
Commit ac5ea7b

Merge pull request #733 from fabriziosestito/fix/flag-continue-on-errors
fix: add hidden flag/env to toggle continuing on initialization errors
2 parents 8e07b82 + b4a83bc commit ac5ea7b


5 files changed

+40
-8
lines changed


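--- a/src/cli.rs
+++ b/src/cli.rs
@@ -165,6 +165,11 @@ pub(crate) fn build_cli() -> Command {
 .env("KUBEWARDEN_ENABLE_PPROF")
 .action(ArgAction::SetTrue)
 .help("Enable pprof profiling"),
+Arg::new("continue-on-errors")
+.long("continue-on-errors")
+.env("KUBEWARDEN_CONTINUE_ON_ERRORS")
+.action(ArgAction::SetTrue)
+.hide(true)
 ];
 args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
 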
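Review bot: `Arg::new("continue-on-errors")` has neither a `.help(...)` nor a source comment, and because it is `.hide(true)` nothing in `--help` will ever explain that it turns a failed policy precompile or an invalid policy setting from a startup abort into a server that keeps running without that policy, nor that the same fail-open switch can be flipped through `KUBEWARDEN_CONTINUE_ON_ERRORS` in the deployment environment. I would put that above the `Arg::new` line: `// Hidden fail-open switch: keep starting even if a policy fails to precompile or has invalid settings. Also settable via KUBEWARDEN_CONTINUE_ON_ERRORS.` If the flag is meant only for development or testing, say so in that comment rather than leaving it implied by the hidden status. `build_cli` starts and ends outside the hunk.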
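--- a/src/config.rs
+++ b/src/config.rs
@@ -45,6 +45,7 @@ pub struct Config {
 pub daemon_pid_file: String,
 pub daemon_stdout_file: Option<String>,
 pub daemon_stderr_file: Option<String>,
+pub continue_on_errors: bool,
 }
 
 pub struct TlsConfig {
@@ -137,6 +138,11 @@ impl Config {
 .expect("clap should have assigned a default value")
 .to_owned();
 
+let continue_on_errors = matches
+.get_one::<bool>("continue-on-errors")
+.expect("clap should have assigned a default value")
+.to_owned();
+
 Ok(Self {
 addr,
 sources,
@@ -158,6 +164,7 @@ impl Config {
 daemon_stdout_file,
 daemon_stderr_file,
 enable_pprof,
+continue_on_errors,
 })
 }
 }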

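--- a/src/evaluation/evaluation_environment.rs
+++ b/src/evaluation/evaluation_environment.rs
@@ -79,6 +79,7 @@ impl EvaluationEnvironment {
 always_accept_admission_reviews_on_namespace: Option<String>,
 policy_evaluation_limit_seconds: Option<u64>,
 callback_handler_tx: mpsc::Sender<CallbackRequest>,
+continue_on_errors: bool,
 ) -> Result<Self> {
 let mut eval_env = Self {
 always_accept_admission_reviews_on_namespace,
@@ -114,7 +115,7 @@ impl EvaluationEnvironment {
 )
 .map_err(|e| EvaluationError::BootstrapFailure(e.to_string()))?;
 
-eval_env.validate_settings(policy_id)?;
+eval_env.validate_settings(policy_id, continue_on_errors)?;
 }
 
 Ok(eval_env)
@@ -236,7 +237,11 @@ impl EvaluationEnvironment {
 }
 
 /// Validate the settings the user provided for the given policy
-fn validate_settings(&mut self, policy_id: &str) -> Result<()> {
+fn validate_settings(
+&mut self,
+policy_id: &str,
+continue_on_policy_initialization_errors: bool,
+) -> Result<()> {
 let settings = self.get_policy_settings(policy_id)?;
 let mut evaluator = self.rehydrate(policy_id)?;
 
@@ -249,13 +254,17 @@ impl EvaluationEnvironment {
 valid: false,
 message,
 } => {
-self.policy_initialization_errors.insert(
-policy_id.to_string(),
-format!(
-"Policy settings are invalid: {}",
-message.unwrap_or("no message".to_owned())
-),
+let error_message = format!(
+"Policy settings are invalid: {}",
+message.unwrap_or("no message".to_owned())
 );
+
+if !continue_on_policy_initialization_errors {
+return Err(EvaluationError::PolicyInitialization(error_message));
+}
+
+self.policy_initialization_errors
+.insert(policy_id.to_string(), error_message.clone());
 }
 };
 
@@ -371,6 +380,7 @@ mod tests {
 None,
 None,
 callback_handler_tx,
+true,
 )
 }
 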
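Review bot: The new strict branch in `validate_settings` — `return Err(EvaluationError::PolicyInitialization(error_message))` when the flag is false — gets no coverage from this commit, because the only test change passes `true` to `EvaluationEnvironment::new`, which keeps every existing test on the lenient path. A test that builds the environment with `false` and a policy whose settings come back `valid: false`, asserting `matches!(result, Err(EvaluationError::PolicyInitialization(_)))`, would pin the fail-closed default that the rest of the commit relies on. Separately, `error_message.clone()` on the `.insert(...)` line is a needless allocation since `error_message` is not used afterwards: `.insert(policy_id.to_string(), error_message);`. The loop around the `validate_settings` call in `new` begins before the hunk, and the `valid: false` arm belongs to a `match` whose head is outside it.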
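--- a/src/lib.rs
+++ b/src/lib.rs
@@ -141,13 +141,22 @@ impl PolicyServer {
 let engine = wasmtime::Engine::new(&wasmtime_config)?;
 let precompiled_policies = precompile_policies(&engine, &fetched_policies);
 
+if !config.continue_on_errors {
+for result in precompiled_policies.values() {
+if let Err(error) = result {
+return Err(anyhow!(error.to_string()));
+}
+}
+}
+
 let evaluation_environment = EvaluationEnvironment::new(
 &engine,
 &config.policies,
 &precompiled_policies,
 config.always_accept_admission_reviews_on_namespace,
 config.policy_evaluation_limit_seconds,
 callback_sender_channel.clone(),
+config.continue_on_errors,
 )?;
 
 if let Some(limit) = config.policy_evaluation_limit_seconds {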
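Review bot: The new fail-closed check returns `anyhow!(error.to_string())` without saying which policy failed to precompile — `.values()` discards the map key — so an operator running many policies gets a bare compile error and has to guess which one to fix. Iterate the entries instead (presumably keyed by policy id, since the map is handed to `EvaluationEnvironment::new` next to `&config.policies`): `for (policy_id, result) in &precompiled_policies {` and `return Err(anyhow!("policy '{policy_id}' cannot be precompiled: {error}"));`, using `{policy_id:?}` if the key type is not `Display`. Stringifying also flattens any error source chain; passing the error itself to `anyhow!` or using `.context(...)` keeps it when the error type implements `std::error::Error + Send + Sync + 'static`. Only the first failure aborts startup, so several broken policies surface one restart at a time; collecting all failing ids into one message is a cheap improvement. The enclosing method starts and ends outside the hunk.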

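--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -93,6 +93,7 @@ pub(crate) async fn app() -> Router {
 daemon_stdout_file: None,
 daemon_stderr_file: None,
 enable_pprof: true,
+continue_on_errors: true,
 };
 
 let server = PolicyServer::new_from_config(config).await.unwrap();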
