Merged
5 changes: 5 additions & 0 deletions 5 CHANGELOG.md
Expand Up @@ -19,6 +19,11 @@ Changes should still be described appropriately in JIRA/doc input pages, for inc
- ROX-30100: Incorrect defaults for admission controller related configuration options in "roxctl sensor generate" have been fixed. The admission controller will be deployed and configured
for policy evaluation and enforcement as well as image scanning, out of the box - without requiring a user to specify command line
options to "roxctl sensor generate".
- ROX-30034,ROX-29995,ROX-29996: Support for two new admission controller configuration related options in roxctl sensor generate
- `--admission-controller-enforcement` defaults to true. If set to false, admission controller webhook will be
configured to not enforce policies on any admission review request.
- `--admission-controller-fail-on-error` defaults to false, which means admission controller webhook will fail open.
If set to true, the admission controller webhook will fail closed i.e. the review request will be blocked in case of timeouts or errors.

### Removed Features

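Review bot: The `--admission-controller-fail-on-error` entry describes its default (false) only as "will fail open", while the fail-closed case is spelled out. State the consequence of the default as well: on timeouts or errors the review request is allowed through. That is the out-of-the-box behavior, so readers deciding whether to set the flag need to see it. The ROX-30034 line should also quote the command as "roxctl sensor generate", to match the ROX-30100 entry above it.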
4 changes: 4 additions & 0 deletions 4 central/cluster/datastore/datastore_impl.go
Expand Up @@ -1052,6 +1052,10 @@ func configureFromHelmConfig(cluster *storage.Cluster, helmConfig *storage.Compl
cluster.AdmissionControllerEvents = staticConfig.GetAdmissionControllerEvents()
cluster.TolerationsConfig = staticConfig.GetTolerationsConfig().CloneVT()
cluster.SlimCollector = staticConfig.GetSlimCollector()
cluster.AdmissionControllerFailOnError = false
if features.AdmissionControllerConfig.Enabled() {
cluster.AdmissionControllerFailOnError = staticConfig.GetAdmissionControllerFailureOnError()
}
}

func (ds *datastoreImpl) collectClusters(ctx context.Context) ([]*storage.Cluster, error) {
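Review bot: In configureFromHelmConfig, the value of `staticConfig.GetAdmissionControllerFailureOnError()` is dropped without any trace when `features.AdmissionControllerConfig` is disabled, so a Helm configuration that asks for fail-closed is stored as fail-open. Consider logging a warning when the Helm value is true but the feature flag is off, or add a comment on the `cluster.AdmissionControllerFailOnError = false` line explaining why false is forced. The cluster field is named `AdmissionControllerFailOnError` while the static config getter uses `FailureOnError`; if the two names are intentional, a short comment would save the next reader a lookup.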
1 change: 1 addition & 0 deletions 1 central/clusters/deployer.go
Expand Up @@ -169,6 +169,7 @@ func getBaseMetaValues(c *storage.Cluster, versions version.Versions, scannerSli
ScanInline: c.GetDynamicConfig().GetAdmissionControllerConfig().GetScanInline(),
AdmissionControllerEnabled: c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnabled(),
AdmissionControlEnforceOnUpdates: c.GetDynamicConfig().GetAdmissionControllerConfig().GetEnforceOnUpdates(),
AdmissionControllerFailOnError: c.AdmissionControllerFailOnError,
ReleaseBuild: buildinfo.ReleaseBuild,

EnablePodSecurityPolicies: false,
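Review bot: The new `AdmissionControllerFailOnError` line in getBaseMetaValues reads the struct field directly (`c.AdmissionControllerFailOnError`), while the neighboring values all go through getters (`c.GetDynamicConfig().GetAdmissionControllerConfig()...`). Prefer the generated getter on `c` for this field (assuming the regenerated cluster.pb.go provides one, as it does for the other fields), so the access stays nil-safe and consistent with the rest of the literal. This value also comes from the top-level cluster object rather than from the dynamic admission controller config used on the three lines above it; a brief comment saying so would help.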
12 changes: 12 additions & 0 deletions 12 central/graphql/resolvers/generated.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 13 additions & 2 deletions 15 generated/api/v1/cluster_service.swagger.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

65 changes: 42 additions & 23 deletions 65 generated/storage/cluster.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
