2019-12-31 01:08:50 +00:00
|
|
|
package engine
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2021-03-23 17:34:03 +00:00
|
|
|
"reflect"
|
|
|
|
"testing"
|
2019-12-31 01:08:50 +00:00
|
|
|
|
2020-10-07 18:12:31 +00:00
|
|
|
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/context"
|
|
|
|
"github.com/kyverno/kyverno/pkg/engine/utils"
|
2021-04-29 17:09:44 +00:00
|
|
|
"github.com/kyverno/kyverno/pkg/kyverno/store"
|
2019-12-31 01:08:50 +00:00
|
|
|
"gotest.tools/assert"
|
|
|
|
)
|
|
|
|
|
|
|
|
func Test_VariableSubstitutionOverlay(t *testing.T) {
|
|
|
|
rawPolicy := []byte(`
|
|
|
|
{
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
"metadata": {
|
|
|
|
"name": "add-label"
|
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"rules": [
|
|
|
|
{
|
|
|
|
"name": "add-name-label",
|
|
|
|
"match": {
|
|
|
|
"resources": {
|
|
|
|
"kinds": [
|
|
|
|
"Pod"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"mutate": {
|
|
|
|
"overlay": {
|
|
|
|
"metadata": {
|
|
|
|
"labels": {
|
|
|
|
"appname": "{{request.object.metadata.name}}"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)
|
|
|
|
rawResource := []byte(`
|
|
|
|
{
|
|
|
|
"apiVersion": "v1",
|
|
|
|
"kind": "Pod",
|
|
|
|
"metadata": {
|
|
|
|
"name": "check-root-user"
|
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"containers": [
|
|
|
|
{
|
|
|
|
"name": "check-root-user",
|
|
|
|
"image": "nginxinc/nginx-unprivileged",
|
|
|
|
"securityContext": {
|
|
|
|
"runAsNonRoot": true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`)
|
2020-09-22 23:19:09 +00:00
|
|
|
expectedPatch := []byte(`{"op":"add","path":"/metadata/labels","value":{"appname":"check-root-user"}}`)
|
2019-12-31 01:08:50 +00:00
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
2020-03-23 19:05:05 +00:00
|
|
|
err := json.Unmarshal(rawPolicy, &policy)
|
|
|
|
if err != nil {
|
|
|
|
t.Error(err)
|
|
|
|
}
|
2020-01-08 01:06:17 +00:00
|
|
|
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource)
|
2019-12-31 01:08:50 +00:00
|
|
|
assert.NilError(t, err)
|
|
|
|
ctx := context.NewContext()
|
2020-03-23 19:05:05 +00:00
|
|
|
err = ctx.AddResource(rawResource)
|
|
|
|
if err != nil {
|
|
|
|
t.Error(err)
|
|
|
|
}
|
2019-12-31 01:08:50 +00:00
|
|
|
value, err := ctx.Query("request.object.metadata.name")
|
2020-08-08 00:09:24 +00:00
|
|
|
|
2019-12-31 01:08:50 +00:00
|
|
|
t.Log(value)
|
|
|
|
if err != nil {
|
|
|
|
t.Error(err)
|
|
|
|
}
|
2020-12-23 23:10:07 +00:00
|
|
|
policyContext := &PolicyContext{
|
2019-12-31 01:08:50 +00:00
|
|
|
Policy: policy,
|
2020-12-23 23:10:07 +00:00
|
|
|
JSONContext: ctx,
|
2019-12-31 01:08:50 +00:00
|
|
|
NewResource: *resourceUnstructured}
|
|
|
|
er := Mutate(policyContext)
|
|
|
|
t.Log(string(expectedPatch))
|
|
|
|
t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))
|
|
|
|
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {
|
|
|
|
t.Error("patches dont match")
|
|
|
|
}
|
|
|
|
}
|
2020-01-09 20:24:37 +00:00
|
|
|
|
|
|
|
func Test_variableSubstitutionPathNotExist(t *testing.T) {
|
|
|
|
resourceRaw := []byte(`{
|
|
|
|
"apiVersion": "v1",
|
|
|
|
"kind": "Pod",
|
|
|
|
"metadata": {
|
|
|
|
"name": "check-root-user"
|
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"containers": [
|
|
|
|
{
|
|
|
|
"name": "check-root-user",
|
|
|
|
"image": "nginxinc/nginx-unprivileged",
|
|
|
|
"securityContext": {
|
|
|
|
"runAsNonRoot": true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
policyraw := []byte(`{
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
"metadata": {
|
2020-01-24 20:05:53 +00:00
|
|
|
"name": "substitute-variable"
|
2020-01-09 20:24:37 +00:00
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"rules": [
