diff --git a/website/docs/metrics.md b/website/docs/metrics.md index 14a5d416bdf..e336e932acb 100644 --- a/website/docs/metrics.md +++ b/website/docs/metrics.md @@ -13,7 +13,7 @@ Below are the list of metrics provided by Gatekeeper: Tags: - - `enforcement_action`: [`deny`, `dryrun`] + - `enforcement_action`: [`deny`, `dryrun`, `warn`] - `status`: [`active`, `error`] @@ -81,7 +81,7 @@ Below are the list of metrics provided by Gatekeeper: Tags: - - `enforcement_action`: [`deny`, `dryrun`] + - `enforcement_action`: [`deny`, `dryrun`, `warn`] Aggregation: `LastValue` diff --git a/website/docs/violations.md b/website/docs/violations.md index 5d8f15136c4..7d1b0215526 100644 --- a/website/docs/violations.md +++ b/website/docs/violations.md @@ -5,10 +5,10 @@ title: Handling Constraint Violations ## Log denies -Set the `--log-denies` flag to log all denies and dryrun failures. +Set the `--log-denies` flag to log all deny, dryrun and warn failures. This is useful when trying to see what is being denied/fails dry-run and keeping a log to debug cluster problems without having to enable syncing or looking through the status of all constraints. -## Dry Run +## Dry Run enforcement action When rolling out new constraints to running clusters, the dry run functionality can be helpful as it enables constraints to be deployed in the cluster without making actual changes. This allows constraints to be tested in a running cluster without enforcing them. Cluster resources that are impacted by the dry run constraint are surfaced as violations in the `status` field of the constraint. 
@@ -42,4 +42,32 @@ status: name: gatekeeper-system ``` -> NOTE: The supported enforcementActions are [`deny`, `dryrun`] for constraints. Update the `--disable-enforcementaction-validation=true` flag if the desire is to disable enforcementAction validation against the list of supported enforcementActions. + +## Warn enforcement action + +Warn enforcement action offers the same benefits as dry run, such as testing constraints without enforcing them. In addition to this, it will also provide immediate feedback on why that constraint would have been denied. It is available in Gatekeeper v3.4+ with Kubernetes v1.19+. + +```yaml +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sAllowedRepos +metadata: + name: repo-is-openpolicyagent +spec: + enforcementAction: warn + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + repos: + - "openpolicyagent" +``` + +```shell +$ kubectl apply pod.yaml +Warning: [prod-repo-is-openpolicyagent] container has an invalid image repo , allowed repos are ["openpolicyagent"] +pod/pause created +``` + + +> NOTE: The supported enforcementActions are [`deny`, `dryrun`, `warn`] for constraints. Update the `--disable-enforcementaction-validation=true` flag if the desire is to disable enforcementAction validation against the list of supported enforcementActions.
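Review bot: the shell example in the new `## Warn enforcement action` section will not run as shown: `kubectl apply pod.yaml` is missing the file flag and should read `kubectl apply -f pod.yaml`. In the same hunk, the constraint manifest is named `repo-is-openpolicyagent` but the admission warning is attributed to `[prod-repo-is-openpolicyagent]`; make the two names agree so a reader can map the warning back to the constraint that emitted it, which is the whole point of `warn` giving immediate feedback without blocking the request. Minor wording in the updated NOTE: "Update the `--disable-enforcementaction-validation=true` flag" reads better as "Set the `--disable-enforcementaction-validation=true` flag".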