ROX-30034,ROX-29995,ROX-29996: New admission controller options: fail… by clickboo · Pull Request #16149 · stackrox/stackrox

clickboo · Jul 24, 2025

…ure policy and enforcement opt out.

Description

Two new command line flags to roxctl sensor generate to configure failure policy and opt out of enforcement.
Defaults to fail open and enforcement turned on. Ensures defaults are adhered to.
Corresponding helm changes - when a cluster is created in the datastore from the helm config - addition of support for new field.
Addition of necessary proto variables to the Static configuration of the cluster.
Necessary values.yaml.htpl changes to plumb through the roxctl option value into the rendered install bundle.

@pedrottimark Keeping you in the loop for proto changes.
@mclasmeier Would like you to review the Helm changes for sure, if not all the changes.
@kcarmichael08 Keeping you in the loop for context on subsequent doc changes that will be needed.

Note: I am aware of the need for backport for this PR. I am ironing out some details based on this related PR to figure which backport labels to add (also will need to remove feature flag, and I await the reviewers thoughts on this)

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

roxctl bundle generation with option combinations (enforce options old and new, and the new failure policy option) to ensure correct bundle generation. Results as expected.

rhacs-bot · Jul 24, 2025

Images are ready for the commit at 81c97ed.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.9.x-371-g81c97ed0b7.

codecov · Jul 24, 2025

Codecov Report

❌ Patch coverage is 15.62500% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.84%. Comparing base (ab2837a) to head (81c97ed).
⚠️ Report is 4 commits behind head on master.

Files with missing lines	Patch %	Lines
roxctl/sensor/generate/generate.go	5.26%	17 Missing and 1 partial ⚠️
central/graphql/resolvers/generated.go	25.00%	6 Missing ⚠️
central/cluster/datastore/datastore_impl.go	25.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #16149      +/-   ##
==========================================
- Coverage   48.85%   48.84%   -0.01%     
==========================================
  Files        2611     2611              
  Lines      192812   192841      +29     
==========================================
+ Hits        94189    94200      +11     
- Misses      91206    91224      +18     
  Partials     7417     7417

Flag	Coverage Δ
go-unit-tests	`48.84% <15.62%> (-0.01%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

central/cluster/datastore/datastore_impl.go

roxctl/sensor/generate/generate.go

mclasmeier · Jul 28, 2025

@clickboo,

regarding

@mclasmeier Would like you to review the Helm changes for sure, if not all the changes.

I don't see Helm changes in this PR?

clickboo · Jul 28, 2025

@clickboo,

regarding

@mclasmeier Would like you to review the Helm changes for sure, if not all the changes.

I don't see Helm changes in this PR?

I've tagged you on the relevant section in the PR - look out for my comments.

janisz

roxctl part looks good

proto/storage/cluster.proto

central/cluster/datastore/datastore_impl.go

roxctl/sensor/generate/generate.go

image/templates/helm/stackrox-secured-cluster/values.yaml.htpl

central/cluster/datastore/datastore_impl.go

image/templates/helm/stackrox-secured-cluster/values.yaml.htpl

roxctl/sensor/generate/generate.go

The file and these defaults have always existed and so has the code logic. If they were always wrong, I do not know - it is for teams working on Helm(install team) and senseco to figure it out since it falls under your area of expertise and responsibility. I changed the defaults on this file to match the defaults in roxctl (which I also changed) - I believe that to be correct. Hence I am dismissing the review.

If you still think the values file is an issue, I recommend you file an appropriate task under the epics you are working on to make modifications based on your subject matter expertise. I do not believe it makes sense to block this PR on that future work.

central/clusters/zip/render_test.go

image/templates/helm/stackrox-secured-cluster/values.yaml.htpl

roxctl/sensor/generate/generate.go

mclasmeier

As discussed, would be nice IMHO to make the deprecation warnings more concise.

…ure policy and enforcement opt out.

