document warn enforcement action (#1259)

open-policy-agent · Apr 17, 2021 · ecd1148 · ecd1148
1 parent 05a8180
commit ecd1148
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/website/docs/metrics.md b/website/docs/metrics.md
@@ -13,7 +13,7 @@ Below are the list of metrics provided by Gatekeeper:
 
     Tags:
 
-    - `enforcement_action`: [`deny`, `dryrun`]
+    - `enforcement_action`: [`deny`, `dryrun`, `warn`]
 
     - `status`: [`active`, `error`]
 
@@ -81,7 +81,7 @@ Below are the list of metrics provided by Gatekeeper:
 
     Tags:
 
-    - `enforcement_action`: [`deny`, `dryrun`]
+    - `enforcement_action`: [`deny`, `dryrun`, `warn`]
 
     Aggregation: `LastValue`
 

diff --git a/website/docs/violations.md b/website/docs/violations.md
@@ -5,10 +5,10 @@ title: Handling Constraint Violations
 
 ## Log denies
 
-Set the `--log-denies` flag to log all denies and dryrun failures.
+Set the `--log-denies` flag to log all deny, dryrun and warn failures.
 This is useful when trying to see what is being denied/fails dry-run and keeping a log to debug cluster problems without having to enable syncing or looking through the status of all constraints.
 
-## Dry Run
+## Dry Run enforcement action
 
 When rolling out new constraints to running clusters, the dry run functionality can be helpful as it enables constraints to be deployed in the cluster without making actual changes. This allows constraints to be tested in a running cluster without enforcing them. Cluster resources that are impacted by the dry run constraint are surfaced as violations in the `status` field of the constraint.
 
@@ -42,4 +42,32 @@ status:
     name: gatekeeper-system
 
 ```
-> NOTE: The supported enforcementActions are [`deny`, `dryrun`] for constraints. Update the `--disable-enforcementaction-validation=true` flag if the desire is to disable enforcementAction validation against the list of supported enforcementActions.
+
+## Warn enforcement action
+
+Warn enforcement action offers the same benefits as dry run, such as testing constraints without enforcing them. In addition to this, it will also provide immediate feedback on why that constraint would have been denied. It is available in Gatekeeper v3.4+ with Kubernetes v1.19+.
+
+```yaml
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sAllowedRepos
+metadata:
+  name: repo-is-openpolicyagent
+spec:
+  enforcementAction: warn
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+  parameters:
+    repos:
+      - "openpolicyagent"
+```
+
+```shell
+$ kubectl apply pod.yaml
+Warning: [prod-repo-is-openpolicyagent] container <nginx> has an invalid image repo <nginx>, allowed repos are ["openpolicyagent"]
+pod/pause created
+```
+
+
+> NOTE: The supported enforcementActions are [`deny`, `dryrun`, `warn`] for constraints. Update the `--disable-enforcementaction-validation=true` flag if the desire is to disable enforcementAction validation against the list of supported enforcementActions.