diff --git a/charts/kubewarden-defaults/templates/_helpers.tpl b/charts/kubewarden-defaults/templates/_helpers.tpl index 197fb4e7..fc0aea2e 100644 --- a/charts/kubewarden-defaults/templates/_helpers.tpl +++ b/charts/kubewarden-defaults/templates/_helpers.tpl @@ -76,3 +76,11 @@ namespaceSelector: {{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} {{- end -}} {{- end -}} + +{{- define "policy_failure_policy" -}} +{{- if eq .Values.recommendedPolicies.defaultPolicyMode "protect" -}} +Fail +{{- else -}} +Ignore +{{- end -}} +{{- end -}} diff --git a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml b/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml index e293a946..16d84425 100644 --- a/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml +++ b/charts/kubewarden-defaults/templates/allow-privileged-escalation-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.allowPrivilegeEscalationPolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.repository }}:{{ .Values.recommendedPolicies.allowPrivilegeEscalationPolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} rules: diff --git a/charts/kubewarden-defaults/templates/capabilities-policy.yaml b/charts/kubewarden-defaults/templates/capabilities-policy.yaml index 863b402c..0012198d 100644 --- a/charts/kubewarden-defaults/templates/capabilities-policy.yaml +++ b/charts/kubewarden-defaults/templates/capabilities-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.capabilitiesPolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.capabilitiesPolicy.module.repository }}:{{ .Values.recommendedPolicies.capabilitiesPolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} rules: diff --git a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml b/charts/kubewarden-defaults/templates/host-namespace-policy.yaml index ae0825c7..abe3ab24 100644 --- a/charts/kubewarden-defaults/templates/host-namespace-policy.yaml +++ b/charts/kubewarden-defaults/templates/host-namespace-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.hostNamespacePolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostNamespacePolicy.module.repository }}:{{ .Values.recommendedPolicies.hostNamespacePolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} rules: diff --git a/charts/kubewarden-defaults/templates/host-path-policy.yaml b/charts/kubewarden-defaults/templates/host-path-policy.yaml index b3e15438..c84a680c 100644 --- a/charts/kubewarden-defaults/templates/host-path-policy.yaml +++ b/charts/kubewarden-defaults/templates/host-path-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.hostPathsPolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.hostPathsPolicy.module.repository }}:{{ .Values.recommendedPolicies.hostPathsPolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} rules: diff --git a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml b/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml index 7c448ceb..51c7122a 100644 --- a/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml +++ b/charts/kubewarden-defaults/templates/pod-privileged-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.podPrivilegedPolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.repository }}:{{ .Values.recommendedPolicies.podPrivilegedPolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} diff --git a/charts/kubewarden-defaults/templates/user-group-policy.yaml b/charts/kubewarden-defaults/templates/user-group-policy.yaml index a532925d..1020e2a9 100644 --- a/charts/kubewarden-defaults/templates/user-group-policy.yaml +++ b/charts/kubewarden-defaults/templates/user-group-policy.yaml @@ -12,6 +12,7 @@ metadata: name: {{ $.Values.recommendedPolicies.userGroupPolicy.name }} spec: mode: {{ $.Values.recommendedPolicies.defaultPolicyMode }} + failurePolicy: {{ template "policy_failure_policy" . }} module: {{ template "policy_default_registry" . }}{{ .Values.recommendedPolicies.userGroupPolicy.module.repository }}:{{ .Values.recommendedPolicies.userGroupPolicy.module.tag }} {{ include "policy-namespace-selector" . | indent 2}} rules: diff --git a/charts/kubewarden-defaults/tests/failure_policy_test.yaml b/charts/kubewarden-defaults/tests/failure_policy_test.yaml new file mode 100644 index 00000000..56e0eafd --- /dev/null +++ b/charts/kubewarden-defaults/tests/failure_policy_test.yaml @@ -0,0 +1,25 @@ +suite: set failurePolicy based upon mode +templates: + - allow-privileged-escalation-policy.yaml + - capabilities-policy.yaml + - host-namespace-policy.yaml + - host-path-policy.yaml + - pod-privileged-policy.yaml + - user-group-policy.yaml +tests: + - it: "should ignore on webhook failures if in monitor mode" + set: + recommendedPolicies.enabled: true + recommendedPolicies.defaultPolicyMode: "monitor" + asserts: + - equal: + path: spec.failurePolicy + value: Ignore + - it: "should reject on webhook failures if in protect mode" + set: + recommendedPolicies.enabled: true + recommendedPolicies.defaultPolicyMode: "protect" + asserts: + - equal: + path: spec.failurePolicy + value: Fail