
ci(cluster-policies): flip .policyignore to an allowlist#2485

Merged
devantler merged 1 commit into main from claude/policyignore-allowlist on Jul 5, 2026

Conversation

@devantler

Contributor

🤖 Generated by the Daily AI Assistant

Why

Upstream kyverno/policies added a new top-level policy category, and because .policyignore was a blocklist, the nightly policy sync leaked its fixture file into a red sync PR (#2483 — naming + Kubescape gate failures). Every future upstream category addition would break the same way.

What

Flips .policyignore to an allowlist: ignore everything upstream, re-include only the three policies the platform actually vendors. Verified by replaying the sync filter's exact matching logic against the full upstream tree — exactly the 3 vendored files survive.

After this merges, the next nightly sync regenerates an empty diff and #2483 closes itself.

Upstream kyverno/policies added a new top-level category
(job-timeout-enforcer/) that the blocklist-style .policyignore did not
match, so the nightly sync leaked its fixture file into a red sync PR
(naming-convention + Kubescape NSA gate failures). Any future upstream
category addition would break the same way.

Flip the file to an allowlist: ignore everything, re-include only the
three policies the platform vendors (the ones referenced from the
cluster-policies kustomization). Verified by replaying the sync
filter's exact last-match-wins logic against the full upstream tree:
exactly the 3 vendored files survive.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
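A small model of the last-match-wins filter described above, added here as an illustration and not the repository's sync script: it assumes gitignore-like rule syntax (`*` wildcard, `!` to re-include, later rules override earlier ones) and uses constructed placeholder policy paths. It shows the blocklist letting a new upstream category (job-timeout-enforcer/) fall through, while the allowlist keeps only the vendored files.

```python
"""Model of a last-match-wins .policyignore filter (constructed example, not the repo's
sync code). Assumed syntax: blank/'#' lines skipped, '!' re-includes, a pattern with '/'
matches the full relative path (trailing '/' = directory prefix), else each component."""
from fnmatch import fnmatchcase

def rule_matches(pattern: str, path: str) -> bool:
    if "/" in pattern:
        prefix = pattern.rstrip("/")
        return fnmatchcase(path, prefix) or path.startswith(prefix + "/")
    return any(fnmatchcase(part, pattern) for part in path.split("/"))

def is_ignored(rules, path: str) -> bool:
    """Apply rules in order; the last matching rule decides. Unmatched paths are kept."""
    ignored = False
    for raw in rules:
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        negate = rule.startswith("!")
        pattern = rule[1:] if negate else rule
        if rule_matches(pattern, path):
            ignored = not negate
    return ignored

def surviving(rules, tree):
    """Paths from the upstream tree that the filter would vendor."""
    return [path for path in tree if not is_ignored(rules, path)]

# Constructed upstream tree: two known categories plus a new category added upstream.
UPSTREAM_TREE = [
    "category-one/vendored-a/vendored-a.yaml",
    "category-one/other-policy/other-policy.yaml",
    "category-two/vendored-b/vendored-b.yaml",
    "category-two/vendored-c/vendored-c.yaml",
    "category-two/vendored-c/.kyverno-test/resource.yaml",
    "job-timeout-enforcer/job-timeout-enforcer.yaml",
    "job-timeout-enforcer/.kyverno-test/kyverno-test.yaml",
]
VENDORED = ["category-one/vendored-a/vendored-a.yaml",
            "category-two/vendored-b/vendored-b.yaml", "category-two/vendored-c/vendored-c.yaml"]
# Blocklist: only the known categories are ignored, so a new category falls through.
BLOCKLIST_RULES = ["category-one/", "category-two/"] + ["!" + p for p in VENDORED]
# Allowlist: ignore everything, then re-include exactly the vendored files.
ALLOWLIST_RULES = ["*"] + ["!" + p for p in VENDORED]

if __name__ == "__main__":
    print("blocklist keeps:", surviving(BLOCKLIST_RULES, UPSTREAM_TREE))
    print("allowlist keeps:", surviving(ALLOWLIST_RULES, UPSTREAM_TREE))
```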
@coderabbitai

coderabbitai Bot commented Jul 5, 2026



📝 Walkthrough


The .policyignore file was rewritten from a deny/allow mixed rule set to an allowlist approach. It now ignores all upstream content by default using a wildcard pattern and explicitly re-includes only three vendored policy YAML files across supported categories. The previous broad ignore patterns and exception entries were removed, reducing the file to header comments and the new allowlist rules.

Changes

| Area | Change |
|---|---|
| .policyignore | Switched from blocklist to allowlist; added global ignore plus three explicit re-includes |

Sequence Diagram(s)

No sequence diagram generated, as this change is a configuration-only update to ignore rules with no observable code flow.

Related Issues: No related issues found.

Related PRs: No related pull requests found.

Suggested labels: documentation, low-effort

Suggested reviewers: devantler

🐰
A wildcard sweeps the ignore list clean,
then three small files return to the scene,
allowlist reigns where blocklists once stood,
a tidier policy, understood!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title clearly summarizes the main change: switching .policyignore to an allowlist for cluster policies. |
| Description check | ✅ Passed | The description is directly related to the changeset and explains the allowlist .policyignore fix and its impact. |

Comment @coderabbitai help to get the list of available commands.

@devantler devantler marked this pull request as ready for review July 5, 2026 06:47
@devantler devantler added this pull request to the merge queue Jul 5, 2026
Merged via the queue into main with commit b31a583 Jul 5, 2026
15 checks passed
@devantler devantler deleted the claude/policyignore-allowlist branch July 5, 2026 07:21
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 5, 2026
@botantler-1

botantler-1 Bot commented Jul 5, 2026

Contributor

🎉 This PR is included in version 1.100.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@botantler-1 botantler-1 Bot added the released label Jul 5, 2026
