diff --git a/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml b/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
index 6aab476cdb926..4bbe9a6fb6540 100644
--- a/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
+++ b/image/templates/helm/stackrox-secured-cluster/internal/config-shape.yaml
@@ -113,6 +113,7 @@ admissionControl:
 hostAliases: null # [dict]
 priorityClassName: null # string
 namespaceSelector: null # dict
+ failurePolicy: null # string
 collector:
 forceCollectionMethod: null # bool
 collectionMethod: null # string
diff --git a/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl b/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
index 0b6a876c3ebb7..3abd5b6d169ad 100644
--- a/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
+++ b/image/templates/helm/stackrox-secured-cluster/internal/defaults/30-base-config.yaml.htpl
@@ -76,6 +76,7 @@ admissionControl:
 timeout: 10
 enforceOnUpdates: false
 replicas: 3
+ failurePolicy: Ignore
 affinity:
 nodeAffinity:
diff --git a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
index 16193f6e13edc..cbf3b7cbfc118 100644
--- a/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
+++ b/image/templates/helm/stackrox-secured-cluster/templates/admission-controller.yaml
@@ -235,7 +235,7 @@ webhooks:
 - kube-public
 - istio-system
 {{- end }}
- failurePolicy: Ignore
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service:
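Review bot: The new default `failurePolicy: Ignore` is fail-open — when the admission-control service is unreachable or does not answer within the `timeout: 10` just above (presumably the webhook timeout), the API server admits the request unchecked — and nothing in the defaults file says so, which is exactly the kind of security trade-off an operator should see at the point of override. Add a comment above the new line, e.g. `# Ignore = fail-open: requests are admitted when the webhook is unavailable or times out. Set to Fail for fail-closed behaviour (an admission-control outage then blocks every matched operation).` The enclosing `admissionControl:` mapping starts before this hunk.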
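Review bot: `failurePolicy: {{ ._rox.admissionControl.failurePolicy }}` renders the value unquoted and unvalidated, so anything other than `Ignore` or `Fail` — a lowercase `fail`, an empty string, or a null from a values override — is only caught at apply time by the API server, and for an omitted/null value the `admissionregistration.k8s.io/v1` default is `Fail`, which silently flips this webhook fail-closed (the apiVersion is outside the hunk; confirm it is v1). Validate once during rendering and fail with a clear message; the same lookup is rendered again for the second webhook further down the file, so a single variable set at the top (or a named template) keeps the check in one place. The `webhooks:` list this hunk belongs to starts before the hunk.

```yaml
{{- $failurePolicy := ._rox.admissionControl.failurePolicy }}
{{- if not (has $failurePolicy (list "Ignore" "Fail")) }}
  {{- fail (printf "admissionControl.failurePolicy must be \"Ignore\" or \"Fail\", got %q" $failurePolicy) }}
{{- end }}
# … unchanged: webhooks list, namespaceSelector …
      failurePolicy: {{ $failurePolicy | quote }}
# … unchanged: clientConfig / caBundle / service …
```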
@@ -261,7 +261,7 @@ webhooks:
 - pods
 - pods/exec
 - pods/portforward
- failurePolicy: Ignore
+ failurePolicy: {{ ._rox.admissionControl.failurePolicy }}
 clientConfig:
 caBundle: {{ required "The 'ca.cert' config option MUST be set to StackRox's Service CA certificate in order for the admission controller to be usable" ._rox.ca._cert | b64enc }}
 service:
diff --git a/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example b/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
index b7336cf713ac4..4bd2a16398065 100644
--- a/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
+++ b/image/templates/helm/stackrox-secured-cluster/values-public.yaml.example
@@ -307,6 +307,10 @@
 # cert: null
 # key: null
 #
+# # Failure Policy from the admission configuration
+# # Available values: Ignore|Fail
+# failurePolicy: Ignore
+#
 ## Collector specific configuration.
 #collector:
 #
diff --git a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
index 8924b27fa47e3..5090503d3c8ed 100644
--- a/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
+++ b/pkg/helm/charts/tests/securedclusterservices/testdata/helmtest/admission-control.test.yaml
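Review bot: The pods/exec and pods/portforward webhook now takes the same `failurePolicy` as the create/update webhook, and under `Fail` an admission-control outage blocks `kubectl exec` and `port-forward` into every pod in any namespace this webhook matches — including, as far as this hunk shows, the namespace running admission-control itself unless its namespaceSelector excludes it (the selector is outside the hunk; verify). That is a lock-out hazard worth stating next to the line, e.g. `# With Fail this webhook is fail-closed for exec/portforward while admission-control is down; the stackrox namespace must stay excluded via namespaceSelector so operators can still reach the controller pods.` The `webhooks:` list continues above this hunk.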
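Review bot: The example comment `# Failure Policy from the admission configuration` names the field but not what the two values do, which is the one thing a user choosing between them needs to know. Reword it to `# Failure policy of the admission webhooks when the admission-control service is unavailable or times out: Ignore admits the request (fail-open, default), Fail rejects it (fail-closed; an outage then blocks the affected operations).` and keep the `# Available values: Ignore|Fail` line as is.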
@@ -161,3 +161,21 @@ tests:
 - istio-system
 expect: |
 .validatingwebhookconfigurations[].webhooks[].namespaceSelector.matchExpressions | assertThat(length == 2)
+
+- name: "Admission Controller Failure Policy"
+ tests:
+ - name: "default failure policy ignore"
+ values:
+ admissionControl:
+ listenOnCreates: true
+ listenOnEvents: false
+ expect: |
+ .validatingwebhookconfigurations[].webhooks[].failurePolicy | assertThat(. == "Ignore")
+ - name: "override failurePolicy to fail"
+ values:
+ admissionControl:
+ listenOnCreates: true
+ listenOnEvents: false
+ failurePolicy: "Fail"
+ expect: |
+ .validatingwebhookconfigurations[].webhooks[].failurePolicy | assertThat(. == "Fail")
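Review bot: Both new cases set `listenOnEvents: false`, so `.validatingwebhookconfigurations[].webhooks[].failurePolicy` is only checked on the create/update webhook; the second webhook (pods/exec, pods/portforward) that the template change also parameterises is never rendered here, and nothing asserts that an invalid value is rejected rather than passed through to the API server. Add a case with `listenOnEvents: true` and `failurePolicy: "Fail"` whose expectation walks both webhooks, e.g. `[.validatingwebhookconfigurations[].webhooks[].failurePolicy] | assertThat(length == 2 and all(. == "Fail"))`, plus a negative case such as `failurePolicy: "fail"` marked as an expected render error if the helmtest harness supports that (its option names are outside this hunk; confirm). The enclosing `tests:` list starts before the hunk.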