From 05dc869709db753fe1799568420e95fe889941b6 Mon Sep 17 00:00:00 2001
From: Nikolai Emil Damm
Date: Sun, 5 Jul 2026 03:19:50 +0200
Subject: [PATCH] ci(cluster-policies): flip .policyignore to an allowlist

Upstream kyverno/policies added a new top-level category (job-timeout-enforcer/) that the blocklist-style .policyignore did not match, so the nightly sync leaked its fixture file into a red sync PR (naming-convention + Kubescape NSA gate failures). Any future upstream category addition would break the same way.

Flip the file to an allowlist: ignore everything, re-include only the three policies the platform vendors (the ones referenced from the cluster-policies kustomization).

Verified by replaying the sync filter's exact last-match-wins logic against the full upstream tree: exactly the 3 vendored files survive.

Co-Authored-By: Claude Fable 5
---
 .policyignore | 53 +++++++++++----------------------------------------
 1 file changed, 11 insertions(+), 42 deletions(-)

diff --git a/.policyignore b/.policyignore
index e37fe2601..3cc4a64fa 100644
--- a/.policyignore
+++ b/.policyignore
@@ -1,45 +1,14 @@ -*.chainsaw-test* -*.kyverno-test -*artifact-hub.y*ml -*artifacthub-pkg.y*ml -*kustomization.yaml -*README.md -_step-templates* -argo* -aws* -best-practices-cel* -best-practices* +# Allowlist: ignore EVERYTHING from upstream kyverno/policies, then re-include +# only the policies this platform vendors (each also referenced from +# k8s/bases/infrastructure/cluster-policies/kustomization.yaml). +# +# The sync filter (actions' sync-cluster-policies.yaml) evaluates every file +# against these patterns in order, last match wins, `!` re-includes — so a new +# upstream top-level category can never leak into a sync PR again (the old +# blocklist broke exactly that way when upstream added job-timeout-enforcer/). +# To adopt a new upstream policy, add a `!//.yaml` +# line here and reference it from the kustomization. +* !best-practices/add-ns-quota/add-ns-quota.yaml -castai* -cert-manager* -cleanup* -consul* -cost-optimization* -external-secret-operator* -flux-cel* -flux* -istio* -karpenter* -kasten* -kubecost-cel* -kubecost* -kubeops* -kubevirt* -linkerd* -nginx* -openshift* -other-cel* -other* !other/create-pod-antiaffinity/create-pod-antiaffinity.yaml !other/spread-pods-across-topology/spread-pods-across-topology.yaml -pod-security-cel* -pod-security* -psa-cel* -psa* -psp-migration-cel* -psp-migration* -tekton* -traefik-cel* -traefik* -velero* -windows-security*
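Review bot: the template line in the new header comment, `!//.yaml` as it appears in this hunk, has lost its placeholder segments, so the "to adopt a new upstream policy" instruction is not followable as written; if the committed file reads the same way, spell it out (for example `!<category>/<policy>/<policy>.yaml`) so it matches the shape of the three re-include lines below it. Separately, the comment states that each re-included path is also referenced from k8s/bases/infrastructure/cluster-policies/kustomization.yaml, but nothing in this change keeps the two lists in step, and the commit message says the last-match-wins replay that confirmed "exactly the 3 vendored files survive" was done by hand. Consider adding that replay to CI as an assertion that the set of files surviving the filter equals exactly the kustomization's resources, so a `!` re-include added here without a kustomization reference (or a reference without a re-include) fails the build instead of silently shipping an unreferenced upstream file into a sync PR, which is the class of leak this allowlist is meant to close.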