Add support for policyDefaults.disabled

Signed-off-by: Will Kutler <[email protected]>

Author: willkutler

docs/policygenerator-reference.yaml

@@ -25,6 +25,9 @@ policyDefaults:
   # manifests being wrapped in the policy. If set to false, a configuration policy per manifest will
   # be generated. This defaults to true.
   consolidateManifests: true
+  # Optional. Determines whether the policy is enabled or disabled. A disabled policy will not be
+  # propagated to any managed clusters and will show no status as a result.
+  disabled: false
   # Optional. This is how often a policy should be evaluated when in a particular compliance state.
   # When managed clusters have low CPU resources, the evaluation interval can be increased to
   # to reduce CPU usage on the Kubernetes API.

internal/plugin.go

@@ -465,6 +465,13 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 			policy.ConsolidateManifests = p.PolicyDefaults.ConsolidateManifests
 		}
 
+		disabledValue, setDisabled := getPolicyBool(unmarshaledConfig, i, "disabled")
+		if setDisabled {
+			policy.Disabled = disabledValue
+		} else {
+			policy.Disabled = p.PolicyDefaults.Disabled
+		}
+
 		// Determine whether defaults are set for placement
 		plcDefaultSet := len(p.PolicyDefaults.Placement.LabelSelector) != 0 || p.PolicyDefaults.Placement.PlacementPath != ""
 		plrDefaultSet := len(p.PolicyDefaults.Placement.ClusterSelectors) != 0 || p.PolicyDefaults.Placement.PlacementRulePath != ""

internal/plugin_config_test.go

@@ -211,6 +211,7 @@ policies:
 	assertEqual(t, p.Metadata.Name, "policy-generator-name")
 	assertEqual(t, p.PlacementBindingDefaults.Name, "")
 	assertReflectEqual(t, p.PolicyDefaults.Categories, []string{"CM Configuration Management"})
+	assertEqual(t, p.PolicyDefaults.Disabled, false)
 	assertEqual(t, p.PolicyDefaults.ComplianceType, "musthave")
 	assertEqual(t, p.PolicyDefaults.MetadataComplianceType, "")
 	assertReflectEqual(t, p.PolicyDefaults.Controls, []string{"CM-2 Baseline Configuration"})
@@ -228,6 +229,7 @@ policies:
 
 	policy := p.Policies[0]
 	assertReflectEqual(t, policy.Categories, []string{"CM Configuration Management"})
+	assertEqual(t, policy.Disabled, false)
 	assertEqual(t, policy.ComplianceType, "musthave")
 	assertEqual(t, policy.MetadataComplianceType, "")
 	assertReflectEqual(t, policy.Controls, []string{"CM-2 Baseline Configuration"})
@@ -1127,3 +1129,46 @@ func TestPolicySetConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestDisabled(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createConfigMap(t, tmpDir, "configmap.yaml")
+	configMapPath := path.Join(tmpDir, "configmap.yaml")
+	defaultsConfig := fmt.Sprintf(
+		`
+apiVersion: policy.open-cluster-management.io/v1
+kind: PolicyGenerator
+metadata:
+  name: policy-generator-name
+policyDefaults:
+  namespace: my-policies
+  disabled: true
+policies:
+- name: policy-app-config
+  disabled: false
+  manifests:
+    - path: %s
+  namespaceSelector:
+    include:
+      - app-ns
+  remediationAction: inform
+- name: policy-app-config2
+  manifests:
+    - path: %s
+`,
+		configMapPath,
+		configMapPath,
+	)
+	p := Plugin{}
+	err := p.Config([]byte(defaultsConfig), tmpDir)
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	assertEqual(t, p.PolicyDefaults.Disabled, true)
+	enabledPolicy := p.Policies[0]
+	assertEqual(t, enabledPolicy.Disabled, false)
+	disabledPolicy := p.Policies[1]
+	assertEqual(t, disabledPolicy.Disabled, true)
+}

internal/types/types.go

@@ -66,6 +66,7 @@ type PolicyDefaults struct {
 	Severity                   string             `json:"severity,omitempty" yaml:"severity,omitempty"`
 	Standards                  []string           `json:"standards,omitempty" yaml:"standards,omitempty"`
 	ConsolidateManifests       bool               `json:"consolidateManifests,omitempty" yaml:"consolidateManifests,omitempty"`
+	Disabled                   bool               `json:"disabled,omitempty" yaml:"disabled,omitempty"`
 	InformGatekeeperPolicies   bool               `json:"informGatekeeperPolicies,omitempty" yaml:"informGatekeeperPolicies,omitempty"`
 	InformKyvernoPolicies      bool               `json:"informKyvernoPolicies,omitempty" yaml:"informKyvernoPolicies,omitempty"`
 	GeneratePlacementWhenInSet bool               `json:"generatePlacementWhenInSet,omitempty" yaml:"generatePlacementWhenInSet,omitempty"`