Resolve "Missing `autogen` rules result in false positives"
General MR
Summary
Deployments pass initial validation upon admission despite downstream objects (pods created by controllers) containing violations.
Adding `Deployment,ReplicaSet,DaemonSet,StatefulSet` as the default for `autogenControllers` stops the false positive behavior of passing validation even though there are violations downstream.
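The behaviour described above, as an added example that is not part of this MR or of Kyverno itself: a simplified model of how a Pod-scoped validation rule is applied to the pod template of a workload controller only when that controller kind is in the autogen list. The annotation name `pod-policies.kyverno.io/autogen-controllers` is Kyverno's real one; the parsing, the `require-drop-all-capabilities` check, the `DEFAULT_AUTOGEN_CONTROLLERS` tuple taken from this MR, and the Deployment manifest are this example's own constructions, not Kyverno's engine.

```python
# Added example (not MR or Kyverno code): model why a Pod-scoped rule lets a
# Deployment with a violating pod template through unless autogen covers it.

# Real Kyverno annotation name; parsing below is this example's own.
AUTOGEN_ANNOTATION = "pod-policies.kyverno.io/autogen-controllers"
# The default proposed in this MR.
DEFAULT_AUTOGEN_CONTROLLERS = ("Deployment", "ReplicaSet", "DaemonSet", "StatefulSet")


def autogen_controllers(policy, default):
    """Controller kinds the Pod rule is auto-generated for.

    An explicit annotation wins; "none" disables autogen; otherwise `default`
    applies (empty tuple = the pre-MR behaviour, Pods only).
    """
    value = policy.get("metadata", {}).get("annotations", {}).get(AUTOGEN_ANNOTATION)
    if value is None:
        return tuple(default)
    if value.strip().lower() == "none":
        return ()
    return tuple(k.strip() for k in value.split(",") if k.strip())


def pod_spec_for(resource, controllers):
    """Pod spec the rule should inspect, or None if the kind is not covered
    (no rule matches, so admission passes regardless of the template)."""
    kind = resource.get("kind")
    if kind == "Pod":
        return resource.get("spec", {})
    if kind in controllers:
        return resource.get("spec", {}).get("template", {}).get("spec", {})
    return None


def drop_all_violations(pod_spec):
    """Containers whose securityContext.capabilities.drop does not include ALL."""
    bad = []
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in pod_spec.get(field, []):
            drop = c.get("securityContext", {}).get("capabilities", {}).get("drop", [])
            if "ALL" not in drop:
                bad.append(f"{field}/{c.get('name', '?')}")
    return bad


def evaluate(policy, resource, default_controllers=()):
    """Return ("not evaluated" | "pass" | "fail", [violations])."""
    spec = pod_spec_for(resource, autogen_controllers(policy, default_controllers))
    if spec is None:
        return ("not evaluated", [])
    violations = drop_all_violations(spec)
    return ("fail" if violations else "pass", violations)


# Constructed policy with no autogen annotation, so the default decides.
POLICY = {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
          "metadata": {"name": "require-drop-all-capabilities"}}

# Constructed Deployment: the init container is compliant, the main one is not.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "example-controller", "namespace": "default"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "controller", "image": "example/controller:1.0"}],
        "initContainers": [{"name": "init", "image": "example/init:1.0",
                            "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
    }}},
}

if __name__ == "__main__":
    # Before the MR: nothing covers Deployment, the violating template is admitted.
    print("old default:", evaluate(POLICY, DEPLOYMENT))
    # After the MR: the autogen rule applies and the Deployment is denied.
    print("new default:", evaluate(POLICY, DEPLOYMENT, DEFAULT_AUTOGEN_CONTROLLERS))
```

Run it directly to see the two outcomes side by side; the first line is the false positive this MR closes (the Deployment is never evaluated), the second is the denial that matches the `autogen-drop-all-capabilities` message in the logs below.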
Relevant logs/screenshots
After adding the autogen rules:
[*] Enabling policy require-drop-all-capabilities...
[*] Running dry-run apply of package neuvector...
[*] Violations for neuvector logged to ./neuvector-require-drop-all-capabilities-violations
Error from server: error when creating "STDIN": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Deployment/default/neuvector-controller-pod was blocked due to the following policies
require-drop-all-capabilities:
autogen-drop-all-capabilities: 'validation failure: Containers must drop all Linux
capabilities by setting the fields spec.containers[*].securityContext.capabilities.drop,
spec.initContainers[*].securityContext.capabilities.drop, and spec.ephemeralContainers[*].securityContext.capabilities.drop
to `ALL`.'
Linked Issue
Upgrade Notices
N/A
For #112 (closed)
Edited by Michael Martin