Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a gator test CLI option for exit code 1 in case of enforcementAction: warn #2945

Open
rquinio1A opened this issue Aug 10, 2023 · 12 comments
Open

Add a gator test CLI option for exit code 1 in case of enforcementAction: warn #2945

rquinio1A opened this issue Aug 10, 2023 · 12 comments
Labels
enhancement New feature or request triaged

Comments

@rquinio1A
Copy link

Describe the solution you'd like

When there's a constraint violation with enforcementAction: deny, gator test exit code is 1.
It would be useful to have a CLI option to also fail when there's a constraint violation with enforcementAction: warn (for instance --fail-on-warn).

Anything else you would like to add:

We typically use enforcementAction: warn for new constraints, to let users time to adapt, before changing them to enforcementAction: deny.
So users need an easy way to fail their gitops CI, which is typically based on exit codes.

Environment:

  • Gatekeeper version: gator v3.13.0
  • Kubernetes version: (use kubectl version): n/a
@rquinio1A rquinio1A added the enhancement New feature or request label Aug 10, 2023
@davis-haba
Copy link
Contributor

Hi,

We are actively working on designing a feature to allow for different enforcementActions across different enforcement points (e.g. gator/Audit/Webhook). I've linked this issue in the design, and we'll take this use case into account.

Thanks for the feedback!

@sozercan
Copy link
Member

cc @salaxander

@stale
Copy link

stale bot commented Oct 15, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Oct 15, 2023
@rquinio1A
Copy link
Author

Should still be valid

@stale stale bot removed the stale label Oct 16, 2023
@stale Stale
Copy link

stale bot commented Dec 15, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 15, 2023
@rquinio1A
Copy link
Author

Still valid, but could be closed as duplicate once there's a master issue about enforcementActions re-design.

@maxsmythe maxsmythe removed the stale label Dec 22, 2023
@stale Stale
Copy link

stale bot commented Feb 20, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Feb 20, 2024
@maxsmythe
Copy link
Contributor

@JaydipGabani I think this is interesting WRT multi enforcement action

@sozercan sozercan added triaged and removed stale labels Feb 21, 2024
@JaydipGabani
Copy link
Contributor

@maxsmythe are you thinking we could provide a way on constraint to include what to do for gator? something like this?

action: warn
enforcementPoints:
- name: gator
   behavior: fail

@maxsmythe
Copy link
Contributor

Yep! Though it'd probably be just another enforcementAction

@JaydipGabani
Copy link
Contributor

@rquinio1A We are currenlty implementing this design, after which it should be possible to define different behaviors for audit, gator cli and webhook on constraints. It would be possible to define the specific behavior - "I want to get denied for gator cli but just warnings in webhook if the resource is violating the constraint". Would this cover the ask here?

@rquinio1A
Copy link
Author

@JaydipGabani That would be perfect!

@JaydipGabani JaydipGabani mentioned this issue Mar 18, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sozercan @maxsmythe @JaydipGabani @davis-haba @rquinio1A