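--- a/sysdig/internal/client/v2/vulnerability_policy_model.go
+++ b/sysdig/internal/client/v2/vulnerability_policy_model.go
@@ -19,5 +19,7 @@ type Stage struct {
 }
 
 type Configuration struct {
-Scope string `json:"scope"`
+Scope string `json:"scope"`
+Behaviour string `json:"behaviour,omitempty"`
+UnknownImageAction string `json:"unknownImageAction,omitempty"`
 }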
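Review bot: The new `Behaviour` and `UnknownImageAction` fields on Configuration carry no comment recording which values the API accepts or that they only apply to the admission-control stage, knowledge that this PR otherwise keeps in the Terraform schema's ValidateFunc calls. A short field comment such as `// Behaviour is the admission-control failure action ("reject" or "warn"); empty for other stages.` and the equivalent for UnknownImageAction (`"reject"`, `"rejectAndScan"`, `"warn"`) would keep the model self-describing for the next client change.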
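--- a/sysdig/resource_sysdig_secure_vulnerability_policy.go
+++ b/sysdig/resource_sysdig_secure_vulnerability_policy.go
@@ -67,6 +67,7 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 "pipeline",
 "registry",
 "runtime",
+"admission_control",
 }, false)),
 },
 "configuration": {
@@ -79,6 +80,18 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 Required: true,
 Description: "Scope expression for this stage",
 },
+"failure_action": {
+Type: schema.TypeString,
+Optional: true,
+Description: "Required for `admission_control` stage only. Policy Failure Action. What should happen if the policy fails (aka: there's a rule vioation)",
+ValidateFunc: validation.StringInSlice([]string{"reject", "warn"}, false),
+},
+"unknown_image_action": {
+Type: schema.TypeString,
+Optional: true,
+Description: "Required for `admission_control` stage only. Unknown Image Action. What should happen if the image is unknown.",
+ValidateFunc: validation.StringInSlice([]string{"reject", "rejectAndScan", "warn"}, false),
+},
 },
 },
 },
@@ -193,6 +206,14 @@ func vulnerabilityPolicyStagesToMap(policyStages []v2.Stage) []map[string]any {
 newConfig := map[string]any{
 "scope": stageconfig.Scope,
 }
+
+if stageconfig.Behaviour != "" {
+newConfig["failure_action"] = stageconfig.Behaviour
+}
+
+if stageconfig.UnknownImageAction != "" {
+newConfig["unknown_image_action"] = stageconfig.UnknownImageAction
+}
 configsMap = append(configsMap, newConfig)
 }
 
@@ -297,7 +318,11 @@ func vulnerabilityPolicyConfigsFromSet(set *schema.Set) []v2.Configuration {
 for _, raw := range set.List() {
 rawMap := raw.(map[string]any)
 
-out = append(out, v2.Configuration{Scope: rawMap["scope"].(string)})
+out = append(out, v2.Configuration{
+Scope: rawMap["scope"].(string),
+Behaviour: rawMap["failure_action"].(string),
+UnknownImageAction: rawMap["unknown_image_action"].(string),
+})
 }
 
 return out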
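Review bot: In vulnerabilityPolicyConfigsFromSet the new `rawMap["failure_action"].(string)` and `rawMap["unknown_image_action"].(string)` assertions are unchecked, so a set element whose map lacks one of these optional keys would panic the provider instead of yielding the empty string that the `omitempty` tags on the model already account for; the two-value form `failureAction, _ := rawMap["failure_action"].(string)` keeps that zero-value behaviour for free. The SDK normally fills optional TypeString keys with "", so this is probably latent today, but it is the only place in the PR where a missing key is fatal. The `Description` strings added for `failure_action` and `unknown_image_action` state the fields are required for the `admission_control` stage only, yet nothing in the schema or in the set conversion enforces that, so a stage with the wrong combination is only rejected by the API at apply time; a CustomizeDiff or a check in vulnerabilityPolicyConfigsFromSet would surface it at plan time. The `failure_action` description also carries the typo `vioation` (repeated in the docs file). Both vulnerabilityPolicyStagesToMap and vulnerabilityPolicyConfigsFromSet start outside the reviewed hunks.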
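--- a/sysdig/resource_sysdig_secure_vulnerability_policy_test.go
+++ b/sysdig/resource_sysdig_secure_vulnerability_policy_test.go
@@ -34,7 +34,7 @@ func TestAccVulnerabilityPolicy(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.#", "2"),
 resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.0", "1"),
-resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "3"),
+resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "4"),
 ),
 },
 {
@@ -90,6 +90,14 @@ resource "sysdig_secure_vulnerability_policy" "sample" {
 scope = "agent.tag.cluster = \"my-cluster\""
 }
 }
+stages {
+name = "admission_control"
+configuration {
+scope = "agent.tag.cluster = \"my-cluster\""
+failure_action = "reject"
+unknown_image_action = "rejectAndScan"
+}
+}
 }
 `, suffix, suffix, suffix)
 }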
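Review bot: The new admission_control stage in the test configuration sets `failure_action = "reject"` and `unknown_image_action = "rejectAndScan"`, but the Check block in the first hunk only raises `stages.#` from "3" to "4" and never asserts that either attribute was read back, so a regression in the Behaviour-to-failure_action mapping in vulnerabilityPolicyStagesToMap would still pass this acceptance test. A check on the new stage's configuration, via `resource.TestCheckTypeSetElemNestedAttrs` on the `stages.*` element or a `TestCheckResourceAttr` on the nested path, depending on how the stage and configuration blocks are indexed in state, would pin the round trip. TestAccVulnerabilityPolicy starts before and continues past the reviewed hunks.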
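--- a/website/docs/r/secure_vulnerability_policy.md
+++ b/website/docs/r/secure_vulnerability_policy.md
@@ -26,6 +26,15 @@ resource "sysdig_secure_vulnerability_policy" "vulnerability_policy_example" {
 scope = "container.image != ''"
 }
 }
+
+stages {
+name = "admission_control"
+configuration {
+scope = "kubernetes.cluster.name = 'my-cluster'"
+failure_action = "reject"
+unknown_image_action = "rejectAndScan"
+}
+}
 }
 ```
 
@@ -38,12 +47,14 @@ resource "sysdig_secure_vulnerability_policy" "vulnerability_policy_example" {
 
 ### Stages block
 
-* `name` - (Required) Must be one of `pipeline`, `registry`, or `runtime`.
+* `name` - (Required) Must be one of `pipeline`, `registry`, `runtime`, or `admission_control`.
 * `configuration` - (Optional) Configuration block for the stage. If no configuration is provided, it will apply to any workload in this stage.
 
 ### Configuration block
 
 * `scope` - (Required) Scope expression defining the stage applicability.
+* `failure_action` - (Optional) Required for `admission_control` stage only. Policy Failure Action. What should happen if the policy fails (aka: there's a rule vioation). Must be one of `reject` or `warn`.
+* `unknown_image_action` - (Optional) Required for `admission_control` stage only. Unknown Image Action. What should happen if the image is unknown. Must be one of `reject`, `rejectAndScan`, or `warn`.
 
 ## Attributes Reference
 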