kyverno/pkg/validation/exception/validate.go

package exception

import (
	"context"

	"github.com/go-logr/logr"
)

const (
	namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
	disabledPolex       = "PolicyException resources would not be processed until it is enabled."
	polexNamespaceFlag  = "The exceptionNamespace flag is not set"
)

type ValidationOptions struct {
	Enabled   bool
	Namespace string
}

// Validate checks policy exception is valid
func ValidateNamespace(ctx context.Context, logger logr.Logger, polexNs string, opts ValidationOptions) []string {
	var warnings []string
	if !opts.Enabled {
		warnings = append(warnings, disabledPolex)
	} else if opts.Namespace == "" {
		warnings = append(warnings, polexNamespaceFlag)
	} else if opts.Namespace != "*" && opts.Namespace != polexNs {
		warnings = append(warnings, namespacesDontMatch)
	}
	return warnings
}
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-15 09:34:44 +01:00			`package exception`

			`import (`
			`"context"`

			`"github.com/go-logr/logr"`
			`)`

validate polex activation and namespace (#6046) * validate polex activation and namespace Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options to handler Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * replace pointer Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove exceptionoption argument Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove nested if Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * revert change Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix line Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options differently Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push update Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * move struct Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Update pkg/validation/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * fix Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add unit test Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove lines Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix error Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2023-01-23 10:48:54 +01:00			`const (`
			`namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."`
			`disabledPolex = "PolicyException resources would not be processed until it is enabled."`
fix[breaking]: disable exceptions by default (#11426) * fix[breaking]: disable exceptions by default Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: add warning in helm chart for exceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2024-10-22 09:07:11 +03:00			`polexNamespaceFlag = "The exceptionNamespace flag is not set"`
validate polex activation and namespace (#6046) * validate polex activation and namespace Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options to handler Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * replace pointer Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove exceptionoption argument Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove nested if Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * revert change Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix line Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options differently Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push update Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * move struct Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Update pkg/validation/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * fix Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add unit test Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove lines Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix error Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2023-01-23 10:48:54 +01:00			`)`

			`type ValidationOptions struct {`
			`Enabled bool`
			`Namespace string`
			`}`

feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-15 09:34:44 +01:00			`// Validate checks policy exception is valid`
feat: validate CELPolicyExceptions (#12083) * feat: validate CELPolicyExceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: add cel-policy-exceptions tests in the CI Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2025-02-05 17:01:11 +02:00			`func ValidateNamespace(ctx context.Context, logger logr.Logger, polexNs string, opts ValidationOptions) []string {`
validate polex activation and namespace (#6046) * validate polex activation and namespace Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options to handler Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * replace pointer Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove exceptionoption argument Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove nested if Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * revert change Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix line Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options differently Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push update Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * move struct Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Update pkg/validation/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * fix Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add unit test Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove lines Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix error Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2023-01-23 10:48:54 +01:00			`var warnings []string`
			`if !opts.Enabled {`
			`warnings = append(warnings, disabledPolex)`
fix[breaking]: disable exceptions by default (#11426) * fix[breaking]: disable exceptions by default Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix: add warning in helm chart for exceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2024-10-22 09:07:11 +03:00			`} else if opts.Namespace == "" {`
			`warnings = append(warnings, polexNamespaceFlag)`
feat: validate CELPolicyExceptions (#12083) * feat: validate CELPolicyExceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: add cel-policy-exceptions tests in the CI Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2025-02-05 17:01:11 +02:00			`} else if opts.Namespace != "*" && opts.Namespace != polexNs {`
validate polex activation and namespace (#6046) * validate polex activation and namespace Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options to handler Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * replace pointer Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove exceptionoption argument Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove nested if Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * revert change Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix line Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options differently Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push update Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * move struct Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Update pkg/validation/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * fix Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add unit test Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove lines Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix error Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> 2023-01-23 10:48:54 +01:00			`warnings = append(warnings, namespacesDontMatch)`
			`}`
feat: validate CELPolicyExceptions (#12083) * feat: validate CELPolicyExceptions Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: add cel-policy-exceptions tests in the CI Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2025-02-05 17:01:11 +02:00			`return warnings`
feat: add policy exception validation webhook (#5679) * feat: add policy exception validation webhook Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * handler Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * validation Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2022-12-15 09:34:44 +01:00			`}`