Skip to content

feat: add kyverno ecr pull requirement policy#605

Merged
rifisdfds merged 18 commits into
mainfrom
feat/kyverno-policy-requirement-ecr
Jul 2, 2026
Merged

feat: add kyverno ecr pull requirement policy#605
rifisdfds merged 18 commits into
mainfrom
feat/kyverno-policy-requirement-ecr

Conversation

@rifisdfds

@rifisdfds rifisdfds commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

This PR adds a kyverno policy for our ECR Pull Policy requirement

It will emit a warning if the service that ecr-pull-compliance-exporter service is not available (as will be the case in environments other than prod), but ultimately not fail even when our policies are changed from warn to enforce

Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated

@wcarlsen wcarlsen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like it. My main concern here is that it doesn't act on resources that are abstractions of Pods (Deployments, StatefullSets, ...), enforcement is "soft" and that this a production exclusive feature, making it hard to catch our own mistakes before being potentially blocked in production. But you are already aware of the latter, so no changes required on that one.

Comment thread apps/kyverno/policies/hard-requirement/ecr-pull-policy.yaml Outdated
@rifisdfds rifisdfds marked this pull request as ready for review July 1, 2026 09:25
@rifisdfds rifisdfds requested a review from a team as a code owner July 1, 2026 09:25
@rifisdfds rifisdfds requested review from SEQUOIIA and wcarlsen July 1, 2026 09:25
@rifisdfds

Copy link
Copy Markdown
Contributor Author

I have migrated this over to a ValidatingPolicy. I cannot get Autogen to work with ValdatingPolicy with our current version of Kyverno so I have been explicit about the resources.

I also cannot recreate the functionality where it would warn if the check service is unavailable which I do not like, now it just fails silently. But we did agree to not block if the service is unavailable.

The only workaround for this I can think of is to add an extra policy specifically checking for the availability of that service and warn if it cannot check. Thoughts now @wcarlsen @SEQUOIIA?

resources:
- deployments
- statefulsets
- daemonsets

@wcarlsen wcarlsen Jul 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Teams cannot deploy DaemonSets so do we really need this? If not I don't think we need it here.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I agree here, I've taken it out

).allowed == true
)
message: >-
One or more container images reference an ECR repository that does

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can messages use the info from above expression? So that the user knows which image is violating.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion, seems simpler here than the previous type. I have added it

@wcarlsen wcarlsen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really on the inclusion of DaemonSet needs attention. The stuff on messages is just icing on the cake and not a must.

I strongly prefer this simplified implementation, where there the status evaluation is more binary than the previous implementation.

If any exporters fetches data from Kyverno we need to validate that this works with this new resource.

Also I'm no fan of the non-blocking thingy, which I think defeats the purpose of admission. Failing silently have never been great. But that is a different discussion.

@rifisdfds rifisdfds requested a review from wcarlsen July 1, 2026 13:51

@wcarlsen wcarlsen left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking really nice. Great work

@rifisdfds rifisdfds merged commit 6d02b30 into main Jul 2, 2026
2 checks passed
@rifisdfds rifisdfds deleted the feat/kyverno-policy-requirement-ecr branch July 2, 2026 10:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants