K8S_IMAGE","value":"{{request.object.spec.containers[1].image}}"}

output:
clusterpolicy.kyverno.io/policy-change-memory-limits created

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments

@vyankyGH vyankyGH added the wip work in progress label Sep 7, 2021
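As an added illustration (not code from this PR or from Kyverno), a small audit of the pattern the manifests above rely on: once spec.schemaValidation is false, the webhook no longer schema-checks the mutated resource, so a patchesJson6902 path that indexes a container must be guarded by a precondition on the container count. POLICY is a constructed, trimmed copy of the "After Adding" manifest; the regex-based scan of the patch string is a simplification, not a YAML parser, and the GreaterThanOrEquals handling is an assumption beyond what the PR shows.

```python
import re
from typing import Any, Optional

# Constructed, trimmed copy of the "After Adding" ClusterPolicy from this PR.
POLICY: dict[str, Any] = {
    "kind": "ClusterPolicy",
    "metadata": {"name": "policy-change-memory-limit"},
    "spec": {
        "schemaValidation": False,
        "rules": [
            {"name": "pod-containers-1-inject-image",
             "preconditions": {"all": [{"key": "{{request.object.spec.containers[] | length(@)}}",
                                        "operator": "Equals", "value": "1"}]},
             "mutate": {"patchesJson6902":
                        '- op: add\n  path: "/spec/containers/0/env/-"\n  value: {"name":"K8S_IMAGE"}\n'}},
            {"name": "pod-containers-2-inject-image",
             "preconditions": {"all": [{"key": "{{request.object.spec.containers[] | length(@)}}",
                                        "operator": "Equals", "value": "2"}]},
             "mutate": {"patchesJson6902":
                        '- op: add\n  path: "/spec/containers/0/env/-"\n  value: {"name":"K8S_IMAGE"}\n'
                        '- op: add\n  path: "/spec/containers/1/env/-"\n  value: {"name":"K8S_IMAGE"}\n'}},
        ],
    },
}

# Container index referenced by a JSON 6902 patch path (line-based scan, not a YAML parser).
PATH_RE = re.compile(r'^\s*-?\s*path:\s*"?/spec/containers/(\d+)/', re.M)
# Precondition key that counts containers, as written in the PR's manifests.
LEN_RE = re.compile(r"containers\[\]\s*\|\s*length\(@\)")

def guaranteed_containers(rule: dict[str, Any]) -> Optional[int]:
    """Lower bound on the container count enforced by the rule's 'all' preconditions, or None."""
    bound = None
    for cond in rule.get("preconditions", {}).get("all", []):
        if LEN_RE.search(cond.get("key", "")) and cond.get("operator") in ("Equals", "GreaterThanOrEquals"):
            n = int(cond["value"])
            bound = n if bound is None else max(bound, n)  # 'all' conditions compose: keep the strongest
    return bound

def audit_policy(policy: dict[str, Any]) -> list[str]:
    """Flag mutate rules that index a container no precondition guarantees, when schema validation is off."""
    spec = policy.get("spec", {})
    if spec.get("schemaValidation", True):
        return []  # the webhook still schema-checks the mutated resource; nothing to flag here
    findings = []
    for rule in spec.get("rules", []):
        patches = rule.get("mutate", {}).get("patchesJson6902", "")
        indices = [int(m.group(1)) for m in PATH_RE.finditer(patches)]
        if not indices:
            continue
        need = max(indices) + 1
        have = guaranteed_containers(rule)
        if have is None or have < need:
            findings.append(f"{rule['name']}: patches containers[{need - 1}] but no precondition guarantees {need} containers")
    return findings
```

Both rules in the PR's manifest pass because each one's Equals precondition covers the highest container index it patches; dropping a precondition produces a finding.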
@vyankyGH
Contributor Author

vyankyGH commented Sep 7, 2021

Documentation required.

@vyankyGH vyankyGH removed the wip work in progress label Sep 7, 2021
Member

@realshuting realshuting left a comment


Looks good overall, added minor comments.

Let's open an issue to track the doc update.

Two review threads on pkg/api/kyverno/v1/policy_types.go (outdated, resolved)
@vyankyGH
Contributor Author

vyankyGH commented Sep 8, 2021

Looks good overall, added minor comments.

Let's open an issue to track the doc update.

Okay

@chipzoller
Member

Is this tracking for 1.4.3?

@realshuting
Member

Is this tracking for 1.4.3?

Yes.

@vyankyGH vyankyGH deleted the allowing_users_to_skip_policyValidation branch February 18, 2022 10:36