Add default failure policy flag

Copilot · JaydipGabani · web-flow · commit a170a2a04728 · 2026-05-16T00:22:09.000Z
Agent-Logs-Url: https://github.com/open-policy-agent/gatekeeper/sessions/d4a5e66c-314f-4cec-9b97-cec82e05f12f Co-authored-by: JaydipGabani <20255485+JaydipGabani@users.noreply.github.com>
diff --git a/pkg/drivers/k8scel/schema/schema.go b/pkg/drivers/k8scel/schema/schema.go
@@ -1,6 +1,7 @@
 package schema
 
 import (
+	"flag"
 	"fmt"
 	"strings"
 
@@ -13,6 +14,8 @@ import (
 	"k8s.io/apiserver/pkg/admission/plugin/webhook/matchconditions"
 )
 
+var DefaultFailurePolicy = flag.String("default-failure-policy", string(admissionv1.Fail), "(beta) Failure policy to use when a K8sNativeValidation source omits failurePolicy. Allowed values are Fail or Ignore.")
+
 const (
 	// Name is the name of the driver.
 	Name = "K8sNativeValidation"
@@ -197,38 +200,40 @@ func (in *Source) GetMessageExpressions() ([]cel.ExpressionAccessor, error) {
 }
 
 func (in *Source) GetFailurePolicy() (*admissionv1.FailurePolicyType, error) {
-	if in.FailurePolicy == nil {
-		return nil, nil
+	failurePolicy := in.FailurePolicy
+	if failurePolicy == nil {
+		failurePolicy = DefaultFailurePolicy
 	}
 
 	var out admissionv1.FailurePolicyType
 
-	switch *in.FailurePolicy {
+	switch *failurePolicy {
 	case string(admissionv1.Fail):
 		out = admissionv1.Fail
 	case string(admissionv1.Ignore):
 		out = admissionv1.Ignore
 	default:
-		return nil, fmt.Errorf("%w: unrecognized failure policy: %s", ErrBadFailurePolicy, *in.FailurePolicy)
+		return nil, fmt.Errorf("%w: unrecognized failure policy: %s", ErrBadFailurePolicy, *failurePolicy)
 	}
 
 	return &out, nil
 }
 
 func (in *Source) GetV1Beta1FailurePolicy() (*admissionv1beta1.FailurePolicyType, error) {
-	var out admissionv1beta1.FailurePolicyType
-	if in.FailurePolicy == nil {
-		out = admissionv1beta1.Fail
-		return &out, nil
+	failurePolicy := in.FailurePolicy
+	if failurePolicy == nil {
+		failurePolicy = DefaultFailurePolicy
 	}
 
-	switch *in.FailurePolicy {
+	var out admissionv1beta1.FailurePolicyType
+
+	switch *failurePolicy {
 	case string(admissionv1.Fail):
 		out = admissionv1beta1.Fail
 	case string(admissionv1.Ignore):
 		out = admissionv1beta1.Ignore
 	default:
-		return nil, fmt.Errorf("%w: unrecognized failure policy: %s", ErrBadFailurePolicy, *in.FailurePolicy)
+		return nil, fmt.Errorf("%w: unrecognized failure policy: %s", ErrBadFailurePolicy, *failurePolicy)
 	}
 
 	return &out, nil
diff --git a/pkg/drivers/k8scel/schema/schema_test.go b/pkg/drivers/k8scel/schema/schema_test.go
@@ -6,6 +6,8 @@ import (
 	"testing"
 
 	"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
+	admissionv1 "k8s.io/api/admissionregistration/v1"
+	admissionv1beta1 "k8s.io/api/admissionregistration/v1beta1"
 	"k8s.io/utils/ptr"
 )
 
