From 45d8d012a367db603e9f8fac78eccdc46e48bd81 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Tue, 22 Oct 2024 08:15:40 +0000
Subject: [PATCH] fix[breaking]: disable exceptions by default (#11426) (#11446)
* fix[breaking]: disable exceptions by default
* fix chainsaw tests
* fix: add warning in helm chart for exceptions
---------
Signed-off-by: Mariam Fahmy
Co-authored-by: Mariam Fahmy
---
 charts/kyverno/README.md | 4 ++--
 charts/kyverno/templates/NOTES.txt | 4 ++++
 charts/kyverno/values.yaml | 3 ++-
 cmd/internal/engine.go | 4 ++++
 cmd/internal/flag.go | 4 ++--
 config/install-latest-testing.yaml | 6 +++---
 pkg/controllers/exceptions/controller.go | 2 +-
 pkg/validation/exception/validate.go | 5 ++++-
 pkg/validation/exception/validate_test.go | 4 ++--
 scripts/config/dev/kyverno.yaml | 1 +
 scripts/config/exceptions-disabled/kyverno-policies.yaml | 0
 scripts/config/exceptions-disabled/kyverno.yaml | 3 ---
 scripts/config/standard/kyverno.yaml | 1 +
 13 files changed, 26 insertions(+), 15 deletions(-)
 delete mode 100644 scripts/config/exceptions-disabled/kyverno-policies.yaml
 delete mode 100644 scripts/config/exceptions-disabled/kyverno.yaml
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index e2bf4002add0..f410358c4e1f 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -347,8 +347,8 @@ The chart values are organised per component.
 | features.logging.format | string | `"text"` | Logging format |
 | features.logging.verbosity | int | `2` | Logging verbosity |
 | features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) |
-| features.policyExceptions.enabled | bool | `true` | Enables the feature |
-| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace |
+| features.policyExceptions.enabled | bool | `false` | Enables the feature |
+| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace Set to "*" to allow exceptions in all namespaces |
 | features.protectManagedResources.enabled | bool | `false` | Enables the feature |
 | features.registryClient.allowInsecure | bool | `false` | Allow insecure registry |
 | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt
index c282d5865ce4..4ee09d74f465 100644
--- a/charts/kyverno/templates/NOTES.txt
+++ b/charts/kyverno/templates/NOTES.txt
@@ -43,4 +43,8 @@ The following components have been installed in your cluster:
 ⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled.
 {{- end }}
+{{ if not .Values.features.policyExceptions.enabled }}
+⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set '--enablePolicyException' to true.
+{{- end }}
+
 
 💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks.
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 39ac854bae6d..4d918701f886 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -697,8 +697,9 @@ features:
 # - PolicyError
 policyExceptions:
 # -- Enables the feature
- enabled: true
+ enabled: false
 # -- Restrict policy exceptions to a single namespace
+ # Set to "*" to allow exceptions in all namespaces
 namespace: ''
 protectManagedResources:
 # -- Enables the feature
diff --git a/cmd/internal/engine.go b/cmd/internal/engine.go
index e561a69341a0..4745e4c24d47 100644
--- a/cmd/internal/engine.go
+++ b/cmd/internal/engine.go
@@ -65,6 +65,10 @@ func NewExceptionSelector(
 if !enablePolicyException {
 return nil, nil
 }
+ if exceptionNamespace == "" {
+ logger.Error(errors.New("the flag --exceptionNamespace cannot be empty"), "the flag --exceptionNamespace cannot be empty")
+ return nil, nil
+ }
 polexCache := exceptioncontroller.NewController(
 kyvernoInformer.Kyverno().V1().ClusterPolicies(),
 kyvernoInformer.Kyverno().V1().Policies(),
diff --git a/cmd/internal/flag.go b/cmd/internal/flag.go
index ef1129d79dca..751b350bffa2 100644
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
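Review bot: The warning added to NOTES.txt tells chart users to set '--enablePolicyException' to true, but in this chart that flag is derived from `features.policyExceptions.enabled`, and after this commit enabling it alone is not sufficient because cmd/internal/engine.go returns no selector when `exceptionNamespace` is empty. Pointing users at the chart values, including the namespace, avoids an install that looks enabled but processes no exceptions: `⚠️ WARNING: PolicyExceptions are disabled by default. To enable them, set 'features.policyExceptions.enabled' to true and 'features.policyExceptions.namespace' to a namespace (or "*" for all namespaces).` The template block starts and ends inside the hunk.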
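Review bot: The new `exceptionNamespace == ""` guard downgrades a misconfiguration to one log line and then returns `nil, nil`, so a controller started with `--enablePolicyException=true` and no namespace runs with exceptions silently ignored, and the caller cannot tell this apart from the feature being disabled. The function already returns a second value that reads like an error; surfacing it as `return nil, errors.New("--enablePolicyException is set but --exceptionNamespace is empty")` lets startup fail loudly, assuming the caller treats a non-nil error as fatal, which is outside the hunk. If log-and-continue is intended, at least stop passing the same string as both the error and the message, e.g. `logger.Error(errors.New("exceptionNamespace is empty"), "PolicyException feature is enabled but --exceptionNamespace is not set; exceptions will be ignored")`. NewExceptionSelector's signature and the rest of its body are outside the hunk.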
@@ -103,8 +103,8 @@ func initKubeconfigFlags(qps float64, burst int, eventsQPS float64, eventsBurst } func initPolicyExceptionsFlags() { - flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions.") - flag.BoolVar(&enablePolicyException, "enablePolicyException", true, "Enable PolicyException feature.") + flag.StringVar(&exceptionNamespace, "exceptionNamespace", "", "Configure the namespace to accept PolicyExceptions. If it is set to '*', exceptions are allowed in all namespaces.") + flag.BoolVar(&enablePolicyException, "enablePolicyException", false, "Enable PolicyException feature.") } func initConfigMapCachingFlags() { diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 7561aa2388fc..0af9f74bebb9 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -51118,7 +51118,7 @@ spec: - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped - - --enablePolicyException=true + - --enablePolicyException=false - --protectManagedResources=false - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github @@ -51274,7 +51274,7 @@ spec: - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped - - --enablePolicyException=true + - --enablePolicyException=false - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate env: @@ -51528,7 +51528,7 @@ spec: - --loggingFormat=text - --v=2 - --omitEvents=PolicyApplied,PolicySkipped - - --enablePolicyException=true + - --enablePolicyException=false - --allowInsecureRegistry=false - --registryCredentialHelpers=default,google,amazon,azure,github - --enableReporting=validate,mutate,mutateExisting,imageVerify,generate diff --git a/pkg/controllers/exceptions/controller.go b/pkg/controllers/exceptions/controller.go index cfd7f2eb88f3..8cab99ff4de9 100644 --- a/pkg/controllers/exceptions/controller.go 
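Review bot: The help text for `exceptionNamespace` explains the "*" wildcard but not that the flag is now effectively required whenever `enablePolicyException` is true, while its default stays "", the value that cmd/internal/engine.go treats as a configuration error in this same commit. The flag description is the cheapest place to prevent an enabled-but-inert setup: `"Configure the namespace to accept PolicyExceptions. Required when --enablePolicyException is set; use '*' to allow exceptions in all namespaces."`. initPolicyExceptionsFlags is fully inside the hunk.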
+++ b/pkg/controllers/exceptions/controller.go
@@ -134,7 +134,7 @@ func (c *controller) getPolicy(namespace, name string) (kyvernov1.PolicyInterfac
 }
 
 func (c *controller) listExceptions() ([]*kyvernov2.PolicyException, error) {
- if c.namespace == "" {
+ if c.namespace == "*" {
 return c.polexLister.List(labels.Everything())
 }
 return c.polexLister.PolicyExceptions(c.namespace).List(labels.Everything())
diff --git a/pkg/validation/exception/validate.go b/pkg/validation/exception/validate.go
index f07777499570..2835810bf24a 100644
--- a/pkg/validation/exception/validate.go
+++ b/pkg/validation/exception/validate.go
@@ -10,6 +10,7 @@ import (
 const (
 namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
 disabledPolex = "PolicyException resources would not be processed until it is enabled."
+ polexNamespaceFlag = "The exceptionNamespace flag is not set"
 )
 
 type ValidationOptions struct {
@@ -22,7 +23,9 @@ func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2.PolicyEx
 var warnings []string
 if !opts.Enabled {
 warnings = append(warnings, disabledPolex)
- } else if opts.Namespace != "" && opts.Namespace != polex.Namespace {
+ } else if opts.Namespace == "" {
+ warnings = append(warnings, polexNamespaceFlag)
+ } else if opts.Namespace != "*" && opts.Namespace != polex.Namespace {
 warnings = append(warnings, namespacesDontMatch)
 }
 errs := polex.Validate()
diff --git a/pkg/validation/exception/validate_test.go b/pkg/validation/exception/validate_test.go
index a55e85a64c6a..f07074777064 100644
--- a/pkg/validation/exception/validate_test.go
+++ b/pkg/validation/exception/validate_test.go
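Review bot: `listExceptions` now special-cases only "*" and otherwise hands `c.namespace` straight to the namespaced lister, so an empty namespace reaches `PolicyExceptions("")`; if that generated lister follows client-go's `ListAllByNamespace`, an empty namespace means metav1.NamespaceAll and still lists exceptions cluster-wide, which is exactly the behaviour this commit gates behind an explicit "*". The constructor-side check in cmd/internal/engine.go protects one caller only. A guard inside the controller keeps the wildcard explicit regardless of how it is constructed: `if c.namespace == "" { return nil, nil }` placed before the `"*"` check, or an error if callers can surface it. listExceptions is fully inside the hunk.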
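Review bot: `polexNamespaceFlag`, introduced in the first validate.go hunk, is phrased differently from its siblings — no trailing period, and unlike `disabledPolex` it does not tell the author what happens to the resource — while the second hunk admits the PolicyException with that warning as its only signal. Aligning the message helps users reading the webhook warning understand that the object is accepted but inert: `polexNamespaceFlag = "The exceptionNamespace flag is not set. PolicyException resources would not be processed until it is set."`. Validate's signature and the remainder of its body are outside the hunk.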
@@ -53,11 +53,11 @@ func Test_Validate(t *testing.T) { want: 0, }, { - name: "PolicyExceptions enabled. No namespace defined", + name: "PolicyExceptions enabled. All namespaces are enabled", args: args{ opts: ValidationOptions{ Enabled: true, - Namespace: "", + Namespace: "*", }, resource: []byte(`{"apiVersion":"kyverno.io/v2","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`), }, diff --git a/scripts/config/dev/kyverno.yaml b/scripts/config/dev/kyverno.yaml index 789fa4132263..d769672e87cc 100644 --- a/scripts/config/dev/kyverno.yaml +++ b/scripts/config/dev/kyverno.yaml @@ -4,6 +4,7 @@ grafana: features: policyExceptions: enabled: true + namespace: "*" admissionController: serviceMonitor: diff --git a/scripts/config/exceptions-disabled/kyverno-policies.yaml b/scripts/config/exceptions-disabled/kyverno-policies.yaml deleted file mode 100644 index e69de29bb2d1..000000000000 diff --git a/scripts/config/exceptions-disabled/kyverno.yaml b/scripts/config/exceptions-disabled/kyverno.yaml deleted file mode 100644 index 1e279cc7a18d..000000000000 --- a/scripts/config/exceptions-disabled/kyverno.yaml +++ /dev/null @@ -1,3 +0,0 @@ -features: - policyExceptions: - enabled: false diff --git a/scripts/config/standard/kyverno.yaml b/scripts/config/standard/kyverno.yaml index e8ccdf211c0c..156c20917577 100644 --- a/scripts/config/standard/kyverno.yaml +++ b/scripts/config/standard/kyverno.yaml @@ -1,6 +1,7 @@ features: policyExceptions: enabled: true + namespace: "*" omitEvents: eventTypes: []
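Review bot: The test table gains no case for the branch this commit introduces in pkg/validation/exception/validate.go, where `Enabled: true` with `Namespace: ""` now produces the `polexNamespaceFlag` warning instead of matching all namespaces; the renamed case only covers "*". A sibling entry named "PolicyExceptions enabled. No namespace defined" with `Enabled: true`, `Namespace: ""`, the same resource and `want: 1` would pin the new behaviour — I am inferring from `want: 0` that `want` counts warnings. Test_Validate starts and ends outside the hunk.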