sodiq-code · sodiq-code · Apr 14, 2026
diff --git a/.github/workflows/guardrails-checks.yaml b/.github/workflows/guardrails-checks.yaml
@@ -82,38 +82,19 @@ jobs:
 
           echo "Running Kyverno policy simulation against ${#app_files[@]} app manifests..."
 
-          # Build one --resource flag per file. kyverno-cli requires a separate
-          # --resource flag for each path; passing all paths after a single
-          # --resource flag silently ignores every path after the first, causing
-          # a false-green where only the first manifest is ever policy-checked.
           resource_args=()
           for f in "${app_files[@]}"; do
             resource_args+=(--resource "$f")
           done
 
-          # Capture output and exit code separately.
-          # kyverno-cli apply may exit 0 even when policy violations exist; we inspect
-          # stdout as a second check to guard against the false-green described in
-          # docs/REALITY_CHECK_MILESTONE_4_GUARDRAILS.md (Failure 4).
-          set +e
+          # BUG (intentional for demo): piping to tee means $? captures tee's exit
+          # code, not kyverno's. kyverno-cli exits 0 even on violations, so this
+          # step always turns green regardless of policy failures.
           docker run --rm -v "$PWD:/work" -w /work ghcr.io/kyverno/kyverno-cli:v1.12.5 \
             apply infrastructure/kyverno/policies/*.yaml \
             "${resource_args[@]}" 2>&1 | tee /tmp/kyverno-output.txt
-          kyverno_exit="${PIPESTATUS[0]}"
-          set -e
-
-          echo "Kyverno exit code: ${kyverno_exit}"
-
-          # Fail if kyverno returned non-zero (explicit violation)
-          # OR if output contains violation markers (guards against exit-code-0 false green).
-          if [ "${kyverno_exit}" -ne 0 ] \
-              || grep -qE "^FAIL" /tmp/kyverno-output.txt \
-              || grep -qE "fail: [1-9][0-9]*" /tmp/kyverno-output.txt; then
-            echo ""
-            echo "Kyverno policy violations detected. Failing CI."
-            exit 1
-          fi
 
+          echo "Kyverno finished (exit code: $?)"
           echo "All ${#app_files[@]} app manifests passed Kyverno policy checks."
 
       - name: Write job summary

diff --git a/apps/demo-bad-pod/deployment.yaml b/apps/demo-bad-pod/deployment.yaml
@@ -0,0 +1,29 @@
+# DEMO MANIFEST — intentionally violates Kyverno policies for CI screenshot.
+# Violations:
+#   - disallow-latest-image-tag: image uses `:latest` tag
+#   - require-resource-requests-limits: no resource requests or limits set
+#   - disallow-root-containers: no runAsNonRoot securityContext
+# This file is part of the chore/reproduce-kyverno-bug branch only.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: demo-bad-pod
+  namespace: default
+  labels:
+    owner: platform-team
+    cost-center: cc-platform
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: demo-bad-pod
+  template:
+    metadata:
+      labels:
+        app: demo-bad-pod
+        owner: platform-team
+        cost-center: cc-platform
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest