added support of background-only mode for policies #14
base: develop
Signed-off-by: Sandesh More <[email protected]>
you need to rebase your branch with develop
@@ -48,10 +48,10 @@ type Spec struct { | |||
// ValidationFailureAction defines if a validation policy rule violation should block | |||
// the admission review request (enforce), or allow (audit) the admission review request | |||
// and report an error in a policy report. Optional. | |||
// Allowed values are audit or enforce. The default value is "audit". | |||
// Allowed values are audit or enforce. | |||
// The default value is "" which means policy will be executed in background-only mode. |
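Review bot: making "" the default (the last two comment lines of this hunk) means a policy that omits validationFailureAction silently stops being evaluated at admission, where the removed line says it defaulted to "audit". An empty string also cannot be told apart from a field that was left out by mistake, so a named value for the background-only mode would make the intent explicit and reviewable in the policy itself. The retained line "Allowed values are audit or enforce." now contradicts the line after it, and the opening comment lines still describe only the enforce and audit outcomes; both should be updated to cover the new mode.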
can't we add another value say `background` or `background-only` instead of an empty string?
@ApsTomar @samkulkarni20 can you suggest what would be better value for `ValidationFailureAction` to introduce background only mode?
I confirm this with chipzoller. Please check upstream issue thread.
Signed-off-by: Sandesh More [email protected]
Explanation
Previously, a validate or verifyImages rule is required to always be processed in admission review mode. Users cannot prevent resources at admission time from showing in policy reports.
This PR adds background-only mode in which policies (validate and VerifyImages) are executed only in background and not at the time of admission.
Related issue
closes: 5074
Milestone of this PR
What type of PR is this
feature
Proposed Changes
`background : true` and `validationFailureAction : ""`
`background: false` then `validationFailureAction` must exist with some (audit/enforce).
Proof Manifests
policy:
Apply above policy (background only mode)
create resource:
Check reports are not generated at the time of admission for the above policy. Policy will be executed only during background-scan.
Checklist
Further Comments