kyverno/pkg/policy/on_update_policy_test.go

package policy

import (
	"encoding/json"
	"testing"

	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
	"gotest.tools/assert"
)

func Test_valid_onUpdatePolicyPolicy(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "test-gen",
		  "annotations": {
			"policies.kyverno.io/category": "Best Practices"
		  }
		},
		"spec": {
		  "rules": [
			{
			  "match": {
				"resources": {
				  "kinds": [
					"Namespace"
				  ]
				}
			  },
			  "name": "test-gen",
			  "preconditions": {
				"all": [
				  {
					"key": "{{request.object.metadata.name}}",
					"operator": "NotEquals",
					"value": ""
				  }
				]
			  },
			  "validate": {
				"message": "The only label that may be removed or changed is breakglass.",
				"deny": {
				  "conditions": {
					"any": [
					  {
						"key": "{{ request.object.metadata.labels  |  merge(@, {breakglass:null}) }}",
						"operator": "NotEquals",
						"value": "{{ request.oldObject.metadata.labels  |  merge(@, {breakglass:null}) }}"
					  }
					]
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)

	err = ValidateOnPolicyUpdate(&policy, true)
	assert.NilError(t, err)
}

func Test_invalid_onUpdatePolicyPolicy(t *testing.T) {
	rawPolicy := []byte(`{
		"apiVersion": "kyverno.io/v1",
		"kind": "ClusterPolicy",
		"metadata": {
		  "name": "who-created-this"
		},
		"spec": {
		  "rules": [
			{
			  "name": "who-created-this",
			  "match": {
				"any": [
				  {
					"resources": {
					  "kinds": [
						"Pod"
					  ]
					}
				  }
				]
			  },
			  "mutate": {
				"patchStrategicMerge": {
				  "metadata": {
					"labels": {
					  "created-by": "{{request.userInfo.username}}"
					}
				  }
				}
			  }
			}
		  ]
		}
	  }`)

	var policy kyverno.ClusterPolicy
	err := json.Unmarshal(rawPolicy, &policy)
	assert.NilError(t, err)
	err = ValidateOnPolicyUpdate(&policy, true)
	assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable {{request.userInfo.username}} is not allowed ")
}