@@ -182,6 +184,42 @@ func TestValidationErrors(t *testing.T) {
 	}
 }
 
+func TestDefaultFailurePolicy(t *testing.T) {
+	original := *DefaultFailurePolicy
+	t.Cleanup(func() { *DefaultFailurePolicy = original })
+
+	source := &Source{}
+	*DefaultFailurePolicy = string(admissionv1.Ignore)
+
+	failurePolicy, err := source.GetFailurePolicy()
+	if err != nil {
+		t.Fatalf("GetFailurePolicy() returned an unexpected error: %v", err)
+	}
+	if failurePolicy == nil || *failurePolicy != admissionv1.Ignore {
+		t.Fatalf("GetFailurePolicy() = %v, want %s", failurePolicy, admissionv1.Ignore)
+	}
+
+	v1beta1FailurePolicy, err := source.GetV1Beta1FailurePolicy()
+	if err != nil {
+		t.Fatalf("GetV1Beta1FailurePolicy() returned an unexpected error: %v", err)
+	}
+	if v1beta1FailurePolicy == nil || *v1beta1FailurePolicy != admissionv1beta1.Ignore {
+		t.Fatalf("GetV1Beta1FailurePolicy() = %v, want %s", v1beta1FailurePolicy, admissionv1beta1.Ignore)
+	}
+}
+
+func TestDefaultFailurePolicyIsValidated(t *testing.T) {
+	original := *DefaultFailurePolicy
+	t.Cleanup(func() { *DefaultFailurePolicy = original })
+
+	source := &Source{}
+	*DefaultFailurePolicy = "Unsupported"
+
+	if err := source.Validate(); !errors.Is(err, ErrBadFailurePolicy) {
+		t.Fatalf("Validate() error = %v, want %v", err, ErrBadFailurePolicy)
+	}
+}
+
 func TestHasCELEngine(t *testing.T) {
 	tests := []struct {
 		name     string
diff --git a/pkg/drivers/k8scel/transform/make_vap_objects_test.go b/pkg/drivers/k8scel/transform/make_vap_objects_test.go
@@ -243,6 +243,57 @@ func TestTemplateToPolicyDefinition(t *testing.T) {
 	}
 }
 
+func TestTemplateToPolicyDefinitionUsesDefaultFailurePolicy(t *testing.T) {
+	original := *schema.DefaultFailurePolicy
+	t.Cleanup(func() { *schema.DefaultFailurePolicy = original })
+	*schema.DefaultFailurePolicy = string(admissionregistrationv1.Ignore)
+
+	source := &schema.Source{
+		Validations: []schema.Validation{
+			{
+				Expression: "true",
+				Message:    "always passes",
+			},
+		},
+	}
+	rawSrc, err := runtime.DefaultUnstructuredConverter.ToUnstructured(source)
+	if err != nil {
+		t.Fatalf("unexpected error converting source to unstructured: %v", err)
+	}
+	template := &templates.ConstraintTemplate{
+		ObjectMeta: metav1.ObjectMeta{Name: "somepolicy"},
+		Spec: templates.ConstraintTemplateSpec{
+			CRD: templates.CRD{
+				Spec: templates.CRDSpec{
+					Names: templates.Names{
+						Kind: "SomePolicy",
+					},
+				},
+			},
+			Targets: []templates.Target{
+				{
+					Code: []templates.Code{
+						{
+							Engine: schema.Name,
+							Source: &templates.Anything{
+								Value: rawSrc,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	policy, err := TemplateToPolicyDefinition(template)
+	if err != nil {
+		t.Fatalf("TemplateToPolicyDefinition() returned an unexpected error: %v", err)
+	}
+	if policy.Spec.FailurePolicy == nil || *policy.Spec.FailurePolicy != admissionregistrationv1beta1.Ignore {
+		t.Fatalf("FailurePolicy = %v, want %s", policy.Spec.FailurePolicy, admissionregistrationv1beta1.Ignore)
+	}
+}
+
 func TestTemplateToPolicyDefinitionWithWebhookConfig(t *testing.T) {
 	baseSource := &schema.Source{
 		FailurePolicy: ptr.To[string]("Fail"),
diff --git a/website/docs/runtime-flags.md b/website/docs/runtime-flags.md
@@ -37,6 +37,7 @@ The following flags can be used to configure Gatekeeper's runtime behavior:
 | `--log-stats-audit`                            | `false`                                         | (alpha) Log stats metrics for the audit run.                                                                                                                                                                                                                                                                                  |
 | `--default-create-vap-binding-for-constraints` | `true`                                         | (beta) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.                                                                                             |
 | `--default-create-vap-for-templates`           | `true`                                         | (beta) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. |
+| `--default-failure-policy`                     | `Fail`                                         | (beta) Failure policy to use when a K8sNativeValidation source omits failurePolicy. Allowed values are Fail or Ignore.                                                                                                                                       |
 | `--default-wait-for-vapb-generation`           | `30`                                            | (beta) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created.                                                                                                                                                                                                          |
 | `--debug-use-fake-pod`                         | `false`                                         | Use a fake pod name so the Gatekeeper executable can be run outside of Kubernetes.                                                                                                                                                                                                                                            |
 | `--enable-violation-export`                    | `false`                                         | (alpha) Enable exporting violations to external systems.                                                                                                                                                                                                                                                                      |
diff --git a/website/docs/validating-admission-policy.md b/website/docs/validating-admission-policy.md
@@ -120,6 +120,8 @@ For some policies, you may want admission requests to be handled by the K8s Vali
 The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper 
 `--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `true` now that the feature is in beta.
 
