Background
Currently Policy Reporter in default configuration "deduplicates" reports for controllers:
sourceFilters:
- selector:
source: kyverno
uncontrolledOnly: true
disableClusterReports: false
kinds:
exclude: [ReplicaSet]
This filters out:
- controlled Pods
- controlled Jobs
- ALL ReplicaSets
This is a follow-up to issue #1142
Expected behavior
When uncontrolledOnly: true is set (and kinds.exclude is unset):
- ReplicaSets are only filtered out if they're owned by
Deployment
Impact
Current defaults allow trivial "bypasses" of policy-reporter: for example, if an invalid resource is created using an unmanaged ReplicaSet directly, without a Deployment
Fix caveats
If this issue is fixed it might change behavior for non-standard controllers (i.e. Argo Rollouts) by sending reports for all ReplicaSets of a such controller.
Maybe configuration should be made more explicit and allow listing additional owner-resource references, so it will be possible to list more kinds with their respective owner kinds.
Background
Currently Policy Reporter in default configuration "deduplicates" reports for controllers:
This filters out:
This is a follow-up to issue #1142
Expected behavior
When
uncontrolledOnly: trueis set (and kinds.exclude is unset):DeploymentImpact
Current defaults allow trivial "bypasses" of policy-reporter: for example, if an invalid resource is created using an unmanaged ReplicaSet directly, without a Deployment
Fix caveats
If this issue is fixed it might change behavior for non-standard controllers (i.e. Argo Rollouts) by sending reports for all ReplicaSets of a such controller.
Maybe configuration should be made more explicit and allow listing additional owner-resource references, so it will be possible to list more kinds with their respective owner kinds.