use failurePolicy to block or allow requests, on policy errors

api/kyverno/v1/image_verification_types.go

@@ -344,25 +344,28 @@ func (iv *ImageVerification) Convert() *ImageVerification {
 		copy.ImageReferences = append(copy.ImageReferences, iv.Image)
 	}
 
-	attestor := Attestor{
-		Annotations: iv.Annotations,
-	}
-
-	if iv.Key != "" {
-		attestor.Keys = &StaticKeyAttestor{
-			PublicKeys: iv.Key,
+	attestorSet := AttestorSet{}
+	if len(iv.Annotations) > 0 || iv.Key != "" || iv.Issuer != "" {
+		attestor := Attestor{
+			Annotations: iv.Annotations,
 		}
-	} else if iv.Issuer != "" {
-		attestor.Keyless = &KeylessAttestor{
-			Issuer:  iv.Issuer,
-			Subject: iv.Subject,
-			Roots:   iv.Roots,
+
+		if iv.Key != "" {
+			attestor.Keys = &StaticKeyAttestor{
+				PublicKeys: iv.Key,
+			}
+		} else if iv.Issuer != "" {
+			attestor.Keyless = &KeylessAttestor{
+				Issuer:  iv.Issuer,
+				Subject: iv.Subject,
+				Roots:   iv.Roots,
+			}
 		}
+
+		attestorSet.Entries = append(attestorSet.Entries, attestor)
+		copy.Attestors = append(copy.Attestors, attestorSet)
 	}
 
-	attestorSet := AttestorSet{}
-	attestorSet.Entries = append(attestorSet.Entries, attestor)
-	copy.Attestors = append(copy.Attestors, attestorSet)
 	copy.Attestations = iv.Attestations
 	return copy
 }

api/kyverno/v1/spec_types.go

@@ -37,15 +37,16 @@ type Spec struct {
 	// +optional
 	ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
 
-	// FailurePolicy defines how unrecognized errors from the admission endpoint are handled.
+	// FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
 	// Rules within the same policy share the same failure behavior.
 	// Allowed values are Ignore or Fail. Defaults to Fail.
 	// +optional
 	FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
 
-	// ValidationFailureAction controls if a validation policy rule failure should disallow
+	// ValidationFailureAction defines if a validation policy rule violation should block
 	// the admission review request (enforce), or allow (audit) the admission review request
-	// and report an error in a policy report. Optional. The default value is "audit".
+	// and report an error in a policy report. Optional.
+	// Allowed values are audit or enforce. The default value is "audit".
 	// +optional
 	// +kubebuilder:validation:Enum=audit;enforce
 	ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

charts/kyverno/templates/crds.yaml

@@ -65,7 +65,7 @@ spec:
                 description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
+                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -1549,7 +1549,7 @@ spec:
                 description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
+                description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit".
                 enum:
                 - audit
                 - enforce
@@ -3890,7 +3890,7 @@ spec:
                 description: Background controls if rules are applied to existing resources during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the admission endpoint are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
+                description: FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. Allowed values are Ignore or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -5374,7 +5374,7 @@ spec:
                 description: SchemaValidation skips policy validation checks. Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy rule failure should disallow the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. The default value is "audit".
+                description: ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is "audit".
                 enum:
                 - audit
                 - enforce

cmd/cli/kubectl-kyverno/main.go

@@ -38,10 +38,15 @@ func main() {
 }
 
 func configurelog(cli *cobra.Command) {
+	// clear flags initialized in static dependencies
+	if flag.CommandLine.Lookup("log_dir") != nil {
+		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	}
+
 	klog.InitFlags(nil)
+	cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
 	log.SetLogger(klogr.New())
 
-	cli.PersistentFlags().AddGoFlagSet(flag.CommandLine)
 	_ = cli.PersistentFlags().MarkHidden("alsologtostderr")
 	_ = cli.PersistentFlags().MarkHidden("logtostderr")
 	_ = cli.PersistentFlags().MarkHidden("log_dir")

cmd/cli/kubectl-kyverno/utils/common/common.go

@@ -1035,7 +1035,7 @@ func GetResourceFromPath(fs billy.Filesystem, path string, isGit bool, policyRes
 
