package engine
import (
"encoding/json"
"testing"
"github.com/go-logr/logr"
kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/context"
kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
"gotest.tools/assert"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
)
// rawPolicy is the ClusterPolicy fixture shared by Test_ForceMutateSubstituteVars.
// Its single rule is a patchStrategicMerge that adds metadata.labels.appname with
// the value taken from the variable reference {{request.object.metadata.name}};
// the test checks that ForceMutate resolves that reference to the incoming
// resource's name rather than copying the placeholder through literally.
var rawPolicy = []byte(`
{
  "apiVersion": "kyverno.io/v1",
  "kind": "ClusterPolicy",
  "metadata": {
    "name": "add-label"
  },
  "spec": {
    "rules": [
      {
        "name": "add-name-label",
        "match": {
          "resources": {
            "kinds": [
              "Pod"
            ]
          }
        },
        "mutate": {
          "patchStrategicMerge": {
            "metadata": {
              "labels": {
                "appname": "{{request.object.metadata.name}}"
              }
            }
          }
        }
      }
    ]
  }
}
`)
// rawResource is the Pod fixture mutated in Test_ForceMutateSubstituteVars. It is
// both the object handed to ForceMutate and the object loaded into the JSON
// context via context.AddResource, so "check-root-user" is the name the policy's
// {{request.object.metadata.name}} reference is expected to resolve to. The
// fixture contains no numeric fields, which keeps the expected-vs-actual
// comparison independent of float64/int64 JSON decoding differences.
var rawResource = []byte(`
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "check-root-user"
  },
  "spec": {
    "containers": [
      {
        "name": "check-root-user",
        "image": "nginxinc/nginx-unprivileged",
        "securityContext": {
          "runAsNonRoot": true
        }
      }
    ]
  }
}
`)
// Test_ForceMutateSubstituteVars applies the package-level rawPolicy to
// rawResource and checks that the {{request.object.metadata.name}} reference in
// the patchStrategicMerge is resolved from the JSON context: the mutated Pod must
// be identical to the input except for the new metadata.labels.appname entry.
func Test_ForceMutateSubstituteVars(t *testing.T) {
	wantRaw := []byte(`
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "check-root-user",
    "labels": {
      "appname": "check-root-user"
    }
  },
  "spec": {
    "containers": [
      {
        "name": "check-root-user",
        "image": "nginxinc/nginx-unprivileged",
        "securityContext": {
          "runAsNonRoot": true
        }
      }
    ]
  }
}
`)

	// Decode the policy first so a broken fixture fails before the engine runs.
	var cpol kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(rawPolicy, &cpol))

	// A plain interface{} is enough for the expected object: json.Unmarshal
	// decodes numbers as float64, but this fixture has no numeric fields, so
	// there is nothing for the comparison below to disagree on.
	var want interface{}
	assert.NilError(t, json.Unmarshal(wantRaw, &want))

	obj, err := kubeutils.BytesToUnstructured(rawResource)
	assert.NilError(t, err)

	// The resource is added to the JSON context; the expected output pins the
	// label to "check-root-user", i.e. the variable is resolved from here.
	jsonCtx := context.NewContext()
	assert.NilError(t, context.AddResource(jsonCtx, rawResource))

	got, err := ForceMutate(jsonCtx, logr.Discard(), &cpol, *obj)
	assert.NilError(t, err)

	assert.DeepEqual(t, want, got.UnstructuredContent())
}
// Test_ForceMutateSubstituteVarsWithPatchesJson6902 checks that a patchesJson6902
// rule is applied by ForceMutate: a JSON patch "add" at
// /spec/template/spec/containers/0/command/0 must prepend "ls" to the existing
// command list and leave every other field of the Deployment untouched.
//
// The rule's match block names Pod while the fixture is a Deployment; the
// expected output shows the patch applied anyway, which is consistent with
// ForceMutate ignoring match (the "force" in its name) — confirm against the
// engine if that assumption matters to a change here.
func Test_ForceMutateSubstituteVarsWithPatchesJson6902(t *testing.T) {
	policyRaw := []byte(`
{
  "apiVersion": "kyverno.io/v1",
  "kind": "ClusterPolicy",
  "metadata": {
    "name": "insert-container"
  },
  "spec": {
    "rules": [
      {
        "name": "insert-container",
        "match": {
          "resources": {
            "kinds": [
              "Pod"
            ]
          }
        },
        "mutate": {
          "patchesJson6902": "- op: add\n path: \"/spec/template/spec/containers/0/command/0\"\n value: ls"
        }
      }
    ]
  }
}
`)

