Skip to content

Log image reference when no-match-policy is set to warn or deny#1941

Merged
hectorj2f merged 1 commit intosigstore:mainfrom
falcorocks:log-no-match-policy-warn
Mar 20, 2026
Merged

Log image reference when no-match-policy is set to warn or deny#1941
hectorj2f merged 1 commit intosigstore:mainfrom
falcorocks:log-no-match-policy-warn

Conversation

@falcorocks
Copy link
Copy Markdown
Contributor

@falcorocks falcorocks commented Mar 5, 2026
edited
Loading

Summary

When no-match-policy is configured as warn or deny, the webhook does not produce any server-side log entry for images that don't match any ClusterImagePolicy:

  • warn: the warning is only returned client-side via the Kubernetes admission response (Warning: no matching policies: <image>), but nothing is logged in the webhook pod.
  • deny: the request is rejected but nothing is logged either.

This is inconsistent with CIP mode: warn, which logs Warnf("Failed to validate at least one policy for %s ...") in validateContainerImage when an image fails policy validation.

This PR adds log statements in both the WarnAll and DenyAll cases of setNoMatchingPoliciesError:

  • Errorf for deny (admission rejected)
  • Warnf for warn (admission allowed with warning)
ERROR  webhook/validator.go:375  no matching policies for image gcr.io/distroless/static:nonroot@sha256:...
WARN   webhook/validator.go:378  no matching policies for image gcr.io/distroless/static:nonroot@sha256:...

Test plan

  • Existing TestPolicyControllerConfigNoMatchPolicy passes
  • Errorf fires for deny case, Warnf fires for warn case in test output

@falcorocks falcorocks force-pushed the log-no-match-policy-warn branch from f97986d to e0dcb9f Compare March 5, 2026 14:51
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 5, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 30.00%. Comparing base (49e26b2) to head (550747e).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1941      +/-   ##
==========================================
+ Coverage   29.98%   30.00%   +0.01%     
==========================================
  Files         122      122              
  Lines        7323     7325       +2     
==========================================
+ Hits         2196     2198       +2     
  Misses       4894     4894              
  Partials      233      233

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@falcorocks falcorocks force-pushed the log-no-match-policy-warn branch 2 times, most recently from 92298f7 to 8348401 Compare March 5, 2026 15:00
@falcorocks falcorocks changed the title Log image reference when no-match-policy is set to warn Log image reference when no-match-policy is set to warn or deny Mar 5, 2026
@falcorocks falcorocks force-pushed the log-no-match-policy-warn branch 2 times, most recently from b840d41 to 331c7b6 Compare March 5, 2026 15:45
@hectorj2f
Copy link
Copy Markdown
Collaborator

hectorj2f commented Mar 19, 2026

@falcorocks please, rebase again!

@falcorocks
Copy link
Copy Markdown
Contributor Author

falcorocks commented Mar 19, 2026

@hectorj2f it's already rebased to the last available commit from main 03e7e49

@falcorocks
Log image reference when no-match-policy is set to warn or deny
550747e 
When no-match-policy is configured as "warn" or "deny", the webhook
does not produce any server-side log entry for images that don't match
any ClusterImagePolicy. For "warn", the warning is only returned
client-side via the admission response. For "deny", the request is
rejected but nothing is logged.

This makes it impossible to monitor or alert on unmatched images from
the webhook pod logs.

Add log statements in both the WarnAll and DenyAll cases of
setNoMatchingPoliciesError: Errorf for deny (admission rejected) and
Warnf for warn (admission allowed with warning).

Signed-off-by: falcorocks <14293929+falcorocks@users.noreply.github.com>
@falcorocks falcorocks force-pushed the log-no-match-policy-warn branch from 331c7b6 to 550747e Compare March 20, 2026 10:46
@falcorocks
Copy link
Copy Markdown
Contributor Author

falcorocks commented Mar 20, 2026

rebased now @hectorj2f

@hectorj2f hectorj2f merged commit 20e6dc8 into sigstore:main Mar 20, 2026
95 checks passed
@github-actions github-actions bot added this to the v1 milestone Mar 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hectorj2f hectorj2f hectorj2f approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1

Development

Successfully merging this pull request may close these issues.

2 participants

@falcorocks @hectorj2f