From 062bd798f04e19f4cb4f9f0522af00d1b75ebb72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Mon, 13 Mar 2023 11:24:11 +0100 Subject: [PATCH] test: add kuttl tests for policy kinds validation (#6547) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * test: add kuttl tests for policy kinds validation Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché * fix Signed-off-by: Charles-Edouard Brétéché --------- Signed-off-by: Charles-Edouard Brétéché --- pkg/policy/validate.go | 22 +++++++++++-------- .../unknown-kind/01-unknown-kind.yaml | 5 +++++ .../02-unknown-kind-subresource.yaml | 5 +++++ .../unknown-kind/03-wrong-version.yaml | 5 +++++ .../unknown-kind/04-unknown-subresource.yaml | 5 +++++ .../kuttl/webhooks/unknown-kind/README.md | 4 ++++ .../kuttl/webhooks/unknown-kind/policy-1.yaml | 20 +++++++++++++++++ .../kuttl/webhooks/unknown-kind/policy-2.yaml | 20 +++++++++++++++++ .../kuttl/webhooks/unknown-kind/policy-3.yaml | 20 +++++++++++++++++ .../kuttl/webhooks/unknown-kind/policy-4.yaml | 20 +++++++++++++++++ 10 files changed, 117 insertions(+), 9 deletions(-) create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/01-unknown-kind.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/02-unknown-kind-subresource.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/03-wrong-version.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/04-unknown-subresource.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/README.md create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/policy-1.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/policy-2.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/policy-3.yaml create mode 100644 test/conformance/kuttl/webhooks/unknown-kind/policy-4.yaml 
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 95cde07077..5c7e849aae 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -1285,16 +1285,22 @@ func validateWildcard(kinds []string, spec *kyvernov1.Spec, rule kyvernov1.Rule)
 // and found in the cache, returns error if not found. It also returns an error if background scanning
 // is enabled for a subresource.
 func validateKinds(kinds []string, mock, backgroundScanningEnabled, isValidationPolicy bool, client dclient.Interface) error {
- for _, kind := range kinds {
- if !mock && !strings.Contains(kind, "*") {
- gv, k := kubeutils.GetKindFromGVK(kind)
- _, _, gvr, err := client.Discovery().FindResource(gv, k)
+ for _, k := range kinds {
+ if !mock {
+ group, version, kind, subresource := kubeutils.ParseKindSelector(k)
+ gvrs, err := client.Discovery().FindResources(group, version, kind, subresource)
 if err != nil {
 return fmt.Errorf("unable to convert GVK to GVR for kinds %s, err: %s", k, err)
 }
- _, subresource := kubeutils.SplitSubresource(gvr.Resource)
- if subresource != "" && isValidationPolicy && backgroundScanningEnabled {
- return fmt.Errorf("background scan enabled with subresource %s", subresource)
+ if len(gvrs) == 0 {
+ return fmt.Errorf("unable to convert GVK to GVR for kinds %s", k)
+ }
+ if backgroundScanningEnabled {
+ for _, gvr := range gvrs {
+ if strings.Contains(gvr.Resource, "/") {
+ return fmt.Errorf("background scan enabled with subresource %s", subresource)
+ }
+ }
 }
 }
 }
@@ -1310,7 +1316,6 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 if notOk {
 return fmt.Errorf("wildcard pattern '%s' matches with namespace '%s'", pat, ns)
 }
-
 pat1, pat2, notOk := wildcard.MatchPatterns(auditW, enforceW...)
 if notOk {
 return fmt.Errorf("wildcard pattern '%s' conflicts with the pattern '%s'", pat1, pat2)
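Review bot: The rejection inside the new `for _, gvr := range gvrs` loop reports the parsed `subresource` instead of the `gvr.Resource` that actually tripped `strings.Contains(gvr.Resource, "/")`, so for a selector whose subresource part is a wildcard (the suite's own `Foo/*` shape) the message presumably prints the pattern, or nothing, rather than the offending subresource; `return fmt.Errorf("background scan enabled with subresource %s", gvr.Resource)` names the right thing. Dropping `isValidationPolicy` from the condition also widens the check from validation policies to every policy type, which leaves that parameter unused in the visible body — if the widening is intended, state it in the doc comment above (`// ... for any policy type, not only validation policies`) rather than keeping a dead parameter that suggests the old narrower contract. The discovery error is still wrapped with `%s` rather than `%w`, so callers cannot use errors.Is/As on it. validateKinds's trailing return lies outside the hunk.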
@@ -1319,7 +1324,6 @@ func validateWildcardsWithNamespaces(enforce, audit, enforceW, auditW []string)
 if notOk {
 return fmt.Errorf("wildcard pattern '%s' conflicts with the pattern '%s'", pat1, pat2)
 }
-
 return nil
 }
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/01-unknown-kind.yaml b/test/conformance/kuttl/webhooks/unknown-kind/01-unknown-kind.yaml
new file mode 100644
index 0000000000..fc063d7bff
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/01-unknown-kind.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+ - file: policy-1.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/02-unknown-kind-subresource.yaml b/test/conformance/kuttl/webhooks/unknown-kind/02-unknown-kind-subresource.yaml
new file mode 100644
index 0000000000..ba9ecad57a
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/02-unknown-kind-subresource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+ - file: policy-2.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/03-wrong-version.yaml b/test/conformance/kuttl/webhooks/unknown-kind/03-wrong-version.yaml
new file mode 100644
index 0000000000..fb9eaa285e
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/03-wrong-version.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+ - file: policy-3.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/04-unknown-subresource.yaml b/test/conformance/kuttl/webhooks/unknown-kind/04-unknown-subresource.yaml
new file mode 100644
index 0000000000..6fa9939b03
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/04-unknown-subresource.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+ - file: policy-4.yaml
+ shouldFail: true
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/README.md b/test/conformance/kuttl/webhooks/unknown-kind/README.md
new file mode 100644
index 0000000000..6e44bf80c1
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/README.md
@@ -0,0 +1,4 @@
+## Description
+
+This test tries to create policies with different combinations of unknown kind and/or subresource.
+The policies should be rejected.
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/policy-1.yaml b/test/conformance/kuttl/webhooks/unknown-kind/policy-1.yaml
new file mode 100644
index 0000000000..5a6be03550
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/policy-1.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: unknown
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: unknown
+ match:
+ any:
+ - resources:
+ kinds:
+ - Foo
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/policy-2.yaml b/test/conformance/kuttl/webhooks/unknown-kind/policy-2.yaml
new file mode 100644
index 0000000000..7d0cf31fc5
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/policy-2.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: unknown
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: unknown
+ match:
+ any:
+ - resources:
+ kinds:
+ - Foo/*
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/policy-3.yaml b/test/conformance/kuttl/webhooks/unknown-kind/policy-3.yaml
new file mode 100644
index 0000000000..57d255ae5b
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/policy-3.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: unknown
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: unknown
+ match:
+ any:
+ - resources:
+ kinds:
+ - v2/Pod
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
diff --git a/test/conformance/kuttl/webhooks/unknown-kind/policy-4.yaml b/test/conformance/kuttl/webhooks/unknown-kind/policy-4.yaml
new file mode 100644
index 0000000000..f77bc622c6
--- /dev/null
+++ b/test/conformance/kuttl/webhooks/unknown-kind/policy-4.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: unknown
+spec:
+ validationFailureAction: Audit
+ background: false
+ rules:
+ - name: unknown
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod/foo
+ validate:
+ message: 'The label `team` is required.'
+ pattern:
+ metadata:
+ labels:
+ team: '?*'
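Review bot: None of the four policies exercises the new background-scan branch — every one sets `background: false`, so the `background scan enabled with subresource` rejection that validate.go gains in this same commit is not covered by the suite. policy-4's `Pod/foo` and policy-2's `Foo/*` both fail at discovery, so they cannot tell that branch apart from the unknown-kind branch either. A fifth step applying a policy with `background: true` and a resolvable subresource kind such as `Pod/status`, again with `shouldFail: true`, would pin the path; the README sentence `The policies should be rejected.` would then want to mention the background-scan case too.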