From 877aa148bfe8d2063089359b8d57e086836ea6a8 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Wed, 28 Aug 2024 15:59:42 +0530 Subject: [PATCH 1/2] feat: add documentation for allowExistingViolations in validate Signed-off-by: Vishal Choudhary --- content/en/docs/writing-policies/validate.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md index 1574b1b08..0da97f0b5 100644 --- a/content/en/docs/writing-policies/validate.md +++ b/content/en/docs/writing-policies/validate.md
@@ -79,9 +79,9 @@ require-ns-purpose-label: Change the `development` value to `production` and try again. Kyverno permits creation of your new Namespace resource. -## Validation Failure Action +## Failure Action -The `validationFailureAction` attribute controls admission control behaviors for resources that are not compliant with a policy. If the value is set to `Enforce`, resource creation or updates are blocked when the resource does not comply. When the value is set to `Audit`, a policy violation is logged in a `PolicyReport` or `ClusterPolicyReport` but the resource creation or update is allowed. For preexisting resources which violate a newly-created policy set to `Enforce` mode, Kyverno will allow subsequent updates to those resources which continue to violate the policy as a way to ensure no existing resources are impacted. However, should a subsequent update to the violating resource(s) make them compliant, any further updates which would produce a violation are blocked. +The `failureAction` attribute controls admission control behaviors for resources that are not compliant with a policy. If the value is set to `Enforce`, resource creation or updates are blocked when the resource does not comply. When the value is set to `Audit`, a policy violation is logged in a `PolicyReport` or `ClusterPolicyReport` but the resource creation or update is allowed. For preexisting resources which violate a newly-created policy set to `Enforce` mode, Kyverno will allow subsequent updates to those resources which continue to violate the policy as a way to ensure no existing resources are impacted. However, should a subsequent update to the violating resource(s) make them compliant, any further updates which would produce a violation are blocked.To disable this behaviour in validation, user has to set `allowExistingViolations` to `false`. ## Validation Failure Action Overrides From fa0d09dd1e8546bcbeb9892d3f4445f426806e63 Mon Sep 17 00:00:00 2001 
From: Vishal Choudhary Date: Wed, 28 Aug 2024 16:06:50 +0530 Subject: [PATCH 2/2] fix: failing links Signed-off-by: Vishal Choudhary --- content/en/docs/applying-policies/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/applying-policies/_index.md b/content/en/docs/applying-policies/_index.md index e80ad376a..bbc4260bb 100644 --- a/content/en/docs/applying-policies/_index.md +++ b/content/en/docs/applying-policies/_index.md 
@@ -13,7 +13,7 @@ The [Kyverno Policies](/policies/) repository contains several policies you can On installation, Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the Kubernetes API server and applies matching policies to return results that enforce admission policies or reject requests. -Policies with validation rules can be used to block insecure or non-compliant configurations by setting the [`validationFailureAction`](../writing-policies/validate.md#validation-failure-action) to `Enforce`. Or, validation rules can be applied using periodic scans with results available as [policy reports](../policy-reports/). +Policies with validation rules can be used to block insecure or non-compliant configurations by setting the [`validationFailureAction`](../writing-policies/validate.md#failure-action) to `Enforce`. Or, validation rules can be applied using periodic scans with results available as [policy reports](../policy-reports/). Rules in a policy are applied in the order of definition. During [admission control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/), mutation rules are applied before validation rules. This allows validation of changes made during mutation. Note that **all** mutation rules are applied first across all policies before any validation rules are applied.
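Review bot: in the first hunk (validate.md, the `failureAction` paragraph), the sentence appended at the end runs into the previous one without a space (`blocked.To disable`) and does not say what the new field defaults to or where it is set; suggest `... are blocked. To disable this behaviour, set `allowExistingViolations` to `false`.` and add the default value and the spec location (policy level or rule level), because the paragraph only describes the permissive behaviour (updates to pre-existing violating resources are admitted even under `Enforce`) and an operator reading it needs to know that this is the default they are running with unless they opt out. The heading rename from `## Validation Failure Action` to `## Failure Action` also leaves the next heading in the trailing context, `## Validation Failure Action Overrides`, with the old naming, and drops the `#validation-failure-action` anchor that other pages may link to; either rename both headings together or keep the old anchor reachable. The commit subject spells the field `allowExistingViolartions`.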
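Review bot: in the second hunk (applying-policies/_index.md), only the anchor was changed to `#failure-action` while the link text still reads `validationFailureAction`; the section it now points to documents the attribute as `failureAction` (first patch in this series), so the text should read `failureAction` too, otherwise the reader is told to set an attribute under a name the target section no longer uses. Since the hunk fixes exactly one link, it is worth checking whether any other page still links to the old `#validation-failure-action` anchor, as those would break in the same way.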