2074 : Fix Policy cache returns the duplicated policies (#2082)

* Fix Policy cache returns the duplicated policies * Add testcases
2025-03-31 03:45:17 +00:00 · 2021-07-01 00:50:21 +05:30 · 2021-07-01 00:50:21 +05:30 · 07910edd15
commit 07910edd15
parent cd9e596e7e
2 changed files with 200 additions and 1 deletions
--- a/pkg/policycache/cache.go
+++ b/pkg/policycache/cache.go
@ -156,7 +156,7 @@ func (pc *pMap) get(key PolicyType, gvk, namespace string) (names []string) {
 	_, kind := common.GetKindFromGVK(gvk)
 	for _, policyName := range pc.kindDataMap[kind][key] {
 		ns, key, isNamespacedPolicy := policy2.ParseNamespacedPolicy(policyName)
-		if !isNamespacedPolicy {
+		if !isNamespacedPolicy && namespace == "" {
 			names = append(names, key)
 		} else {
 			if ns == namespace {
--- a/pkg/policycache/cache_test.go
+++ b/pkg/policycache/cache_test.go
@ -467,6 +467,144 @@ func newUserTestPolicy(t *testing.T) *kyverno.ClusterPolicy {
 	return convertPolicyToClusterPolicy(policy)
 }

+func newgenratePolicy(t *testing.T) *kyverno.ClusterPolicy {
+	rawPolicy := []byte(`{
+		"metadata": {
+		   "name": "add-networkpolicy",
+		   "annotations": {
+			  "policies.kyverno.io/title": "Add Network Policy",
+			  "policies.kyverno.io/category": "Multi-Tenancy",
+			  "policies.kyverno.io/subject": "NetworkPolicy"
+		   }
+		},
+		"spec": {
+		   "validationFailureAction": "audit",
+		   "rules": [
+			  {
+				 "name": "default-deny",
+				 "match": {
+					"resources": {
+					   "kinds": [
+						  "Namespace"
+					   ]
+					}
+				 },
+				 "generate": {
+					"kind": "NetworkPolicy",
+					"name": "default-deny",
+					"namespace": "{{request.object.metadata.name}}",
+					"synchronize": true,
+					"data": {
+					   "spec": {
+						  "podSelector": {},
+						  "policyTypes": [
+							 "Ingress",
+							 "Egress"
+						  ]
+					   }
+					}
+				 }
+			  }
+		   ]
+		}
+	 }`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	return policy
+}
+func newMutatePolicy(t *testing.T) *kyverno.ClusterPolicy {
+	rawPolicy := []byte(`{
+		"metadata": {
+		  "name": "logger-sidecar"
+		},
+		"spec": {
+		  "background": false,
+		  "rules": [
+			{
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"StatefulSet"
+				  ]
+				}
+			  },
+			  "mutate": {
+				"patchesJson6902": "- op: add\n  path: /spec/template/spec/containers/-1\n  value: {\"name\": \"logger\", \"image\": \"nginx\"}\n- op: add\n  path: /spec/template/spec/volumes/-1\n  value: {\"name\": \"logs\",\"emptyDir\": {\"medium\": \"Memory\"}}\n- op: add\n  path: /spec/template/spec/containers/0/volumeMounts/-1\n  value: {\"mountPath\": \"/opt/app/logs\",\"name\": \"logs\"}"
+			  },
+			  "name": "logger-sidecar",
+			  "preconditions": [
+				{
+				  "key": "{{ request.object.spec.template.metadata.annotations.\"logger.k8s/inject\"}}",
+				  "operator": "Equals",
+				  "value": "true"
+				},
+				{
+				  "key": "logger",
+				  "operator": "NotIn",
+				  "value": "{{ request.object.spec.template.spec.containers[].name }}"
+				}
+			  ]
+			}
+		  ],
+		  "validationFailureAction": "audit"
+		}
+	  }`)
+
+	var policy *kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	return policy
