
Conversation

@fhielpos
Contributor

@fhielpos fhielpos commented Aug 4, 2025

Explanation

This PR implements the use of namespaceSelector for failureActionOverrides inside the validate section of ClusterPolicies. This feature was previously available as part of validationFailureActionOverrides, but since its deprecation it has stopped working.

Related issue

Closes #11601

Milestone of this PR

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind feature

Proof Manifests

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-latest-tag
spec:
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-image-tag
    skipBackgroundRequests: true
    validate:
      failureAction: Audit
      failureActionOverrides:
        - action: Enforce
          namespaceSelector:
            matchExpressions:
              - key: enforce
                operator: In
                values:
                  - "true"
        - action: Audit
          namespaceSelector:
            matchExpressions:
              - key: enforce
                operator: In
                values:
                  - "false"
      # A validate rule needs a pattern (or equivalent) to be accepted; the
      # standard disallow-latest-tag pattern is supplied here so the rule
      # actually has something to reject in the enforce namespace.
      message: "Using a mutable image tag such as 'latest' is not allowed."
      pattern:
        spec:
          containers:
          - image: "!*:latest"

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments
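The resolution that the proof manifest relies on, as an added example that is neither Kyverno's code nor part of this PR: given the labels of a resource's namespace, walk the overrides in order, apply Kubernetes label-selector semantics (In, NotIn, Exists, DoesNotExist) to each namespaceSelector, and fall back to the rule-level failureAction when nothing matches. The type names, the first-match ordering and the sample namespaces are assumptions made for the illustration; it also adds a check a practitioner would want before trusting overrides for enforcement, listing namespaces that match no override and therefore silently stay in the default mode.

```go
package main

import "fmt"

// Added illustration (not Kyverno's code) of how a failureActionOverride chosen by
// namespaceSelector is resolved. Type names, the first-match rule and the sample
// namespaces below are assumptions made for this example.

type Requirement struct { // one namespaceSelector.matchExpressions entry
	Key      string
	Operator string // In, NotIn, Exists, DoesNotExist
	Values   []string
}

type NamespaceSelector struct { // matchExpressions only; matchLabels omitted here
	MatchExpressions []Requirement
}

type Override struct { // one failureActionOverrides entry
	Action   string // "Audit" or "Enforce"
	Selector NamespaceSelector
}

type Namespace struct { // constructed stand-in for a namespace and its labels
	Name   string
	Labels map[string]string
}

// matches applies the standard Kubernetes semantics for one requirement.
func (r Requirement) matches(labels map[string]string) bool {
	v, present := labels[r.Key]
	switch r.Operator {
	case "Exists":
		return present
	case "DoesNotExist":
		return !present
	case "In", "NotIn":
		found := false
		for _, want := range r.Values {
			found = found || (present && want == v)
		}
		return found == (r.Operator == "In") // NotIn also matches when the key is absent
	}
	return false // unknown operator never matches
}

// Matches ANDs all terms; as in Kubernetes an empty selector matches every
// namespace, so an override with no selector would apply everywhere.
func (s NamespaceSelector) Matches(labels map[string]string) bool {
	for _, r := range s.MatchExpressions {
		if !r.matches(labels) {
			return false
		}
	}
	return true
}

// ResolveFailureAction: first matching override wins (assumption); otherwise the rule-level failureAction applies.
func ResolveFailureAction(defaultAction string, overrides []Override, nsLabels map[string]string) string {
	for _, o := range overrides {
		if o.Selector.Matches(nsLabels) {
			return o.Action
		}
	}
	return defaultAction
}

// UncoveredNamespaces lists namespaces matched by no override; they silently
// inherit the default action, which is worth checking before relying on overrides.
func UncoveredNamespaces(overrides []Override, namespaces []Namespace) []string {
	var out []string
	for _, ns := range namespaces {
		if ResolveFailureAction("", overrides, ns.Labels) == "" {
			out = append(out, ns.Name)
		}
	}
	return out
}

// ProofManifestOverrides reproduces the two overrides from the proof manifest.
func ProofManifestOverrides() []Override {
	sel := func(v string) NamespaceSelector {
		return NamespaceSelector{MatchExpressions: []Requirement{{Key: "enforce", Operator: "In", Values: []string{v}}}}
	}
	return []Override{{Action: "Enforce", Selector: sel("true")}, {Action: "Audit", Selector: sel("false")}}
}

func main() {
	namespaces := []Namespace{ // constructed sample namespaces, not from the page
		{Name: "prod", Labels: map[string]string{"enforce": "true"}},
		{Name: "dev", Labels: map[string]string{"enforce": "false"}},
		{Name: "default"},
	}
	overrides := ProofManifestOverrides()
	for _, ns := range namespaces {
		fmt.Printf("%-8s -> %s\n", ns.Name, ResolveFailureAction("Audit", overrides, ns.Labels))
	}
	fmt.Println("falling back to the default action:", UncoveredNamespaces(overrides, namespaces))
}
```

With the manifest's two overrides, a namespace labelled enforce=true resolves to Enforce, enforce=false to Audit, and an unlabelled namespace gets the rule-level Audit. The second override in the manifest is therefore redundant with the default; what matters operationally is the uncovered set, since any namespace nobody labelled stays in audit mode without any signal in the policy report.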

@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Aug 4, 2025
@fhielpos fhielpos changed the title feat: Implement failureActionOverrides labelSelector feat: Implement failureActionOverrides namespaceSelector Aug 4, 2025
@fhielpos fhielpos force-pushed the implement-overrides-labelselector branch from 785be83 to 528e1e3 Compare August 6, 2025 01:15
@fhielpos fhielpos force-pushed the implement-overrides-labelselector branch from 97769ab to 3299a06 Compare August 6, 2025 01:19
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:L This PR changes 100-499 lines, ignoring generated files. labels Aug 6, 2025
@fhielpos fhielpos force-pushed the implement-overrides-labelselector branch from 3299a06 to 5b27116 Compare August 6, 2025 01:21
@dosubot dosubot bot added size:L This PR changes 100-499 lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Aug 6, 2025
@codecov

codecov bot commented Aug 6, 2025

Codecov Report

❌ Patch coverage is 55.00000% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 13.85%. Comparing base (90ce462) to head (8f148b0).

Files with missing lines Patch % Lines
pkg/webhooks/resource/validation/validation.go 0.00% 7 Missing ⚠️
pkg/webhooks/resource/handlers.go 58.33% 4 Missing and 1 partial ⚠️
pkg/utils/engine/labels.go 0.00% 3 Missing and 1 partial ⚠️
pkg/policycache/cache.go 88.23% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main   #13750   +/-   ##
=======================================
  Coverage   13.85%   13.85%           
=======================================
  Files        1083     1083           
  Lines      104174   104198   +24     
=======================================
+ Hits        14430    14440   +10     
- Misses      88007    88019   +12     
- Partials     1737     1739    +2     


Contributor

@MariamFahmy98 MariamFahmy98 left a comment


Thank you for your contribution! I added some comments.

@fhielpos
Contributor Author

Hey @MariamFahmy98, just checking if you need anything else from me here.

@fhielpos fhielpos requested a review from MariamFahmy98 August 27, 2025 12:50
@fhielpos
Contributor Author

Hey @MariamFahmy98, just checking in to see if there is something else I could do here 😄

@fhielpos
Contributor Author

Hello @MariamFahmy98, could you review this again? Thank you 😄

Contributor

@MariamFahmy98 MariamFahmy98 left a comment


Apologies for the delayed review. Overall, it looks good to me. Could you please add a Chainsaw test using the same policy as in the proof-of-manifests? The idea is to test creating a bad resource in both namespaces; one should be allowed since it's in audit mode, while the other should be rejected because it's in enforce mode.

Signed-off-by: Franco <[email protected]>
@fhielpos fhielpos force-pushed the implement-overrides-labelselector branch from cec5a40 to 02b53b8 Compare October 14, 2025 17:17
@fhielpos
Contributor Author

I created the Chainsaw tests, will let it run and see how it goes 😄

@fhielpos
Contributor Author

@MariamFahmy98 , anything else to be done here? Thanks 😄

@stone-z

stone-z commented Nov 6, 2025

This PR is labeled for 1.16 - does the cherry-pick label mean it will also be included in any earlier releases?


Labels

cherry-pick-required milestone 1.16.0 size:L This PR changes 100-499 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

[Feature] support namespaceSelector in failureActionOverrides

4 participants