From 6933a8d600ff1b32538b30f91c38d311ed81ad8a Mon Sep 17 00:00:00 2001
From: Paul Brissaud
Date: Sun, 25 Jan 2026 20:28:40 +0100
Subject: [PATCH] fix: env-config validation type and partial-outage bypass protection

env-config:
- Change validation type from `condition` to `status` (valid type)
- Remove spoiler comment showing exact solution in deployment.yaml

partial-outage:
- Fix Kyverno policy to properly block DELETE operations on deny-all NetworkPolicy
- Use correct syntax with operations: ["DELETE"] in match block
- Users must now add ingress rules instead of deleting the policy

Co-Authored-By: Claude Opus 4.5
---
 env-config/challenge.yaml | 2 +-
 env-config/manifests/deployment.yaml | 7 -------
 .../avoid-deleting-egress-policy.yaml | 20 ++++++++++++-------
 3 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/env-config/challenge.yaml b/env-config/challenge.yaml
index 913cbef..0f99275 100644
--- a/env-config/challenge.yaml
+++ b/env-config/challenge.yaml
@@ -38,7 +38,7 @@ objectives:
 title: "App Running"
 description: "The application must be running and healthy"
 order: 2
- type: condition
+ type: status
 spec:
 target:
 kind: Pod
diff --git a/env-config/manifests/deployment.yaml b/env-config/manifests/deployment.yaml
index 4eeedac..282ad27 100644
--- a/env-config/manifests/deployment.yaml
+++ b/env-config/manifests/deployment.yaml
@@ -40,13 +40,6 @@ spec:
 echo "App is healthy - $(date)"
 sleep 30
 done
- # NOTE: Environment variables need to be added here from a ConfigMap
- # env:
- # - name: APP_NAME
- # valueFrom:
- # configMapKeyRef:
- # name: app-config
- # key: app_name
 resources:
 requests:
 cpu: "25m"
diff --git a/partial-outage/policies/avoid-deleting-egress-policy.yaml b/partial-outage/policies/avoid-deleting-egress-policy.yaml
index 1b637ea..9894403 100644
--- a/partial-outage/policies/avoid-deleting-egress-policy.yaml
+++ b/partial-outage/policies/avoid-deleting-egress-policy.yaml
@@ -1,17 +1,23 @@
 apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
- name: avoid-deny-delete-networkpolicy
+ name: protect-deny-all-networkpolicy
 annotations:
 argocd.argoproj.io/sync-wave: "2"
 spec:
- validationFailureAction: enforce
+ validationFailureAction: Enforce
+ background: false
 rules:
 - name: block-delete-deny-all
 match:
- resources:
- kinds: ["NetworkPolicy"]
- names: ["deny-all"]
+ any:
+ - resources:
+ kinds:
+ - NetworkPolicy
+ names:
+ - deny-all
+ operations:
+ - DELETE
 validate:
- message: "You are not allowed to delete the default NetworkPolicy"
- deny: {}
\ No newline at end of file
+ message: "Deleting the deny-all NetworkPolicy is not allowed. Add ingress rules instead."
+ deny: {}
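Review bot: The new match lists only `DELETE` under `operations:`, so the deny-all NetworkPolicy remains editable and an UPDATE/PATCH that changes its `podSelector`, `policyTypes` or rule list lifts the restriction without the object ever being deleted, which leaves the "bypass protection" named in the commit title only half closed. If the intended solution is for users to create a separate NetworkPolicy carrying the ingress rules (which is how the new message reads), add `- UPDATE` under `operations:` so the protected object stays immutable; if editing deny-all itself is the accepted solution, record that decision in a comment above the rule, e.g. `# DELETE only: editing deny-all to add ingress rules is the expected fix`. Whether the challenge role can also delete or edit this namespace-scoped `Policy` object is not visible in this patch and should be confirmed, since an admission policy protects nothing from a principal that can remove it.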