|
|
|
|
{
|
|
|
|
"name": "test-path-not-exist",
|
|
|
|
"match": {
|
|
|
|
"resources": {
|
|
|
|
"kinds": [
|
|
|
|
"Pod"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"mutate": {
|
|
|
|
"overlay": {
|
|
|
|
"spec": {
|
|
|
|
"name": "{{request.object.metadata.name1}}"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
var policy kyverno.ClusterPolicy
|
2020-03-23 19:05:05 +00:00
|
|
|
err := json.Unmarshal(policyraw, &policy)
|
|
|
|
assert.NilError(t, err)
|
2020-01-09 20:24:37 +00:00
|
|
|
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
ctx := context.NewContext()
|
2020-03-23 19:05:05 +00:00
|
|
|
err = ctx.AddResource(resourceRaw)
|
|
|
|
assert.NilError(t, err)
|
2020-01-09 20:24:37 +00:00
|
|
|
|
2020-12-23 23:10:07 +00:00
|
|
|
policyContext := &PolicyContext{
|
2020-01-09 20:24:37 +00:00
|
|
|
Policy: policy,
|
2020-12-23 23:10:07 +00:00
|
|
|
JSONContext: ctx,
|
2020-01-09 20:24:37 +00:00
|
|
|
NewResource: *resourceUnstructured}
|
|
|
|
er := Mutate(policyContext)
|
2021-07-02 05:56:50 +00:00
|
|
|
expectedErrorStr := "variable substitution failed for rule test-path-not-exist: Unknown key \"name1\" in path"
|
2020-02-14 19:59:28 +00:00
|
|
|
assert.Equal(t, er.PolicyResponse.Rules[0].Message, expectedErrorStr)
|
2020-01-11 01:15:44 +00:00
|
|
|
}
|
2021-04-29 17:09:44 +00:00
|
|
|
|
|
|
|
func Test_variableSubstitutionCLI(t *testing.T) {
|
|
|
|
resourceRaw := []byte(`{
|
|
|
|
"apiVersion": "v1",
|
|
|
|
"kind": "Pod",
|
|
|
|
"metadata": {
|
|
|
|
"name": "nginx-config-test"
|
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"containers": [
|
|
|
|
{
|
|
|
|
"image": "nginx:latest",
|
|
|
|
"name": "test-nginx"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
policyraw := []byte(`{
|
|
|
|
"apiVersion": "kyverno.io/v1",
|
|
|
|
"kind": "ClusterPolicy",
|
|
|
|
"metadata": {
|
|
|
|
"name": "cm-variable-example"
|
|
|
|
},
|
|
|
|
"spec": {
|
|
|
|
"rules": [
|
|
|
|
{
|
|
|
|
"name": "example-configmap-lookup",
|
|
|
|
"context": [
|
|
|
|
{
|
|
|
|
"name": "dictionary",
|
|
|
|
"configMap": {
|
|
|
|
"name": "mycmap",
|
|
|
|
"namespace": "default"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"match": {
|
|
|
|
"resources": {
|
|
|
|
"kinds": [
|
|
|
|
"Pod"
|
|
|
|
]
|
|
|
|
}
|
|
|
|
},
|
|
|
|
"mutate": {
|
|
|
|
"patchStrategicMerge": {
|
|
|
|
"metadata": {
|
|
|
|
"labels": {
|
|
|
|
"my-environment-name": "{{dictionary.data.env}}"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
]
|
|
|
|
}
|
|
|
|
}`)
|
|
|
|
|
|
|
|
configMapVariableContext := store.Context{
|
|
|
|
Policies: []store.Policy{
|
|
|
|
{
|
|
|
|
Name: "cm-variable-example",
|
|
|
|
Rules: []store.Rule{
|
|
|
|
{
|
|
|
|
Name: "example-configmap-lookup",
|
|
|
|
Values: map[string]string{
|
|
|
|
"dictionary.data.env": "dev1",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
expectedPatch := []byte(`{"op":"add","path":"/metadata/labels","value":{"my-environment-name":"dev1"}}`)
|
|
|
|
|
|
|
|
store.SetContext(configMapVariableContext)
|
|
|
|
store.SetMock(true)
|
|
|
|
var policy kyverno.ClusterPolicy
|
|
|
|
err := json.Unmarshal(policyraw, &policy)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
ctx := context.NewContext()
|
|
|
|
err = ctx.AddResource(resourceRaw)
|
|
|
|
assert.NilError(t, err)
|
|
|
|
|
|
|
|
policyContext := &PolicyContext{
|
|
|
|
Policy: policy,
|
|
|
|
JSONContext: ctx,
|
|
|
|
NewResource: *resourceUnstructured,
|
|
|
|
}
|
|
|
|
|
|
|
|
er := Mutate(policyContext)
|
|
|
|
t.Log(string(expectedPatch))
|
|
|
|
t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))
|
|
|
|
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {
|
|
|
|
t.Error("patches dont match")
|
|
|
|
}
|
|
|
|
}
|