[Feature] Ability to identify the failing deny condition in a validation rule #3716

@dkulchinsky

Description

Problem Statement

When writing a validation rule with multiple deny conditions, the reported message, event and Kyverno log just specify the policy & rule that failed; however, if there are multiple deny conditions, it's difficult to identify which one was violated.

It would be great if the logs and the events/messages emitted identified the actual condition that was violated, making it clear exactly why the request was denied.

Solution Description

I think several things would help here:

  1. In the Kyverno log, specify which condition triggered the validation failure
  2. @JimBugwadia suggested adding a name and/or a message attribute to the conditions, so these could then be bubbled up to the log and event
  3. If the name attribute is not defined for a condition, at least specify its index number, so we can look up the condition from the policy definition

Alternatives

No response

Additional Context

No response

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1651084951501299

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
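As an added illustration (not part of the issue and not Kyverno's own documentation or policy library), the two policies below show the ambiguity the issue describes and a workaround that can be used until conditions can carry a name or message. The first policy groups three deny conditions under one rule and one message, so a denial only names the rule and cannot say which host namespace setting matched; the second splits each condition into its own rule with its own message, so the rule name and message reported for the denial identify the violated check. Policy names, rule names and the chosen fields are constructed for this example.

```yaml
# Ambiguous form: three deny conditions share one rule and one message.
# A denial reports rule "no-host-access" only; hostNetwork, hostPID and
# hostIPC are indistinguishable in the event and log.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-host-access          # constructed name
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: no-host-access
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Pods may not share the host network, PID or IPC namespaces"
        deny:
          conditions:
            any:
              # JMESPath default to false when the field is absent
              - key: "{{ request.object.spec.hostNetwork || `false` }}"
                operator: Equals
                value: true
              - key: "{{ request.object.spec.hostPID || `false` }}"
                operator: Equals
                value: true
              - key: "{{ request.object.spec.hostIPC || `false` }}"
                operator: Equals
                value: true
---
# Workaround: one rule per condition, each with its own message, so the
# reported rule name and message identify exactly which check failed.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-host-access-split    # constructed name
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: no-host-network
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "spec.hostNetwork must not be true"
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.hostNetwork || `false` }}"
                operator: Equals
                value: true
    - name: no-host-pid
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "spec.hostPID must not be true"
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.hostPID || `false` }}"
                operator: Equals
                value: true
    - name: no-host-ipc
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "spec.hostIPC must not be true"
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.hostIPC || `false` }}"
                operator: Equals
                value: true
```

The split form costs a repeated match block per condition and gives up the `any`/`all` grouping within a single rule, but it makes the admission response, the PolicyReport entry and the Kyverno log line name the specific check that denied the request, which is the information this issue asks for.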

Labels

enhancement (New feature or request)