

fix(kubewarden-defaults): set failurePolicy: Ignore if mode == "monitor" (#553)

Signed-off-by: Michael Malet <[email protected]>
Malet authored Oct 2, 2024
1 parent 79a6945 commit e32aa5e
Showing 8 changed files with 39 additions and 0 deletions.
8 changes: 8 additions & 0 deletions charts/kubewarden-defaults/templates/_helpers.tpl
Expand Up @@ -76,3 +76,11 @@ namespaceSelector:
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}

{{- define "policy_failure_policy" -}}
{{- if eq .Values.recommendedPolicies.defaultPolicyMode "protect" -}}
Fail
{{- else -}}
Ignore
{{- end -}}
{{- end -}}
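Review bot: The helper fails open for every value of defaultPolicyMode other than the exact string "protect", so a mistyped or future mode value ("Protect", "enforce") silently renders `failurePolicy: Ignore` on all six recommended policies. Inverting the test keeps the fail-closed default and only relaxes it for an explicit monitor mode: `{{- if eq .Values.recommendedPolicies.defaultPolicyMode "monitor" -}}` / `Ignore` / `{{- else -}}` / `Fail`. The same value also feeds `mode:` in each policy, so an invalid string may be rejected by the CRD before this matters, but the template should not rely on that. A short comment above the define such as `{{/* Admission webhooks fail closed (Fail) unless the policies are only monitoring, where a policy-server outage must not block workloads */}}` would document the intent.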
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2}}
rules:
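Review bot: The new line passes the current context with `{{ template "policy_failure_policy" . }}` while the sibling `name:` and `mode:` lines read `$.Values`; if this template body is (or later becomes) scoped by a `range`/`with`, `.` no longer carries `.Values` and the helper would fail to render. Passing the root context, `failurePolicy: {{ template "policy_failure_policy" $ }}`, removes that dependency and matches the `$.Values` usage two lines above. The same applies to the identical line added in the other five policy templates in this commit; the `module:` line already uses `.Values`, so this is a consistency point rather than a rendering bug as far as the visible lines show.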
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.capabilitiesPolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2}}
rules:
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.hostNamespacePolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2}}
rules:
1 change: 1 addition & 0 deletions charts/kubewarden-defaults/templates/host-path-policy.yaml
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.hostPathsPolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2}}
rules:
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }}

{{ include "policy-namespace-selector" . | indent 2}}
Expand Up @@ -12,6 +12,7 @@ metadata:
name: {{ $.Values.recommendedPolicies.userGroupPolicy.name }}
spec:
mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }}
failurePolicy: {{ template "policy_failure_policy" . }}
module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }}
{{ include "policy-namespace-selector" . | indent 2}}
rules:
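--- /dev/null
+++ b/charts/kubewarden-defaults/tests/failure_policy_test.yaml
@@ -0,0 +1,25 @@
+suite: set failurePolicy based upon mode
+templates:
+  - allow-privileged-escalation-policy.yaml
+  - capabilities-policy.yaml
+  - host-namespace-policy.yaml
+  - host-path-policy.yaml
+  - pod-privileged-policy.yaml
+  - user-group-policy.yaml
+tests:
+  - it: "should ignore on webhook failures if in monitor mode"
+    set:
+      recommendedPolicies.enabled: true
+      recommendedPolicies.defaultPolicyMode: "monitor"
+    asserts:
+      - equal:
+          path: spec.failurePolicy
+          value: Ignore
+  - it: "should reject on webhook failures if in protect mode"
+    set:
+      recommendedPolicies.enabled: true
+      recommendedPolicies.defaultPolicyMode: "protect"
+    asserts:
+      - equal:
+          path: spec.failurePolicy
+          value: Fail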
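Review bot: Both cases pin defaultPolicyMode explicitly, so the chart's own default (set in values.yaml, not visible here) is never exercised and a later change to that default would flip the rendered failurePolicy on every recommended policy without any test failing. A third case that sets only `recommendedPolicies.enabled: true` and asserts the failurePolicy matching the shipped default would catch that. The expected value below is a placeholder; it must be set to whatever values.yaml currently defaults defaultPolicyMode to.
```yaml
  # … unchanged: monitor and protect cases …
  - it: "should render the failurePolicy matching the chart's default mode"
    set:
      recommendedPolicies.enabled: true
    asserts:
      - equal:
          path: spec.failurePolicy
          value: Fail  # Fail if values.yaml defaults to protect, Ignore if it defaults to monitor
```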
