use failurePolicy to block or allow requests, on policy errors #4183
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Codecov Report

Coverage diff, main vs. #4183:

            main     #4183    +/-
Coverage    28.86%   30.66%   +1.80%
Files       143      146      +3
Lines       19372    19486    +114
Hits        5591     5976     +385
Misses      13100    12778    -322
Partials    681      732      +51
This is a behavioral change and will need to be documented.
@prateekpandey14 - can you help review?
All e2e tests failed, looks like it cannot build the test image:
@JimBugwadia - can you please resolve conflicts and re-run tests?
@JimBugwadia some more conflicts to resolve after latest merge to main.
…/kyverno into apply_failure_policy
lgtm
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Explanation

Before this PR, if `failurePolicy` was set to `Ignore` it only meant that Kyverno could be skipped if a callback couldn't be made. After this PR, `Ignore` will additionally allow failing calls to image registries to be skipped over and the rule to be evaluated. This allows for rules like verifyImages or others which use image data to not block if the registry is temporarily down, useful in situations where images already exist on the nodes.

Related issue

Fixes #4168

Milestone of this PR

1.8.0

What type of PR is this

/kind cleanup

Proposed Changes

Use `failurePolicy` to determine if a rule error should result in admission requests being blocked. If the `failurePolicy` is `Ignore` and a policy rule results in an error, then the admission request is allowed. If the `failurePolicy` is `Fail` and a policy rule results in an error, the admission request is blocked.

The `validationFailureAction` behavior stays the same. It controls the behavior for a policy violation (the status for the policy rule is `fail`, which may be a bit confusing).

Proof Manifests

Added unit tests.

From the CLI, test using this policy with `failureMode: ignore`:

Run this command, after disconnecting from the network:

Run this command, after connecting back to the network:

When a network error is received, the `failureMode` will be checked to return a policy error and warning messages, instead of blocking the admission request.

Checklist

Further Comments
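The decision matrix the Proposed Changes section describes, as an added example in Go (Kyverno's implementation language). This is not Kyverno's own code: the `Policy`, `RuleResponse` and `Decision` types, the `Decide` function, the `verifyImage` simulation and the constructed registry error are all hypothetical; only the field names and values (`failurePolicy: Ignore|Fail`, `validationFailureAction: audit|enforce`) follow the policy spec fields named in the description. The point it makes concrete is the one the PR hinges on: an unreachable registry is a rule *error* (gated by `failurePolicy`), whereas a non-compliant image is a rule *failure*, i.e. a violation (gated by `validationFailureAction`), and the two must not be conflated.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Added example (not Kyverno's code): a model of the admission decision the PR describes.
// failurePolicy decides what happens when a rule *errors* (for example the image registry
// is unreachable); validationFailureAction decides what happens when a rule *fails*
// (a real policy violation). Field values follow the spec spelling used in the PR
// description; the types and functions below are hypothetical.

type FailurePolicy string
type ValidationFailureAction string
type RuleStatus string

const (
	FailurePolicyFail   FailurePolicy = "Fail"
	FailurePolicyIgnore FailurePolicy = "Ignore"

	ActionAudit   ValidationFailureAction = "audit"
	ActionEnforce ValidationFailureAction = "enforce"

	StatusPass  RuleStatus = "pass"
	StatusFail  RuleStatus = "fail"  // violation: rule evaluated, resource does not comply
	StatusError RuleStatus = "error" // rule could not be evaluated at all
)

// Policy holds the two spec fields that matter for this decision.
type Policy struct {
	Name                    string
	FailurePolicy           FailurePolicy
	ValidationFailureAction ValidationFailureAction
}

// RuleResponse is the outcome of evaluating one rule against the request.
type RuleResponse struct {
	Rule    string
	Status  RuleStatus
	Message string
}

// Decision is what the webhook returns: allow/deny plus denial reasons and warnings.
type Decision struct {
	Allowed  bool
	Reasons  []string // denial reasons (empty when allowed)
	Warnings []string // returned as admission warnings; never block
}

// Decide applies the PR's semantics: rule errors are gated by failurePolicy,
// rule failures (violations) are gated by validationFailureAction.
func Decide(p Policy, rules []RuleResponse) Decision {
	d := Decision{Allowed: true}
	for _, r := range rules {
		msg := fmt.Sprintf("policy %s rule %s %s: %s", p.Name, r.Rule, r.Status, r.Message)
		switch r.Status {
		case StatusError:
			if p.FailurePolicy == FailurePolicyIgnore {
				d.Warnings = append(d.Warnings, msg) // skip the rule, tell the client why
			} else {
				d.Allowed = false // Fail: an unevaluable rule blocks the request
				d.Reasons = append(d.Reasons, msg)
			}
		case StatusFail:
			if p.ValidationFailureAction == ActionEnforce {
				d.Allowed = false
				d.Reasons = append(d.Reasons, msg)
			} else {
				d.Warnings = append(d.Warnings, msg) // audit: report, do not block
			}
		case StatusPass:
			// compliant; nothing to record
		}
	}
	return d
}

// ErrRegistryUnreachable is a constructed stand-in for the network error a
// verifyImages rule hits when the registry is down.
var ErrRegistryUnreachable = errors.New("dial tcp: i/o timeout")

// verifyImage simulates a rule that needs registry data (hypothetical): a registry
// outage becomes a rule *error*, while a mutable tag is treated as a rule *failure*.
func verifyImage(image string, registryUp bool) RuleResponse {
	if !registryUp {
		return RuleResponse{Rule: "verify-image", Status: StatusError,
			Message: fmt.Sprintf("fetching %s: %v", image, ErrRegistryUnreachable)}
	}
	if strings.HasSuffix(image, ":latest") {
		return RuleResponse{Rule: "verify-image", Status: StatusFail,
			Message: "mutable tag not allowed"}
	}
	return RuleResponse{Rule: "verify-image", Status: StatusPass}
}

func main() {
	// Registry down: Ignore allows with a warning, Fail blocks. Enforce is irrelevant
	// here because no rule actually *failed*.
	for _, fp := range []FailurePolicy{FailurePolicyIgnore, FailurePolicyFail} {
		p := Policy{Name: "check-images", FailurePolicy: fp, ValidationFailureAction: ActionEnforce}
		d := Decide(p, []RuleResponse{verifyImage("ghcr.io/example/app:1.2.3", false)})
		fmt.Printf("failurePolicy=%s registry down -> allowed=%v warnings=%d reasons=%d\n",
			fp, d.Allowed, len(d.Warnings), len(d.Reasons))
	}
}
```

The practical caveat this makes visible: after the PR, `Ignore` is doing double duty. It already told the API server to admit requests when the Kyverno webhook itself could not be called; now it also admits requests when a rule's registry lookup fails. Setting it on a verifyImages policy therefore trades a registry outage that would otherwise halt deployments for a window in which unverified images are admitted with only a warning, so it belongs on policies where the registry-down case is acceptable, not on every policy by default.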