 // initializeMockController initializes a basic Generate Controller with a fake dynamic client.
 func initializeMockController(objects []runtime.Object) (*generate.GenerateController, error) {
-	client, err := dclient.NewMockClient(runtime.NewScheme(), nil, objects...)
+	client, err := dclient.NewFakeClient(runtime.NewScheme(), nil, objects...)
 	if err != nil {
 		fmt.Printf("Failed to mock dynamic client")
 		return nil, err

cmd/initContainer/main.go

@@ -15,12 +15,12 @@ import (
 	kyvernoclient "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
 	"github.com/kyverno/kyverno/pkg/config"
 	"github.com/kyverno/kyverno/pkg/dclient"
-	engineUtils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/kyverno/kyverno/pkg/leaderelection"
 	"github.com/kyverno/kyverno/pkg/policyreport"
 	"github.com/kyverno/kyverno/pkg/signal"
 	"github.com/kyverno/kyverno/pkg/tls"
 	"github.com/kyverno/kyverno/pkg/utils"
+	"go.uber.org/multierr"
 	admissionv1 "k8s.io/api/admission/v1"
 	coordinationv1 "k8s.io/api/coordination/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -58,9 +58,13 @@ const (
 )
 
 func main() {
-	klog.InitFlags(nil)
-	log.SetLogger(klogr.New().WithCallDepth(1))
-	// arguments
+	// clear flags initialized in static dependencies
+	if flag.CommandLine.Lookup("log_dir") != nil {
+		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	}
+
+	klog.InitFlags(nil) // add the block above before invoking klog.InitFlags()
+	log.SetLogger(klogr.New())
 	flag.Float64Var(&clientRateLimitQPS, "clientRateLimitQPS", 0, "Configure the maximum QPS to the Kubernetes API server from Kyverno. Uses the client default if zero.")
 	flag.IntVar(&clientRateLimitBurst, "clientRateLimitBurst", 0, "Configure the maximum burst for throttle. Uses the client default if zero.")
 	if err := flag.Set("v", "2"); err != nil {
@@ -500,6 +504,6 @@ func convertGR(pclient kyvernoclient.Interface) error {
 		}
 	}
 
-	err = engineUtils.CombineErrors(errors)
+	err = multierr.Combine(errors...)
 	return err
 }

cmd/kyverno/main.go

@@ -82,8 +82,13 @@ var (
 )
 
 func main() {
+	// clear flags initialized in static dependencies
+	if flag.CommandLine.Lookup("log_dir") != nil {
+		flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
+	}
+
 	klog.InitFlags(nil)
-	log.SetLogger(klogr.New().WithCallDepth(1))
+	log.SetLogger(klogr.New())
 	flag.IntVar(&webhookTimeout, "webhookTimeout", int(webhookconfig.DefaultWebhookTimeout), "Timeout for webhook configurations.")
 	flag.IntVar(&genWorkers, "genWorkers", 10, "Workers for generate controller.")
 	flag.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")

config/crds/kyverno.io_clusterpolicies.yaml

@@ -70,10 +70,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -2466,10 +2466,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce

config/crds/kyverno.io_policies.yaml

@@ -71,10 +71,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -2467,10 +2467,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce

config/install.yaml

@@ -87,10 +87,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -2483,10 +2483,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce
@@ -6078,10 +6079,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -8474,10 +8475,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce

config/install_debug.yaml

@@ -85,10 +85,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -2481,10 +2481,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce
@@ -6072,10 +6073,10 @@ spec:
                   name).
                 type: boolean
               failurePolicy:
-                description: FailurePolicy defines how unrecognized errors from the
-                  admission endpoint are handled. Rules within the same policy share
-                  the same failure behavior. Allowed values are Ignore or Fail. Defaults
-                  to Fail.
+                description: FailurePolicy defines how unexpected policy errors and
+                  webhook response timeout errors are handled. Rules within the same
+                  policy share the same failure behavior. Allowed values are Ignore
+                  or Fail. Defaults to Fail.
                 enum:
                 - Ignore
                 - Fail
@@ -8468,10 +8469,11 @@ spec:
                   disable the validation checks.
                 type: boolean
               validationFailureAction:
-                description: ValidationFailureAction controls if a validation policy
-                  rule failure should disallow the admission review request (enforce),
+                description: ValidationFailureAction defines if a validation policy
+                  rule violation should block the admission review request (enforce),
                   or allow (audit) the admission review request and report an error
-                  in a policy report. Optional. The default value is "audit".
+                  in a policy report. Optional. Allowed values are audit or enforce.
+                  The default value is "audit".
                 enum:
                 - audit
                 - enforce