+If a K8sNativeValidation source omits `failurePolicy`, Gatekeeper uses `--default-failure-policy`, which defaults to `Fail`, for both Gatekeeper's CEL evaluation and generated VAP resources.
+
 To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template. 
 
 ```yaml
diff --git a/website/versioned_docs/version-v3.22.x/runtime-flags.md b/website/versioned_docs/version-v3.22.x/runtime-flags.md
@@ -37,6 +37,7 @@ The following flags can be used to configure Gatekeeper's runtime behavior:
 | `--log-stats-audit`                            | `false`                                         | (alpha) Log stats metrics for the audit run.                                                                                                                                                                                                                                                                                  |
 | `--default-create-vap-binding-for-constraints` | `true`                                         | (beta) Create VAPBinding resource for constraint of the template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy Binding, true: create Validating Admission Policy Binding.                                                                                             |
 | `--default-create-vap-for-templates`           | `true`                                         | (beta) Create VAP resource for template containing VAP-style CEL source. Allowed values are false: do not create Validating Admission Policy unless generateVAP: true is set on constraint template explicitly, true: create Validating Admission Policy unless generateVAP: false is set on constraint template explicitly. |
+| `--default-failure-policy`                     | `Fail`                                         | (beta) Failure policy to use when a K8sNativeValidation source omits failurePolicy. Allowed values are Fail or Ignore.                                                                                                                                       |
 | `--default-wait-for-vapb-generation`           | `30`                                            | (beta) Wait time in seconds before generating a ValidatingAdmissionPolicyBinding after a constraint CRD is created.                                                                                                                                                                                                          |
 | `--debug-use-fake-pod`                         | `false`                                         | Use a fake pod name so the Gatekeeper executable can be run outside of Kubernetes.                                                                                                                                                                                                                                            |
 | `--enable-violation-export`                    | `false`                                         | (alpha) Enable exporting violations to external systems.                                                                                                                                                                                                                                                                      |
diff --git a/website/versioned_docs/version-v3.22.x/validating-admission-policy.md b/website/versioned_docs/version-v3.22.x/validating-admission-policy.md
@@ -120,6 +120,8 @@ For some policies, you may want admission requests to be handled by the K8s Vali
 The K8s Validating Admission Controller requires both the Validating Admission Policy (VAP) and Validating Admission Policy Binding (VAPB) resources to exist to enforce a policy. Gatekeeper can be configured to generate both of these resources. To generate VAP Bindings for all Constraints, ensure the Gatekeeper 
 `--default-create-vap-binding-for-constraints` flag is set to `true`. To generate VAP as part of all Constraint Templates with the VAP CEL engine `K8sNativeValidation`, ensure the Gatekeeper `--default-create-vap-for-templates=true` flag is set to `true`. By default both flags are set to `true` now that the feature is in beta.
 
+If a K8sNativeValidation source omits `failurePolicy`, Gatekeeper uses `--default-failure-policy`, which defaults to `Fail`, for both Gatekeeper's CEL evaluation and generated VAP resources.
+
 To override the `--default-create-vap-for-templates` flag's behavior for a constraint template, set `generateVAP` to `true` explicitly under the K8sNativeValidation engine's `source` in the constraint template. 
 
 ```yaml
