fluxcd / flux2-multi-tenancy

Manage multi-tenant clusters with Flux
Apache License 2.0

Set Kyverno policy failure to audit #108

Closed stefanprodan closed 1 year ago

stefanprodan commented 1 year ago

Prevent Kyverno from blocking Flux reconciliation due to the missing digest bug.

Ref: #107

makkes commented 1 year ago

e2e failing with

E0609 13:28:51.109331       1 handlers.go:38] webhooks/policy/validate "msg"="policy validation errors" "error"="spec.rules[0].verifyImages[0].mutateDigest: Invalid value: true: mutateDigest must be set to false for ‘Audit’ failure action" "gvk"={"group":"kyverno.io","version":"v1","kind":"ClusterPolicy"} "gvr"={"group":"kyverno.io","version":"v1","resource":"clusterpolicies"} "name"="verify-flux-images" "namespace"="" "operation"="CREATE" "uid"="042f8eb6-d027-4996-bb18-c18fd1d2db46" "user"={"username":"system:serviceaccount:flux-system:kustomize-controller","groups":["system:serviceaccounts","system:serviceaccounts:flux-system","system:authenticated"]}
Pro commented 1 year ago

@stefanprodan tested these patches locally, and it works (on top of your change):

diff --git a/infrastructure/kyverno-policies/verify-flux-images.yaml b/infrastructure/kyverno-policies/verify-flux-images.yaml
index 8f8814c..6194635 100644
--- a/infrastructure/kyverno-policies/verify-flux-images.yaml
+++ b/infrastructure/kyverno-policies/verify-flux-images.yaml
@@ -28,6 +28,7 @@ spec:
             - "docker.io/fluxcd/notification-controller:*"
             - "docker.io/fluxcd/image-reflector-controller:*"
             - "docker.io/fluxcd/image-automation-controller:*"
+          mutateDigest: false
           attestors:
             - entries:
                 - keyless:
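Review bot: `mutateDigest: false` resolves the webhook error quoted above ("mutateDigest must be set to false for 'Audit' failure action"), but the hunk gives no hint why the value is there; add a comment on that line, e.g. `mutateDigest: false # required while validationFailureAction is Audit; set back to true with Enforce so tags are pinned to digests`, so the setting is not silently kept once the policy is switched back to Enforce and image tags stop being rewritten to digests.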
diff --git a/infrastructure/kyverno-policies/verify-git-repositories.yaml b/infrastructure/kyverno-policies/verify-git-repositories.yaml
index ee2ac1c..d42ccf7 100644
--- a/infrastructure/kyverno-policies/verify-git-repositories.yaml
+++ b/infrastructure/kyverno-policies/verify-git-repositories.yaml
@@ -6,7 +6,7 @@ spec:
   # This provides users a working example of how an admin
   # would be able to enforce git repository sources across
   # all tenants.
-  validationFailureAction: audit # Change to 'enforce' once the specific org url is set.
+  validationFailureAction: Audit # Change to 'enforce' once the specific org url is set.
   rules:
     - name: github-repositories-only
       exclude:
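Review bot: the trailing comment on the changed line still says 'enforce' in lowercase while the value itself is moved to the `Audit` casing; update it to `# Change to 'Enforce' once the specific org url is set.` so whoever follows the comment later does not reintroduce the deprecated lowercase form.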

The second camel-case change is due to a deprecation warning.
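A pre-apply check for the two constraints this thread ran into, as an added example (not code from the flux2-multi-tenancy repo or from Kyverno): it reproduces the webhook's rule that `mutateDigest` must be false under `Audit` and the deprecation of lowercase action values, run over constructed sample policies; the Kyverno defaults (`Audit`, `mutateDigest` true) are assumed.

```python
"""Pre-apply check for the two Kyverno constraints seen in this thread: a verifyImages
rule with mutateDigest true is rejected once validationFailureAction is Audit, and the
lowercase 'audit'/'enforce' values are deprecated. Sample policies are constructed."""
import copy
from typing import Dict, List

DEPRECATED_ACTIONS = {"audit": "Audit", "enforce": "Enforce"}


def check_policy(policy: Dict) -> List[str]:
    """Return findings for one ClusterPolicy dict (empty list means it would pass)."""
    findings: List[str] = []
    spec = policy.get("spec", {})
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    # Defaults assumed from the Kyverno docs: Audit action, mutateDigest true.
    action = spec.get("validationFailureAction", "Audit")
    if action in DEPRECATED_ACTIONS:
        findings.append(f"{name}: validationFailureAction '{action}' is deprecated, "
                        f"use '{DEPRECATED_ACTIONS[action]}'")
        action = DEPRECATED_ACTIONS[action]
    for i, rule in enumerate(spec.get("rules", [])):
        for j, vi in enumerate(rule.get("verifyImages", [])):
            if action == "Audit" and vi.get("mutateDigest", True):
                findings.append(f"{name}: spec.rules[{i}].verifyImages[{j}].mutateDigest "
                                "must be false for 'Audit' failure action")
    return findings


def with_audit_safe_digest(policy: Dict) -> Dict:
    """Copy of the policy with every verifyImages entry set to mutateDigest: false."""
    fixed = copy.deepcopy(policy)
    for rule in fixed.get("spec", {}).get("rules", []):
        for vi in rule.get("verifyImages", []):
            vi["mutateDigest"] = False
    return fixed


# Constructed sample modelled on the verify-flux-images policy (not the repo file).
FLUX_IMAGES_POLICY = {
    "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
    "metadata": {"name": "verify-flux-images"},
    "spec": {"validationFailureAction": "Audit", "rules": [{
        "name": "verify-cosign-signature",
        "verifyImages": [{"imageReferences": ["docker.io/fluxcd/kustomize-controller:*"],
                          "mutateDigest": True,  # the setting the webhook rejected
                          "attestors": [{"entries": [{"keyless": {}}]}]}]}]},
}
# Constructed sample with the deprecated lowercase value from the second hunk.
GIT_REPOS_POLICY = {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
                    "metadata": {"name": "verify-git-repositories"},
                    "spec": {"validationFailureAction": "audit", "rules": []}}
```

Running `check_policy` over each file before Flux applies it surfaces both problems at review time instead of as a rejected CREATE from the kustomize-controller.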

stefanprodan commented 1 year ago

Can you open a PR with all these changes please? I will close this one.