#16149)

clickboo requested review from a team as code owners July 24, 2025 08:57

github-actions bot added area/roxctl area/central labels Jul 24, 2025

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch from 0137455 to b0d55fc Compare July 24, 2025 10:12

clickboo added the ci-all-qa-tests Tells CI to run all API tests (not just BAT). label Jul 24, 2025

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch 3 times, most recently from e5679db to 5ad4fe3 Compare July 25, 2025 09:46

clickboo requested review from janisz, kcarmichael08, mclasmeier and pedrottimark July 25, 2025 16:29

clickboo commented Jul 28, 2025

View reviewed changes

central/cluster/datastore/datastore_impl.go Show resolved Hide resolved

mclasmeier reviewed Jul 28, 2025

View reviewed changes

roxctl/sensor/generate/generate.go Outdated Show resolved Hide resolved

github-actions bot added the area/helm label Jul 28, 2025

clickboo requested a review from mclasmeier July 28, 2025 10:13

janisz reviewed Jul 28, 2025

View reviewed changes

mclasmeier reviewed Jul 28, 2025

View reviewed changes

proto/storage/cluster.proto Outdated Show resolved Hide resolved

parametalol reviewed Jul 28, 2025

View reviewed changes

central/cluster/datastore/datastore_impl.go Outdated Show resolved Hide resolved

roxctl/sensor/generate/generate.go Outdated Show resolved Hide resolved

clickboo requested review from janisz, mclasmeier and parametalol July 29, 2025 04:14

janisz reviewed Jul 29, 2025

View reviewed changes

image/templates/helm/stackrox-secured-cluster/values.yaml.htpl Outdated Show resolved Hide resolved

mclasmeier reviewed Jul 29, 2025

View reviewed changes

central/cluster/datastore/datastore_impl.go Show resolved Hide resolved

central/cluster/datastore/datastore_impl.go Show resolved Hide resolved

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch from 8657f42 to fa93bb9 Compare July 29, 2025 13:31

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch from 7d5cbc2 to 278d4b7 Compare July 29, 2025 15:20

clickboo requested a review from janisz July 29, 2025 18:23

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch from 838e6de to 781889b Compare July 30, 2025 05:28

mclasmeier previously requested changes Jul 30, 2025

View reviewed changes

image/templates/helm/stackrox-secured-cluster/values.yaml.htpl Show resolved Hide resolved

roxctl/sensor/generate/generate.go Outdated Show resolved Hide resolved

clickboo requested a review from mclasmeier July 30, 2025 14:05

mclasmeier requested changes Jul 31, 2025

View reviewed changes

clickboo requested review from mclasmeier and porridge July 31, 2025 13:30

mclasmeier approved these changes Aug 1, 2025

View reviewed changes

ROX-30034,ROX-29995,ROX-29996: New admission controller options: fail…

81c97ed

…ure policy and enforcement opt out.

clickboo force-pushed the boo-roxctl-adm-ctrl-new-options branch from 460d59c to 81c97ed Compare August 1, 2025 09:11

janisz approved these changes Aug 1, 2025

View reviewed changes

clickboo merged commit ccc50db into master Aug 1, 2025
95 of 97 checks passed

clickboo deleted the boo-roxctl-adm-ctrl-new-options branch August 1, 2025 13:59

Stringy pushed a commit that referenced this pull request Aug 15, 2025

ROX-30034,ROX-29995,ROX-29996: New admission controller options: fail… (

e233c8e

#16149)

Search code, repositories, users, issues, pull requests...

Comments

Conversation

clickboo commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

rhacs-bot commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Jul 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

mclasmeier commented Jul 28, 2025

Uh oh!

clickboo commented Jul 28, 2025

Uh oh!

janisz left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mclasmeier left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

clickboo commented Jul 24, 2025 •

edited

Loading

rhacs-bot commented Jul 24, 2025 •

edited

Loading

codecov bot commented Jul 24, 2025 •

edited

Loading