-
Notifications
You must be signed in to change notification settings - Fork 784
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setting validationFailureAction to enforce is going to enforce it for every Policy #601
Conversation
but can we merge PR https://github.com/nirmata/kyverno/pull/594 and https://github.com/nirmata/kyverno/pull/587 first. As it uses reporting of PV in generate rules and will require changes to fix this PR. |
Question 1: Question 2: Each package should process If you notice the package history, this dependency was intentionally removed(this discussion has been done before). But this PR adds the dependency again. Please revert the corresponding changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question 1:
Why are we removing the logic of owners while building violations?
Question 2:
Why does policyviolation package need to know engine.EngineResponse, this package dependency is not needed.
Each package should process engineResponse individually and then reports PV.
If you notice the package history, this dependency was intentionally removed(this discussion has been done before). But this PR adds the dependency again.
Please revert the corresponding changes.
@shivdudhani Q2: If you notice, we create pvInfo in multiple components, with the change above, each of the function would have the same API, same logic. So it's better to use generic code to create this info instead of having it everywhere.
|
Response to Q1: the whole idea of adding OwnerRef was to support any resources not just pod-controllers, as then we can report and this is how the feature was specified. With this we only support pod-controllers, so this will mean we are removing a feature. If this is the case, we can mention we have removed a feature. Response to Q2: Yes, but it introduces package dependency and it was refactored to handle this. Generic code, it makes code easy but at the cost of increasing dependency. If the history of the package is looked at, it was refactored specifically for it. I'm not in favor of writing code that easy to write at the cost of code maintainability. The idea of policy violation is independent of a policy engine. We have had discussions to define standard design PV for any policy engine. But this adds the dependency. |
Q1: Let's move the discussion to the issue, it's easier to track. |
PolicyViolation and EngineReponse are different resources, they don't need a direct dependency. You can define an interface that others implement to perform the conversion, but this again adds the dependency between the packages as the interface has to be defined in pkg engine or policy violation. |
@realshuting |
I'm not following, do you mean to keep the changes in PR or revert it back to the old way? |
@realshuting whichever is easier for you, if we have time to refactor and also complete the pending issues for release v1.1.0 then that's great. If not I would suggest prioritizing the issues then the refactoring. |
@realshuting as per the discussion the above behavior would change. Can you update this PR to include the reporting of PV if variable path is not found? |
Can use interface If a path is not found a response will be |
Merge to generate the release. If anything changes, would push a patch for that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall:
-
some previous comments not addresed. (package dependency between
policyvioltaion
pkg andengine
. -
Curious to know y we adding a new field just for this check. As other checks use ruleResponse failure. It seems inconsistent to add a field and helper functions just for this check.
-
the check is performed before the resource is matched.
-
Some minor checks
glog.V(4).Infof("failed to unmarshall context") | ||
return emptyResult, err | ||
glog.V(4).Infof("failed to unmarshall context: %v", err) | ||
return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
spelling unmarshal
var tempRule kyverno.Rule | ||
var tempRulePattern interface{} | ||
|
||
tempRule.MatchResources = rule.MatchResources |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
y use the tempRule
variable here ?
As it as a copy of a copy of rule
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you see the description of this function, it validates the general ruleInfo: matchedResource, excludeResource and condition, not a specific rule, so it extracts the general rule info as a copy.
@@ -55,6 +61,13 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure | |||
} | |||
|
|||
for _, rule := range policy.Spec.Rules { | |||
if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Y is this not placed inside filterRule
function ? as this is being processed per rule and we already have a function filterRule
which already has checks per rule.
@@ -55,6 +57,13 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { | |||
continue | |||
} | |||
|
|||
if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldnt this check be after MatchesResourceDescription
? Now the variables are checked even if the resource does not statify the resource match/exclude block
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Potentially the user could substitute the variable in match/exclude block, especially for userInfo
, so the check performs before MatchesResourceDescription.
@@ -65,6 +65,8 @@ type RuleResponse struct { | |||
Success bool `json:"success"` | |||
// statistics | |||
RuleStats `json:",inline"` | |||
// PathNotPresent indicates whether referenced path in variable substitution exist | |||
PathNotPresent bool `json:"pathNotPresent"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious why we introducing a check for a path not present, as this could rule that failed with an error message.
So now for some errors, we have rule failure and message, and some new field added to a struct. (seems inconsistent design)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my understanding,
- a rule failure refers to a rule application failure, while the path not present is much more a policy definition error
- since later we will have policy error reported as new CRD, it's more clear to have that 2 logic decoupled for the change.
@@ -7,6 +7,13 @@ import ( | |||
"github.com/nirmata/kyverno/pkg/engine/operator" | |||
) | |||
|
|||
type ValidationFailureReason int |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In reference to some previous comments, a new type is introduced but this doesn't really add much value.
As the enum is not PathNotFound
and the other value is RuleFailure
(which is already default behavior if the rule has failed).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See above.
) | ||
|
||
func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed before, the policyviolation
package is now dependent on engine
(engine/response).
I believe the conclusion was to decouple the packages.
continue | ||
} | ||
// skip when response succeed AND referenced paths exist | ||
if er.IsSuccesful() && !er.IsPathNotPresent() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In reference to some above comments, the pathNotPresent is engineResponse error instead of adding a new filed and check specifically for it.
As this is one of the multiple check-in policy, others use a common field rule failure, which for this field we add a new field and new error checks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, as we gonna report pathNotPresent as the policy error, it would be helpful to decouple this type of error from violation.
return info | ||
} | ||
|
||
func buildViolatedRules(er response.EngineResponse) []kyverno.ViolatedRule { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same as the above comments adds package dependency.
This PR fixes
As we remove violations reported on resource owner, Policy violation on resource creation #535 is no longer applicable.