Merge pull request #733 from fabriziosestito/fix/flag-continue-on-errors

fix: add hidden flag/env to toggle continuing on initialization errors

Author: fabriziosestito

src/cli.rs

@@ -165,6 +165,11 @@ pub(crate) fn build_cli() -> Command {
                 .env("KUBEWARDEN_ENABLE_PPROF")
                 .action(ArgAction::SetTrue)
                 .help("Enable pprof profiling"),
+            Arg::new("continue-on-errors")
+                .long("continue-on-errors")
+                .env("KUBEWARDEN_CONTINUE_ON_ERRORS")
+                .action(ArgAction::SetTrue)
+                .hide(true)
     ];
     args.sort_by(|a, b| a.get_id().cmp(b.get_id()));
 

src/config.rs

@@ -45,6 +45,7 @@ pub struct Config {
     pub daemon_pid_file: String,
     pub daemon_stdout_file: Option<String>,
     pub daemon_stderr_file: Option<String>,
+    pub continue_on_errors: bool,
 }
 
 pub struct TlsConfig {
@@ -137,6 +138,11 @@ impl Config {
             .expect("clap should have assigned a default value")
             .to_owned();
 
+        let continue_on_errors = matches
+            .get_one::<bool>("continue-on-errors")
+            .expect("clap should have assigned a default value")
+            .to_owned();
+
         Ok(Self {
             addr,
             sources,
@@ -158,6 +164,7 @@ impl Config {
             daemon_stdout_file,
             daemon_stderr_file,
             enable_pprof,
+            continue_on_errors,
         })
     }
 }

src/evaluation/evaluation_environment.rs

@@ -79,6 +79,7 @@ impl EvaluationEnvironment {
         always_accept_admission_reviews_on_namespace: Option<String>,
         policy_evaluation_limit_seconds: Option<u64>,
         callback_handler_tx: mpsc::Sender<CallbackRequest>,
+        continue_on_errors: bool,
     ) -> Result<Self> {
         let mut eval_env = Self {
             always_accept_admission_reviews_on_namespace,
@@ -114,7 +115,7 @@ impl EvaluationEnvironment {
                 )
                 .map_err(|e| EvaluationError::BootstrapFailure(e.to_string()))?;
 
-            eval_env.validate_settings(policy_id)?;
+            eval_env.validate_settings(policy_id, continue_on_errors)?;
         }
 
         Ok(eval_env)
@@ -236,7 +237,11 @@ impl EvaluationEnvironment {
     }
 
     /// Validate the settings the user provided for the given policy
-    fn validate_settings(&mut self, policy_id: &str) -> Result<()> {
+    fn validate_settings(
+        &mut self,
+        policy_id: &str,
+        continue_on_policy_initialization_errors: bool,
+    ) -> Result<()> {
         let settings = self.get_policy_settings(policy_id)?;
         let mut evaluator = self.rehydrate(policy_id)?;
 
@@ -249,13 +254,17 @@ impl EvaluationEnvironment {
                 valid: false,
                 message,
             } => {
-                self.policy_initialization_errors.insert(
-                    policy_id.to_string(),
-                    format!(
-                        "Policy settings are invalid: {}",
-                        message.unwrap_or("no message".to_owned())
-                    ),
+                let error_message = format!(
+                    "Policy settings are invalid: {}",
+                    message.unwrap_or("no message".to_owned())
                 );
+
+                if !continue_on_policy_initialization_errors {
+                    return Err(EvaluationError::PolicyInitialization(error_message));
+                }
+
+                self.policy_initialization_errors
+                    .insert(policy_id.to_string(), error_message.clone());
             }
         };
 
@@ -371,6 +380,7 @@ mod tests {
             None,
             None,
             callback_handler_tx,
+            true,
         )
     }
 

src/lib.rs

@@ -141,13 +141,22 @@ impl PolicyServer {
         let engine = wasmtime::Engine::new(&wasmtime_config)?;
         let precompiled_policies = precompile_policies(&engine, &fetched_policies);
 
+        if !config.continue_on_errors {
+            for result in precompiled_policies.values() {
+                if let Err(error) = result {
+                    return Err(anyhow!(error.to_string()));
+                }
+            }
+        }
+
         let evaluation_environment = EvaluationEnvironment::new(
             &engine,
             &config.policies,
             &precompiled_policies,
             config.always_accept_admission_reviews_on_namespace,
             config.policy_evaluation_limit_seconds,
             callback_sender_channel.clone(),
+            config.continue_on_errors,
         )?;
 
         if let Some(limit) = config.policy_evaluation_limit_seconds {

tests/common/mod.rs

@@ -93,6 +93,7 @@ pub(crate) async fn app() -> Router {
         daemon_stdout_file: None,
         daemon_stderr_file: None,
         enable_pprof: true,
+        continue_on_errors: true,
     };
 
     let server = PolicyServer::new_from_config(config).await.unwrap();