Updating exceptions for disallow-latest-and-main-tag and neuvector labels
What does this MR do and why?
This MR is updating the label used for excepting the disallow-latest-and-main-tag policy. By using a single label for all exceptions we decouple managing the VAP from the objects (excepted deployment/cronjob/pod). This label is applied to the neuvector-scanner-pod deployment and to the neuvector-updater-pod cronjob.
Related reference(s)
Test coverage
```shell
kubectl get validatingadmissionpolicybinding disallow-latest-and-main-tag -o yaml
```

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  creationTimestamp: "2025-04-25T15:05:35Z"
  generation: 1
  labels:
    kustomize.toolkit.fluxcd.io/name: validating-admission-policies
    kustomize.toolkit.fluxcd.io/namespace: sylva-system
  name: disallow-latest-and-main-tag
  resourceVersion: "3101"
  uid: 90741620-d9b0-4477-a107-b8bb430e3fb8
spec:
  matchResources:
    matchPolicy: Equivalent
    namespaceSelector: {}
    objectSelector:
      matchExpressions:
      - key: tag-validating-policy.sylva.io
        operator: NotIn
        values:
        - excluded
  policyName: disallow-latest-and-main-tag
  validationActions:
  - Deny
```

```shell
kubectl -n neuvector get deployments neuvector-scanner-pod -o jsonpath='{.metadata.labels} {.spec.template.metadata.labels}'
{"app.kubernetes.io/managed-by":"Helm","chart":"core-2.8.3","helm.toolkit.fluxcd.io/name":"neuvector","helm.toolkit.fluxcd.io/namespace":"sylva-system","release":"neuvector","tag-validating-policy.sylva.io":"excluded"} {"app":"neuvector-scanner-pod","tag-validating-policy.sylva.io":"excluded"}%
➜ kubectl -n neuvector get cronjobs neuvector-updater-pod -o jsonpath='{.metadata.labels} {.spec.jobTemplate.spec.template.metadata.labels}'
{"app.kubernetes.io/managed-by":"Helm","chart":"core-2.8.3","helm.toolkit.fluxcd.io/name":"neuvector","helm.toolkit.fluxcd.io/namespace":"sylva-system","release":"neuvector","tag-validating-policy.sylva.io":"excluded"} {"app":"neuvector-updater-pod","release":"neuvector","tag-validating-policy.sylva.io":"excluded"}%
```
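To reason about which objects the binding above actually validates, here is an added example in Python (written for this review, not code from the MR or the Sylva project) that evaluates a Kubernetes LabelSelector with the same In/NotIn/Exists/DoesNotExist semantics the API server applies to `objectSelector`, and audits a set of workloads for incomplete exceptions. The label key and value and the neuvector-scanner-pod label sets are taken from the kubectl output above; the other workload names, and the assumption that the policy also evaluates the Pods created from a labelled pod template, are constructed for the example. The point worth checking: `NotIn` is satisfied by a missing key, so unlabelled objects stay validated, and only the exact value `excluded` opts out.

```python
"""Added example (not part of this MR or the Sylva project): evaluate the
binding's objectSelector against workload labels to see which objects are
excepted from disallow-latest-and-main-tag and which are still validated."""

from typing import Dict, List, Mapping, Tuple

# Label key and value as used in the binding shown above.
EXCEPTION_KEY = "tag-validating-policy.sylva.io"
EXCEPTION_VALUE = "excluded"

# spec.matchResources.objectSelector of the binding on this page.
BINDING_OBJECT_SELECTOR: Dict = {
    "matchExpressions": [
        {"key": EXCEPTION_KEY, "operator": "NotIn", "values": [EXCEPTION_VALUE]},
    ]
}


def _requirement_matches(req: Mapping, labels: Mapping[str, str]) -> bool:
    """Apply one LabelSelectorRequirement using Kubernetes semantics."""
    key, op = req["key"], req["operator"]
    values = req.get("values") or []
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        # A missing key satisfies NotIn, so unlabelled objects ARE selected
        # (and therefore validated); only the exact value opts out.
        return (not present) or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unsupported operator {op!r}")


def selector_matches(selector: Mapping, labels: Mapping[str, str]) -> bool:
    """True if a LabelSelector selects an object carrying these labels.
    An empty selector ({}) matches every object, as in the API."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    return all(
        _requirement_matches(req, labels)
        for req in selector.get("matchExpressions") or []
    )


def is_validated(labels: Mapping[str, str]) -> bool:
    """The binding validates exactly the objects its objectSelector matches."""
    return selector_matches(BINDING_OBJECT_SELECTOR, labels)


def exception_gaps(
    workloads: Mapping[str, Tuple[Mapping[str, str], Mapping[str, str]]]
) -> List[str]:
    """Return 'name/object' or 'name/pod-template' for every level the policy
    would still validate. Both levels are checked because the kubectl output
    above labels the Deployment/CronJob itself and its pod template; the
    assumption (not stated in the MR) is that the policy also evaluates the
    Pods created from that template."""
    gaps: List[str] = []
    for name, (object_labels, template_labels) in workloads.items():
        if is_validated(object_labels):
            gaps.append(f"{name}/object")
        if is_validated(template_labels):
            gaps.append(f"{name}/pod-template")
    return gaps


# Label sets copied from the kubectl output in this MR.
SCANNER_OBJECT_LABELS = {
    "app.kubernetes.io/managed-by": "Helm",
    "chart": "core-2.8.3",
    "helm.toolkit.fluxcd.io/name": "neuvector",
    "helm.toolkit.fluxcd.io/namespace": "sylva-system",
    "release": "neuvector",
    EXCEPTION_KEY: EXCEPTION_VALUE,
}
SCANNER_TEMPLATE_LABELS = {"app": "neuvector-scanner-pod", EXCEPTION_KEY: EXCEPTION_VALUE}

# Constructed samples: an unrelated deployment with no exception label, and
# one whose pod template was never labelled (a half-done exception).
SAMPLE_WORKLOADS = {
    "neuvector-scanner-pod": (SCANNER_OBJECT_LABELS, SCANNER_TEMPLATE_LABELS),
    "example-app": ({"app": "example-app"}, {"app": "example-app"}),
    "half-excepted": ({"app": "half", EXCEPTION_KEY: EXCEPTION_VALUE}, {"app": "half"}),
}

if __name__ == "__main__":
    for gap in exception_gaps(SAMPLE_WORKLOADS):
        print("still validated:", gap)
```

Feeding the real label maps from `kubectl get ... -o json` into `exception_gaps` gives a quick audit that every intended exception is applied at both levels and that nothing else carries the opt-out label by accident.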
CI configuration
Below you can choose test deployment variants to run in this MR's CI.
Legend:

| Icon | Meaning | Available values |
|---|---|---|
| ☁️ | Infra Provider | capd, capo, capm3 |
| 🚀 | Bootstrap Provider | kubeadm (alias kadm), rke2 |
| 🐧 | Node OS | ubuntu, suse |
| 🛠️ | Deployment Options | light-deploy, dev-sources, ha, misc, maxsurge-0, logging |
| 🎬 | Pipeline Scenarios | Available scenario list and description |

- 🎬 preview ☁️ capd 🚀 kadm 🐧 ubuntu
- 🎬 preview ☁️ capo 🚀 rke2 🐧 suse
- 🎬 preview ☁️ capm3 🚀 rke2 🐧 ubuntu
- ☁️ capd 🚀 kadm 🛠️ light-deploy 🐧 ubuntu
- ☁️ capd 🚀 rke2 🛠️ light-deploy 🐧 suse
- ☁️ capo 🚀 rke2 🐧 suse
- ☁️ capo 🚀 kadm 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capo 🚀 kadm 🎬 wkld-k8s-upgrade 🐧 ubuntu
- ☁️ capo 🚀 rke2 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 suse
- ☁️ capo 🚀 rke2 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🐧 suse
- ☁️ capm3 🚀 kadm 🐧 ubuntu
- ☁️ capm3 🚀 kadm 🎬 rolling-update-no-wkld 🛠️ ha,misc 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🎬 wkld-k8s-upgrade 🛠️ ha 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 ubuntu
- ☁️ capm3 🚀 rke2 🛠️ misc,ha 🐧 suse
- ☁️ capm3 🚀 kadm 🎬 rolling-update 🛠️ ha 🐧 suse
Global config for deployment pipelines

- autorun pipelines
- allow failure on pipelines
- record sylvactl events
Notes:

- Enabling `autorun` will make deployment pipelines run automatically without human interaction.
- Disabling `allow failure` will make deployment pipelines mandatory for pipeline success.
- If both `autorun` and `allow failure` are disabled, deployment pipelines will need manual triggering but will block the pipeline.

Be aware: after a configuration change, the pipeline is not triggered automatically. Please run it manually (by clicking the "Run pipeline" button in the Pipelines tab) or push new code.
Linked to #2340 (closed)