Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added support of background-only mode for policies #14

Draft
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

sandeshlmore
Copy link

@sandeshlmore sandeshlmore commented Oct 25, 2022

Signed-off-by: Sandesh More [email protected]

Explanation

previouly, a validate or verifyImages rule is required to always be processed in admission review mode. users cannot prevent resources at admission time from showing in policy reports.

This PR adds background-only mode in which policies(validate and VerifyImages) are executed only in background and not at the time of admission.

Related issue

closes: 5074

Milestone of this PR

What type of PR is this

feature

Proposed Changes

  • background-only mode is set by background : true and validationFailureAction : ""
  • background-only mode policies(validate and VerifyImages) are skipped at the time of resource AdmissionReviewRequest.
  • additionally, validate policy for background: false then validationFailureAction must exist with some (audit/enforce).

Proof Manifests

policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels     
spec:
  validationFailureAction: ""
  background: true
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "The label `app.kubernetes.io/name` is required."
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
Apply above policy(background only mode)
create resource:
$ kubectl run nginx --image nginx
pod/nginx created
check reports are not generated at the time of admission for the above policy. policy will be executed only during background-scan.

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

Copy link

@shahpratikr shahpratikr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you need to rebase your branch with develop

@@ -48,10 +48,10 @@ type Spec struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "audit".
// Allowed values are audit or enforce.
// The default value is "" which means policy will be executed in background-only mode.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can't we add another value say background or background-only instead of an empty string?

Copy link
Author

@sandeshlmore sandeshlmore Oct 31, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ApsTomar @samkulkarni20 can you suggest what would be better value for ValidationFailureAction to introduce background only mode?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i confirm this with chipzoller. please check upstream issue thread.

@sandeshlmore sandeshlmore marked this pull request as draft November 4, 2022 01:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants