
feat: sets `failurePolicy` to `Ignore` by default for audit policies

Noah Birrer requested to merge 9-ignore-action-in-audit-mode into main

General MR

Summary

When Kyverno policies are configured to validate objects in Audit mode, the controller can still block requests at admission. This can occur when a dependency on an external resource (such as an image registry) is unavailable. This behavior is not ideal as we would prefer that policies in Audit mode do not block any request whatsoever.

The intention of this pull request is to introduce this new behavior for policies that are configured in Audit mode. Any policy set to Audit will automatically have a failurePolicy of Ignore configured by default.

Policies that are not configured in Audit mode are not affected by this change.

Changes:

  • Introduces a helper function for determining enforcement mode
  • Adds a new variable to each applicable policy template file called $failureAction
  • Adds a call to the setFailurePolicy function to determine failurePolicy
    • The function is designed to return no value if the policy is neither Audit nor Warn
    • In the case above, helm will default to fetching the failurePolicy from .Values.failurePolicy as this was the original behavior.
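An added illustration of the helper pattern the summary describes, written for this review and not taken from the MR's diff: the helper emits `Ignore` only when the action is Audit or Warn and nothing otherwise, so `default` falls back to `.Values.failurePolicy` exactly as before. The helper name, the values keys used to derive `$failureAction`, and the policy name are assumptions.

```yaml
{{/*
Assumed helper (not the MR's own code): return "Ignore" when the policy's
validation action is Audit or Warn, and return nothing otherwise, so the
caller can fall back to .Values.failurePolicy with `default`.
*/}}
{{- define "kyverno-policies.setFailurePolicy" -}}
{{- if or (eq . "Audit") (eq . "Warn") -}}
Ignore
{{- end -}}
{{- end -}}

{{/*
Example use inside one policy template. The per-policy and chart-wide
values keys below are assumed, not the chart's real layout.
*/}}
{{- $failureAction := .Values.policies.examplePolicy.validationFailureAction | default .Values.validationFailureAction -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: example-policy  # placeholder name
spec:
  validationFailureAction: {{ $failureAction }}
  # Audit/Warn -> Ignore (never blocks admission, even if a registry lookup fails).
  # Any other action -> .Values.failurePolicy, which was the original behavior.
  failurePolicy: {{ include "kyverno-policies.setFailurePolicy" $failureAction | default .Values.failurePolicy }}
```

With `validationFailureAction: Audit` this renders `failurePolicy: Ignore`; with `Enforce` it renders whatever `.Values.failurePolicy` holds (typically `Fail`), which is what the yq check in the next section makes easy to confirm across the whole release.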

Relevant logs/screenshots

See:

The following yq command can be run against the kyverno-policies helm release for easy config validation:

... | yq '{.metadata.name: {"validationFailureAction": .spec.validationFailureAction, "failurePolicy": .spec.failurePolicy}}'

Relates #9 (closed)

Edited by Noah Birrer
