Closed stefanprodan closed 1 year ago
e2e failing with
E0609 13:28:51.109331 1 handlers.go:38] webhooks/policy/validate "msg"="policy validation errors" "error"="spec.rules[0].verifyImages[0].mutateDigest: Invalid value: true: mutateDigest must be set to false for 'Audit' failure action" "gvk"={"group":"kyverno.io","version":"v1","kind":"ClusterPolicy"} "gvr"={"group":"kyverno.io","version":"v1","resource":"clusterpolicies"} "name"="verify-flux-images" "namespace"="" "operation"="CREATE" "uid"="042f8eb6-d027-4996-bb18-c18fd1d2db46" "user"={"username":"system:serviceaccount:flux-system:kustomize-controller","groups":["system:serviceaccounts","system:serviceaccounts:flux-system","system:authenticated"]}
@stefanprodan tested these patches locally, and it works (on top of your change):
diff --git a/infrastructure/kyverno-policies/verify-flux-images.yaml b/infrastructure/kyverno-policies/verify-flux-images.yaml
index 8f8814c..6194635 100644
--- a/infrastructure/kyverno-policies/verify-flux-images.yaml
+++ b/infrastructure/kyverno-policies/verify-flux-images.yaml
@@ -28,6 +28,7 @@ spec:
- "docker.io/fluxcd/notification-controller:*"
- "docker.io/fluxcd/image-reflector-controller:*"
- "docker.io/fluxcd/image-automation-controller:*"
+ mutateDigest: false
attestors:
- entries:
- keyless:
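Review bot: nothing in this hunk records why `mutateDigest: false` is being added, so it reads as an arbitrary choice rather than the Audit-mode requirement the webhook error at the top of the thread spells out, and with the `:*` tag globs above it also means admitted pods keep the mutable tag instead of being pinned to the digest that was verified. Suggest an inline comment on the new line, e.g. `mutateDigest: false # required while validationFailureAction is Audit; drop when moving to Enforce so verified tags are pinned to their digest`, so the setting is revisited when the policy is tightened.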
diff --git a/infrastructure/kyverno-policies/verify-git-repositories.yaml b/infrastructure/kyverno-policies/verify-git-repositories.yaml
index ee2ac1c..d42ccf7 100644
--- a/infrastructure/kyverno-policies/verify-git-repositories.yaml
+++ b/infrastructure/kyverno-policies/verify-git-repositories.yaml
@@ -6,7 +6,7 @@ spec:
# This provides users a working example of how an admin
# would be able to enforce git repository sources across
# all tenants.
- validationFailureAction: audit # Change to 'enforce' once the specific org url is set.
+ validationFailureAction: Audit # Change to 'enforce' once the specific org url is set.
rules:
- name: github-repositories-only
exclude:
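Review bot: the trailing comment on the changed line still reads `Change to 'enforce'`, which is the lowercase spelling this very change is retiring; whoever flips the policy later is likely to copy it and reintroduce the deprecation warning. Suggest `validationFailureAction: Audit # Change to 'Enforce' once the specific org url is set.` so the comment and the value agree on casing.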
The second, camel-case change is due to a deprecation warning.
Can you open a PR with all these changes please? I will close this one.
Prevent Kyverno from blocking Flux reconciliation due to the missing-digest bug.
Ref: #107
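As an added example (not code from this PR, from Kyverno, or from the flux2-multi-tenancy repository), the two webhook checks discussed in the thread re-implemented as an offline lint that could run in CI before Flux's kustomize-controller submits the policies. The sample policies are constructed stand-ins for the two patched manifests, reduced to the fields the checks read, and the Kyverno defaults it assumes (mutateDigest true when omitted, Audit when validationFailureAction is omitted) are called out in comments.

```python
"""Offline lint for Kyverno ClusterPolicy manifests.

Added example, not code from Kyverno or from the flux2-multi-tenancy repository.
It re-implements two checks that surfaced in this thread so they can run in CI
before Flux's kustomize-controller ever submits the policy to the webhook:

  1. spec.validationFailureAction should be "Audit" or "Enforce"; the lowercase
     spellings trigger the deprecation warning mentioned in the thread.
  2. While the action is Audit, each spec.rules[*].verifyImages[*] entry must set
     mutateDigest: false (assumption: Kyverno defaults mutateDigest to true,
     which is why the omitted field was rejected).

Policies are plain dicts here; with PyYAML you would feed it yaml.safe_load().
"""
import copy

VALID_ACTIONS = ("Audit", "Enforce")
MUTATE_DIGEST_MSG = "mutateDigest must be set to false for 'Audit' failure action"


def lint_policy(policy):
    """Return a list of findings for one ClusterPolicy dict (empty if clean).

    Findings use the webhook's field-path style, e.g.
    "spec.rules[0].verifyImages[0].mutateDigest: ...".
    """
    findings = []
    spec = policy.get("spec", {})
    # Assumption: Kyverno treats a missing validationFailureAction as Audit.
    action = spec.get("validationFailureAction", "Audit")

    if action not in VALID_ACTIONS:
        fixed = action.capitalize()
        if fixed in VALID_ACTIONS:
            findings.append(
                f"spec.validationFailureAction: deprecated casing {action!r}, use {fixed!r}"
            )
        else:
            findings.append(f"spec.validationFailureAction: unknown value {action!r}")

    audit_mode = action.lower() == "audit"
    for i, rule in enumerate(spec.get("rules", [])):
        for j, verify in enumerate(rule.get("verifyImages", [])):
            # The field defaults to true when omitted, so only an explicit false passes.
            if audit_mode and verify.get("mutateDigest", True) is not False:
                findings.append(f"spec.rules[{i}].verifyImages[{j}].mutateDigest: {MUTATE_DIGEST_MSG}")
    return findings


def lint_all(policies):
    """Map each policy's metadata.name to its findings; only failing policies appear."""
    report = {}
    for policy in policies:
        findings = lint_policy(policy)
        if findings:
            report[policy["metadata"]["name"]] = findings
    return report


# Constructed stand-ins for the two manifests in the diff above, reduced to the
# fields the checks look at. Rule names and match blocks are placeholders.
VERIFY_FLUX_IMAGES_BEFORE = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "verify-flux-images"},
    "spec": {
        "validationFailureAction": "Audit",
        "rules": [{
            "name": "verify-cosign-signature",
            "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
            "verifyImages": [{
                "imageReferences": [
                    "docker.io/fluxcd/notification-controller:*",
                    "docker.io/fluxcd/image-reflector-controller:*",
                    "docker.io/fluxcd/image-automation-controller:*",
                ],
                # mutateDigest omitted on purpose: the state the webhook rejected
                "attestors": [{"entries": [{"keyless": {}}]}],
            }],
        }],
    },
}
VERIFY_FLUX_IMAGES_AFTER = copy.deepcopy(VERIFY_FLUX_IMAGES_BEFORE)
VERIFY_FLUX_IMAGES_AFTER["spec"]["rules"][0]["verifyImages"][0]["mutateDigest"] = False

VERIFY_GIT_REPOSITORIES_BEFORE = {
    "apiVersion": "kyverno.io/v1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "verify-git-repositories"},
    "spec": {
        "validationFailureAction": "audit",  # deprecated lowercase form
        "rules": [{"name": "github-repositories-only"}],
    },
}
VERIFY_GIT_REPOSITORIES_AFTER = copy.deepcopy(VERIFY_GIT_REPOSITORIES_BEFORE)
VERIFY_GIT_REPOSITORIES_AFTER["spec"]["validationFailureAction"] = "Audit"


if __name__ == "__main__":
    for label, batch in (("before", [VERIFY_FLUX_IMAGES_BEFORE, VERIFY_GIT_REPOSITORIES_BEFORE]),
                         ("after", [VERIFY_FLUX_IMAGES_AFTER, VERIFY_GIT_REPOSITORIES_AFTER])):
        print(label, lint_all(batch))
```

Running the module prints a non-empty report for the pre-patch pair and an empty one for the patched pair. The same two findings are what the webhook would have returned, except that here they surface at commit time rather than after Flux has already tried and failed to reconcile the policy.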