Setting validationFailureAction to enforce is going to enforce it for every Policy #601
Conversation
|
but can we merge PR https://github.com/nirmata/kyverno/pull/594 and https://github.com/nirmata/kyverno/pull/587 first. As it uses reporting of PV in generate rules and will require changes to fix this PR. |
|
Question 1: Question 2: Each package should process If you notice the package history, this dependency was intentionally removed(this discussion has been done before). But this PR adds the dependency again. Please revert the corresponding changes. |
There was a problem hiding this comment.
Question 1:
Why are we removing the logic of owners while building violations?
Question 2:
Why does policyviolation package need to know engine.EngineResponse, this package dependency is not needed.
Each package should process engineResponse individually and then reports PV.
If you notice the package history, this dependency was intentionally removed(this discussion has been done before). But this PR adds the dependency again.
Please revert the corresponding changes.
|
@shivdudhani Q2: If you notice, we create pvInfo in multiple components, with the change above, each of the function would have the same API, same logic. So it's better to use generic code to create this info instead of having it everywhere.
|
|
Response to Q1: the whole idea of adding OwnerRef was to support any resources not just pod-controllers, as then we can report and this is how the feature was specified. With this we only support pod-controllers, so this will mean we are removing a feature. If this is the case, we can mention we have removed a feature. Response to Q2: Yes, but it introduces package dependency and it was refactored to handle this. Generic code, it makes code easy but at the cost of increasing dependency. If the history of the package is looked at, it was refactored specifically for it. I'm not in favor of writing code that easy to write at the cost of code maintainability. The idea of policy violation is independent of a policy engine. We have had discussions to define standard design PV for any policy engine. But this adds the dependency. |
|
Q1: Let's move the discussion to the issue, it's easier to track. |
|
PolicyViolation and EngineReponse are different resources, they don't need a direct dependency. You can define an interface that others implement to perform the conversion, but this again adds the dependency between the packages as the interface has to be defined in pkg engine or policy violation. |
|
@realshuting |
I'm not following, do you mean to keep the changes in PR or revert it back to the old way? |
|
@realshuting whichever is easier for you, if we have time to refactor and also complete the pending issues for release v1.1.0 then that's great. If not I would suggest prioritizing the issues then the refactoring. |
|
@realshuting as per the discussion the above behavior would change. Can you update this PR to include the reporting of PV if variable path is not found? |
|
Can use interface If a path is not found a response will be |
|
Merge to generate the release. If anything changes, would push a patch for that. |
There was a problem hiding this comment.
Overall:
-
some previous comments not addresed. (package dependency between
policyvioltaionpkg andengine. -
Curious to know y we adding a new field just for this check. As other checks use ruleResponse failure. It seems inconsistent to add a field and helper functions just for this check.
-
the check is performed before the resource is matched.
-
Some minor checks
| glog.V(4).Infof("failed to unmarshall context") | ||
| return emptyResult, err | ||
| glog.V(4).Infof("failed to unmarshall context: %v", err) | ||
| return emptyResult, fmt.Errorf("failed to unmarshall context: %v", err) |
| var tempRule kyverno.Rule | ||
| var tempRulePattern interface{} | ||
|
|
||
| tempRule.MatchResources = rule.MatchResources |
There was a problem hiding this comment.
y use the tempRule variable here ?
As it as a copy of a copy of rule.
There was a problem hiding this comment.
If you see the description of this function, it validates the general ruleInfo: matchedResource, excludeResource and condition, not a specific rule, so it extracts the general rule info as a copy.
| @@ -55,6 +61,13 @@ func filterRules(policy kyverno.ClusterPolicy, resource unstructured.Unstructure | |||
| } | |||
|
|
|||
| for _, rule := range policy.Spec.Rules { | |||
| if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 { | |||
There was a problem hiding this comment.
Y is this not placed inside filterRule function ? as this is being processed per rule and we already have a function filterRule which already has checks per rule.
| @@ -55,6 +57,13 @@ func Mutate(policyContext PolicyContext) (resp response.EngineResponse) { | |||
| continue | |||
| } | |||
|
|
|||
| if paths := validateGeneralRuleInfoVariables(ctx, rule); len(paths) != 0 { | |||
There was a problem hiding this comment.
Shouldnt this check be after MatchesResourceDescription ? Now the variables are checked even if the resource does not statify the resource match/exclude block
There was a problem hiding this comment.
Potentially the user could substitute the variable in match/exclude block, especially for userInfo, so the check performs before MatchesResourceDescription.
| @@ -65,6 +65,8 @@ type RuleResponse struct { | |||
| Success bool `json:"success"` | |||
| // statistics | |||
| RuleStats `json:",inline"` | |||
| // PathNotPresent indicates whether referenced path in variable substitution exist | |||
| PathNotPresent bool `json:"pathNotPresent"` | |||
There was a problem hiding this comment.
Curious why we introducing a check for a path not present, as this could rule that failed with an error message.
So now for some errors, we have rule failure and message, and some new field added to a struct. (seems inconsistent design)
There was a problem hiding this comment.
From my understanding,
- a rule failure refers to a rule application failure, while the path not present is much more a policy definition error
- since later we will have policy error reported as new CRD, it's more clear to have that 2 logic decoupled for the change.
| @@ -7,6 +7,13 @@ import ( | |||
| "github.com/nirmata/kyverno/pkg/engine/operator" | |||
| ) | |||
|
|
|||
| type ValidationFailureReason int | |||
There was a problem hiding this comment.
In reference to some previous comments, a new type is introduced but this doesn't really add much value.
As the enum is not PathNotFound and the other value is RuleFailure(which is already default behavior if the rule has failed).
| ) | ||
|
|
||
| func GeneratePVsFromEngineResponse(ers []response.EngineResponse) (pvInfos []Info) { |
There was a problem hiding this comment.
As discussed before, the policyviolation package is now dependent on engine (engine/response).
I believe the conclusion was to decouple the packages.
| continue | ||
| } | ||
| // skip when response succeed AND referenced paths exist | ||
| if er.IsSuccesful() && !er.IsPathNotPresent() { |
There was a problem hiding this comment.
In reference to some above comments, the pathNotPresent is engineResponse error instead of adding a new filed and check specifically for it.
As this is one of the multiple check-in policy, others use a common field rule failure, which for this field we add a new field and new error checks.
There was a problem hiding this comment.
Again, as we gonna report pathNotPresent as the policy error, it would be helpful to decouple this type of error from violation.
| return info | ||
| } | ||
|
|
||
| func buildViolatedRules(er response.EngineResponse) []kyverno.ViolatedRule { |
There was a problem hiding this comment.
Same as the above comments adds package dependency.
This PR fixes
As we remove violations reported on resource owner, Policy violation on resource creation #535 is no longer applicable.