
added support of background-only mode for policies #14

Draft
wants to merge 1 commit into base: develop

Conversation

@sandeshlmore sandeshlmore commented Oct 25, 2022

Signed-off-by: Sandesh More sandesh.more@infracloud.io

Explanation

Previously, a validate or verifyImages rule was required to always be processed in admission review mode. Users cannot prevent resources from showing in policy reports at admission time.

This PR adds a background-only mode in which policies (validate and verifyImages) are executed only in the background and not at admission time.

Related issue

closes: 5074

Milestone of this PR

What type of PR is this

feature

Proposed Changes

  • background-only mode is set by background: true and validationFailureAction: ""
  • background-only mode policies (validate and verifyImages) are skipped at the time of the resource AdmissionReviewRequest.
  • additionally, for a validate policy with background: false, validationFailureAction must be present with a value (audit/enforce).

Proof Manifests

policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: ""
  background: true
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "The label `app.kubernetes.io/name` is required."
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
Apply the above policy (background-only mode).
Create a resource:
$ kubectl run nginx --image nginx
pod/nginx created
Check that reports are not generated at admission time for the above policy. The policy will be executed only during the background scan.

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.
    • I have added or changed the documentation myself in an existing PR and the link is:
    • I have raised an issue in kyverno/website to track the documentation update and the link is:

Further Comments

Signed-off-by: Sandesh More <sandesh.more@infracloud.io>
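As an added illustration of the mode semantics listed under Proposed Changes above (example code written for this page, not the PR's or Kyverno's own code), the Go snippet below encodes when a policy is background-only, when its validate/verifyImages rules are skipped at admission, and the constraint on validate policies with background: false. The Spec type and function names are hypothetical stand-ins, not Kyverno's API.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-in for the spec fields this PR discusses; not Kyverno's own types.
type Spec struct {
	Background              bool
	ValidationFailureAction string // "audit", "enforce" or "" (background-only)
	HasValidate             bool   // spec contains validate rules
	HasVerifyImages         bool   // spec contains verifyImages rules
}

// ErrMissingAction: a validate policy with background: false must set validationFailureAction explicitly.
var ErrMissingAction = errors.New("validate policy with background: false requires validationFailureAction (audit/enforce)")

// IsBackgroundOnly reports whether the policy is in background-only mode:
// background: true together with an empty validationFailureAction.
func IsBackgroundOnly(s Spec) bool {
	return s.Background && s.ValidationFailureAction == ""
}

// ValidateSpec applies the constraint from the Proposed Changes and rejects
// values outside audit/enforce/"".
func ValidateSpec(s Spec) error {
	if s.HasValidate && !s.Background && s.ValidationFailureAction == "" {
		return ErrMissingAction
	}
	switch s.ValidationFailureAction {
	case "", "audit", "enforce":
		return nil
	}
	return fmt.Errorf("unknown validationFailureAction %q", s.ValidationFailureAction)
}

// SkipAtAdmission reports whether validate/verifyImages rules are skipped
// while handling an AdmissionReviewRequest; mutate-only policies are unaffected.
func SkipAtAdmission(s Spec) bool {
	return (s.HasValidate || s.HasVerifyImages) && IsBackgroundOnly(s)
}

func main() {
	// Constructed sample mirroring the require-labels proof manifest above.
	p := Spec{Background: true, HasValidate: true}
	fmt.Println("background-only:", IsBackgroundOnly(p), "skipped at admission:", SkipAtAdmission(p))
	fmt.Println("validation error:", ValidateSpec(Spec{HasValidate: true}))
}
```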
@shahpratikr shahpratikr left a comment

you need to rebase your branch with develop

@@ -48,10 +48,10 @@ type Spec struct {
// ValidationFailureAction defines if a validation policy rule violation should block
// the admission review request (enforce), or allow (audit) the admission review request
// and report an error in a policy report. Optional.
// Allowed values are audit or enforce. The default value is "audit".
// Allowed values are audit or enforce.
// The default value is "" which means policy will be executed in background-only mode.
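Review bot: the rewritten doc comment in the last two lines of this hunk is inconsistent with itself and changes the default behaviour: it still says "Allowed values are audit or enforce." while making "" a meaningful value, and it moves the default from "audit" to background-only mode, so an existing validate policy that omits validationFailureAction would silently stop being evaluated at admission time. Suggest keeping "audit" as the default and introducing an explicit value for background-only mode (as the review comment below proposes), or at minimum listing "" among the allowed values and stating the behaviour change for existing policies.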

can't we add another value say background or background-only instead of an empty string?

@sandeshlmore sandeshlmore Oct 31, 2022

@ApsTomar @samkulkarni20 can you suggest what would be a better value for ValidationFailureAction to introduce background-only mode?

Author

I confirmed this with chipzoller. Please check the upstream issue thread.

@sandeshlmore sandeshlmore marked this pull request as draft November 4, 2022 01:50