Skip to content

fix: block mutation only when failurePolicy is set to fail #8952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Nov 22, 2023
Merged

fix: block mutation only when failurePolicy is set to fail #8952

merged 11 commits into from
Nov 22, 2023

Conversation

vishal-chdhry
Copy link
Member

@vishal-chdhry vishal-chdhry commented Nov 19, 2023
edited
Loading

Explanation

Mutation policies should not fail when failurePolicy is set to Ignore. This behaviour was working in 1.10.x because of this bug that was fixed in 1.11.0 (The issue there was that nil caused API Calls to not fail in any case and errors from API Call is not returned).

In 1.11, failurePolicy: Ignore still causes failure as we are not checking for its value in mutation webhooks

Related issue

Closes: #8936

Milestone of this PR

/milestone 1.11.1

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-404-api-call
spec:
  failurePolicy: Ignore
  rules:
  - name: mutate-404-api-call
    context:
    - name: val
      apiCall:
        urlPath: "https://www.google.com/404"
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            foo: "{{ val }}"
---
apiVersion: v1
kind: Pod
metadata:
  name: mutate-404-api-call-example
  namespace: default
spec:
  containers:
  - name: example
    image: busybox
    args: ["sleep", "infinity"]

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is release 1.11.1.
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

@vishal-chdhry
fix: only block mutation when failurePolicy is set
69136e5 
to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry
feat: kuttl test
7e74e78 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry vishal-chdhry added this to the Kyverno Release 1.11.1 milestone Nov 19, 2023
@codecov Codecov
Copy link

codecov bot commented Nov 19, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (058c162) 33.60% compared to head (6aeca12) 33.60%.
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #8952   +/-   ##
=======================================
  Coverage   33.60%   33.60%           
=======================================
  Files         315      315           
  Lines       24953    24953           
=======================================
  Hits         8386     8386           
  Misses      15769    15769           
  Partials      798      798

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@vishal-chdhry
fix: add else check
74001b8 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry
fix: update defaulting ns label policy's failure policy to be fail
3b7bd0d 
based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry
Copy link
Member Author

Reason for unrelated change 3b7bd0d:
Based on the readme, this test has nothing to do with failurePolicy and the resource should not be blocked in case of Ignore failurePolicy

vishal-chdhry and others added 4 commits November 19, 2023 16:45
@vishal-chdhry
fix: there is another
0948130 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry
fix: update policy
664122d 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@vishal-chdhry
nit
513024f 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@realshuting
Merge branch 'main' into mutation-failure-policies
1d2cd5f
realshuting
realshuting reviewed Nov 20, 2023
View reviewed changes
vishal-chdhry and others added 2 commits November 22, 2023 19:42
@vishal-chdhry
feat: add logs
508ee6c 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
@realshuting
Merge branch 'main' into mutation-failure-policies
14ae4b7
realshuting
realshuting reviewed Nov 22, 2023
View reviewed changes
@realshuting
Update pkg/webhooks/resource/mutation/mutation.go
6aeca12 
Signed-off-by: shuting <shuting@nirmata.com>
@realshuting realshuting enabled auto-merge (squash) November 22, 2023 16:23
@realshuting
Copy link
Member

/cherry-pick release-1.11

@realshuting realshuting merged commit c630f17 into kyverno:main Nov 22, 2023
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Nov 22, 2023
@vishal-chdhry @realshuting
fix: block mutation only when failurePolicy is set to fail (#8952)
3b7e914 
* fix: only block mutation when failurePolicy is set
to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: kuttl test

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add else check

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: there is another

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update policy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* nit

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add logs

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* Update pkg/webhooks/resource/mutation/mutation.go

Signed-off-by: shuting <shuting@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Nov 22, 2023
Merged
@realshuting realshuting added the cherry-pick-completed The PR was cherry-picked (or merged) to required release branches label Nov 22, 2023
realshuting added a commit that referenced this pull request Nov 22, 2023
@gcp-cherry-pick-bot @vishal-chdhry @realshuting
fix: block mutation only when failurePolicy is set to fail (#8952) (#…
53fa22b 
…8986)

* fix: only block mutation when failurePolicy is set
to fail



* feat: kuttl test



* fix: add else check



* fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy



* fix: there is another



* fix: update policy



* nit



* feat: add logs



* Update pkg/webhooks/resource/mutation/mutation.go



---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
vishal-chdhry added a commit to vishal-chdhry/kyverno that referenced this pull request Jan 5, 2024
@vishal-chdhry @realshuting
fix: block mutation only when failurePolicy is set to fail (kyverno#8952
036cdf5 
)

* fix: only block mutation when failurePolicy is set
to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: kuttl test

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add else check

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: there is another

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update policy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* nit

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add logs

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* Update pkg/webhooks/resource/mutation/mutation.go

Signed-off-by: shuting <shuting@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
vishal-chdhry added a commit to vishal-chdhry/kyverno that referenced this pull request Jan 5, 2024
@vishal-chdhry @realshuting
fix: block mutation only when failurePolicy is set to fail (kyverno#8952
4a685e5 
)

* fix: only block mutation when failurePolicy is set
to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: kuttl test

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add else check

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: there is another

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update policy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* nit

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add logs

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* Update pkg/webhooks/resource/mutation/mutation.go

Signed-off-by: shuting <shuting@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
vishal-chdhry added a commit to vishal-chdhry/kyverno that referenced this pull request Jan 6, 2024
@vishal-chdhry @realshuting
fix: block mutation only when failurePolicy is set to fail (kyverno#8952
b790f67 
)

* fix: only block mutation when failurePolicy is set
to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: kuttl test

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add else check

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update defaulting ns label policy's failure policy to be fail

based on readme, this test has nothing to do with failurePolicy and resource should not be blocked in case of ignore failurePolicy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: there is another

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: update policy

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* nit

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add logs

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* Update pkg/webhooks/resource/mutation/mutation.go

Signed-off-by: shuting <shuting@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@realshuting realshuting realshuting approved these changes

@chipzoller chipzoller Awaiting requested review from chipzoller

@eddycharly eddycharly Awaiting requested review from eddycharly eddycharly is a code owner

@MariamFahmy98 MariamFahmy98 Awaiting requested review from MariamFahmy98 MariamFahmy98 is a code owner

@MarcelMue MarcelMue Awaiting requested review from MarcelMue

Assignees
No one assigned
Labels
cherry-pick-completed The PR was cherry-picked (or merged) to required release branches cherry-pick-required milestone 1.12.0
Projects
None yet
Milestone
Kyverno Release 1.11.1
Development

Successfully merging this pull request may close these issues.

[Bug] failurePolicy: Ignore stoped working as intended
2 participants
@vishal-chdhry @realshuting