-
Notifications
You must be signed in to change notification settings - Fork 776
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
adding --audit-warn flag #5321
adding --audit-warn flag #5321
Conversation
Thanks for opening your first Pull Request here! Please check out our Contributing guidelines and confirm that you Signed off. |
d3c82f2
to
a644b42
Compare
Steven, thank you for this contribution and extra THANK YOU for the docs! We appreciate your efforts here. |
Codecov Report
@@ Coverage Diff @@
## main #5321 +/- ##
==========================================
- Coverage 36.29% 36.27% -0.03%
==========================================
Files 171 171
Lines 19076 19091 +15
==========================================
+ Hits 6924 6925 +1
- Misses 11360 11370 +10
- Partials 792 796 +4
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Signed-off-by: Steven Lahouchuc <stelah1423@gmail.com>
a644b42
to
e684018
Compare
Explanation
This PR implements a feature requested in #4375.
Related issue
Closes #4375
Milestone of this PR
What type of PR is this
feature
Proposed Changes
This PR will add a new flag of
--audit-warn
to thekyverno apply
CLI subcommand. This is intended to treat any policies that are set toaudit
to NOT exit with a non-zero code, and be counted as a warning instead. In other words, if the policy is set to audit, and --warn-audit is set, it would exit 0 if audit policies matched. If enforcing policies are matched, it would exit 1.This is very similar to the
policies.kyverno.io/scored
annotation that can treat an audited policy as a warning instead of a failure, but with some extra benefits from the CLI tool. This flag does take into account thevalidationFailureActionOverrides
spec for a resource, whereas the annotation does not (as far as I know).In this implementation, I also propose having
kyverno apply
still report the audit policy to stdout when--policy-report
is not set, similar to a failure, but with a slightly different message stating this was an audit warning. I am proposing this since this tool is commonly used in ci/cd pipelines, and still having the verbosity around the audit findings would prove useful. In contrary, when using thescored
annotation withkyverno apply
, it does NOT report this finding to stdout, but would still exit with 0. I find that not necessarily useful. Perhaps this should be an additional flag to report these warnings, but I would have to defer that decision to you fine folks.To recap:
When
--audit-warn
is set:--policy-report
is not set (default return value), we also print a message to stdout that the audit warning was logged as wellExample output
This output utilizes
validationFailureActionOverrides
for the namespacedefault1
toaudit
instead ofenforce
. You can see the output is slightly different for audit failures. I'm wide open to changing the verbiage around these messages.Proof Manifests
Create echo-test.yaml
Create disallow-latest-tag.yaml
Run kyverno apply
I have tested this with/without a combination of
validationFailureActionOverrides
rules in the policy, as well as with/without--policy-report
set. I may be overlooking some other functionality to test; please let me know.Checklist
Further Comments