	// Note: the fixture spells the field "replica" (the real Deployment field is
	// "replicas"). It is carried through unchanged and the patch never touches
	// it, so the typo has no effect on what this test asserts.
	resourceRaw := []byte(`
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {
    "name": "myDeploy"
  },
  "spec": {
    "replica": 2,
    "template": {
      "metadata": {
        "labels": {
          "old-label": "old-value"
        }
      },
      "spec": {
        "containers": [
          {
            "command": ["ll", "rm"],
            "image": "nginx",
            "name": "nginx"
          }
        ]
      }
    }
  }
}
`)

	wantRaw := []byte(`
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {
    "name": "myDeploy"
  },
  "spec": {
    "replica": 2,
    "template": {
      "metadata": {
        "labels": {
          "old-label": "old-value"
        }
      },
      "spec": {
        "containers": [
          {
            "command": ["ls", "ll", "rm"],
            "image": "nginx",
            "name": "nginx"
          }
        ]
      }
    }
  }
}
`)

	var cpol kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(policyRaw, &cpol))

	// The expected object is decoded through unstructured.Unstructured (not a
	// bare interface{}) so that "replica": 2 is represented the same way on both
	// sides of the DeepEqual below.
	var want unstructured.Unstructured
	assert.NilError(t, json.Unmarshal(wantRaw, &want))

	obj, err := kubeutils.BytesToUnstructured(resourceRaw)
	assert.NilError(t, err)

	jsonCtx := context.NewContext()
	assert.NilError(t, context.AddResource(jsonCtx, resourceRaw))

	got, err := ForceMutate(jsonCtx, logr.Discard(), &cpol, *obj)
	assert.NilError(t, err)

	assert.DeepEqual(t, want.UnstructuredContent(), got.UnstructuredContent())
}
// Test_ForceMutateSubstituteVarsWithPatchStrategicMerge checks that a
// patchStrategicMerge on spec.volumes merges into the existing list rather than
// replacing it: the expected output shows "cache-volume" gaining
// emptyDir.medium=Memory while "cache-volume2", which already had it, is kept
// as a second, separate entry.
func Test_ForceMutateSubstituteVarsWithPatchStrategicMerge(t *testing.T) {
	policyRaw := []byte(`
{
  "apiVersion": "kyverno.io/v1",
  "kind": "ClusterPolicy",
  "metadata": {
    "name": "strategic-merge-patch"
  },
  "spec": {
    "rules": [
      {
        "name": "set-image-pull-policy-add-command",
        "match": {
          "resources": {
            "kinds": [
              "Pod"
            ]
          }
        },
        "mutate": {
          "patchStrategicMerge": {
            "spec": {
              "volumes": [
                {
                  "emptyDir": {
                    "medium": "Memory"
                  },
                  "name": "cache-volume"
                }
              ]
            }
          }
        }
      }
    ]
  }
}
`)

	resourceRaw := []byte(`
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "check-root-user"
  },
  "spec": {
    "volumes": [
      {
        "name": "cache-volume",
        "emptyDir": { }
      },
      {
        "name": "cache-volume2",
        "emptyDir": {
          "medium": "Memory"
        }
      }
    ]
  }
}
`)

	// Compact form: key order inside objects is irrelevant to the comparison,
	// but the order of the two volume entries is part of what is asserted.
	wantRaw := []byte(`
{"apiVersion":"v1","kind":"Pod","metadata":{"name":"check-root-user"},"spec":{"volumes":[{"emptyDir":{"medium":"Memory"},"name":"cache-volume"},{"emptyDir":{"medium":"Memory"},"name":"cache-volume2"}]}}
`)

	var cpol kyverno.ClusterPolicy
	assert.NilError(t, json.Unmarshal(policyRaw, &cpol))

	// No numeric fields in the fixture, so decoding the expected object into a
	// bare interface{} (float64 numbers) cannot skew the DeepEqual below.
	var want interface{}
	assert.NilError(t, json.Unmarshal(wantRaw, &want))

	obj, err := kubeutils.BytesToUnstructured(resourceRaw)
	assert.NilError(t, err)

	jsonCtx := context.NewContext()
	assert.NilError(t, context.AddResource(jsonCtx, resourceRaw))

	got, err := ForceMutate(jsonCtx, logr.Discard(), &cpol, *obj)
	assert.NilError(t, err)

	assert.DeepEqual(t, want, got.UnstructuredContent())
}