Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[TEP-0091] Add mode for VerificationPolicy #6328

Merged
merged 1 commit into from
Mar 20, 2023
Merged

[TEP-0091] Add mode for VerificationPolicy #6328

merged 1 commit into from
Mar 20, 2023

Conversation

Yongxuanzhang
Copy link
Member

@Yongxuanzhang Yongxuanzhang commented Mar 9, 2023
edited
Loading

Changes

This commit adds the mode field into VerificationPolicy. Mode can be set to enforce or warn. It controls whether a failing policy will fail the taskrun/pipelinerun or only log the warning. When set to enforce, the run will fail. When set to warn, the run won't fail and only log warning.

/kind feature

Part of #6356

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs included if any changes are user facing
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including
    functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Add mode field into VerificationPolicy to controls whether fail taskrun/pipelinerun or not when fails verification

@tekton-robot
Copy link
Collaborator

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Mar 9, 2023
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 9, 2023
@Yongxuanzhang
Copy link
Member Author

/test all

@Yongxuanzhang Yongxuanzhang marked this pull request as ready for review March 10, 2023 20:14
@tekton-robot tekton-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 10, 2023
@Yongxuanzhang
Copy link
Member Author

/assign @wlynch

dibyom
dibyom reviewed Mar 14, 2023
View reviewed changes
pkg/apis/pipeline/v1alpha1/verificationpolicy_types.go
@@ -62,6 +62,10 @@ type VerificationPolicySpec struct {
Resources []ResourcePattern `json:"resources"`
// Authorities defines the rules for validating signatures.
Authorities []Authority `json:"authorities"`
// Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are there docs we need to update with the new Mode field?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not yet, I plan to use this new field in next pr(and add docs there) to keep the PR small. I think we should merge these 2 PRs in one release. So better add this PR to v0.47

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tracking issue here: #6356

@Yongxuanzhang
Copy link
Member Author

This PR is targeting v0.47.
Since v0.46 is not out, should we block this PR?

@Yongxuanzhang Yongxuanzhang mentioned this pull request Mar 14, 2023
Closed
6 tasks
@Yongxuanzhang Yongxuanzhang requested review from wlynch and removed request for pritidesai, bobcatfish and jerop March 14, 2023 20:46
@Yongxuanzhang
Copy link
Member Author

/hold
so this PR will not be merged in release v0.46

@tekton-robot tekton-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 14, 2023
@Yongxuanzhang
Copy link
Member Author

/assign @jerop

@Yongxuanzhang
[TEP-0091] Add mode for VerificationPolicy
42d400e 
This commit adds the mode field into VerificationPolicy. Mode can be set
to `enforce` or `warn`. It controls whether a failing policy will fail
the taskrun/pipelinerun or only log the warning. When set to `enforce`,
the run will fail. When set to `warn`, the run won't fail and only log
warning.

Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
wlynch
wlynch approved these changes Mar 16, 2023
View reviewed changes
Copy link
Member

@wlynch wlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Mar 16, 2023
@tekton-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 16, 2023
@Yongxuanzhang
Copy link
Member Author

Thanks! Let's hold until 0.46 release is out 😄

@Yongxuanzhang
Copy link
Member Author

/hold cancel

@tekton-robot tekton-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 20, 2023
@tekton-robot tekton-robot merged commit 6c2d01c into tektoncd:main Mar 20, 2023
@QuanZhang-William
Copy link
Member

/assign

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dibyom dibyom dibyom left review comments

@wlynch wlynch wlynch approved these changes

Assignees

@wlynch wlynch

@jerop jerop

@QuanZhang-William QuanZhang-William

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/feature Categorizes issue or PR as related to a new feature. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Yongxuanzhang @tekton-robot @QuanZhang-William @wlynch @dibyom @jerop