+}
+func newNsMutatePolicy(t *testing.T) *kyverno.ClusterPolicy {
+	rawPolicy := []byte(`{
+		"metadata": {
+		  "name": "logger-sidecar",
+		  "namespace": "logger"
+		},
+		"spec": {
+		  "background": false,
+		  "rules": [
+			{
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"StatefulSet"
+				  ]
+				}
+			  },
+			  "mutate": {
+				"patchesJson6902": "- op: add\n  path: /spec/template/spec/containers/-1\n  value: {\"name\": \"logger\", \"image\": \"nginx\"}\n- op: add\n  path: /spec/template/spec/volumes/-1\n  value: {\"name\": \"logs\",\"emptyDir\": {\"medium\": \"Memory\"}}\n- op: add\n  path: /spec/template/spec/containers/0/volumeMounts/-1\n  value: {\"mountPath\": \"/opt/app/logs\",\"name\": \"logs\"}"
+			  },
+			  "name": "logger-sidecar",
+			  "preconditions": [
+				{
+				  "key": "{{ request.object.spec.template.metadata.annotations.\"logger.k8s/inject\"}}",
+				  "operator": "Equals",
+				  "value": "true"
+				},
+				{
+				  "key": "logger",
+				  "operator": "NotIn",
+				  "value": "{{ request.object.spec.template.spec.containers[].name }}"
+				}
+			  ]
+			}
+		  ],
+		  "validationFailureAction": "audit"
+		}
+	  }`)
+
+	var policy *kyverno.Policy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	return convertPolicyToClusterPolicy(policy)
+}
+
 func Test_Ns_All(t *testing.T) {
 	pCache := newPolicyCache(log.Log, dummyLister{}, dummyNsLister{})
 	policy := newNsPolicy(t)
@ -635,3 +773,64 @@ func Test_Ns_Add_Remove_User(t *testing.T) {
 		t.Errorf("expected 0 validate enforce policy, found %v", len(deletedValidateEnforce))
 	}
 }
+
+func Test_Mutate_Policy(t *testing.T) {
+	pCache := newPolicyCache(log.Log, dummyLister{}, dummyNsLister{})
+	policy := newMutatePolicy(t)
+	//add
+	pCache.Add(policy)
+	pCache.Add(policy)
+	pCache.Add(policy)
+	for _, rule := range policy.Spec.Rules {
+		for _, kind := range rule.MatchResources.Kinds {
+
+			// get
+			mutate := pCache.get(Mutate, kind, "")
+			if len(mutate) != 1 {
+				t.Errorf("expected 1 mutate policy, found %v", len(mutate))
+			}
+		}
+	}
+}
+
+func Test_Generate_Policy(t *testing.T) {
+	pCache := newPolicyCache(log.Log, dummyLister{}, dummyNsLister{})
+	policy := newgenratePolicy(t)
+	//add
+	pCache.Add(policy)
+	for _, rule := range policy.Spec.Rules {
+		for _, kind := range rule.MatchResources.Kinds {
+
+			// get
+			generate := pCache.get(Generate, kind, "")
+			if len(generate) != 1 {
+				t.Errorf("expected 1 generate policy, found %v", len(generate))
+			}
+		}
+	}
+}
+
+func Test_NsMutate_Policy(t *testing.T) {
+	pCache := newPolicyCache(log.Log, dummyLister{}, dummyNsLister{})
+	policy := newMutatePolicy(t)
+	nspolicy := newNsMutatePolicy(t)
+	//add
+	pCache.Add(policy)
+	pCache.Add(nspolicy)
+	pCache.Add(policy)
+	pCache.Add(nspolicy)
+
+	nspace := policy.GetNamespace()
+	// get
+	mutate := pCache.get(Mutate, "StatefulSet", "")
+	if len(mutate) != 1 {
+		t.Errorf("expected 1 mutate policy, found %v", len(mutate))
+	}
+
+	// get
+	nsMutate := pCache.get(Mutate, "StatefulSet", nspace)
+	if len(nsMutate) != 1 {
+		t.Errorf("expected 1 namespace mutate policy, found %v", len(nsMutate))
+	}
+
+}