mirror of https://github.com/kyverno/kyverno.git synced 2025-03-13 19:28:55 +00:00

fix: schema validation for mutateExisting type of policy (#6602)

Signed-off-by: HIHIA <283304489@qq.com>
Co-authored-by: shuting <shuting@nirmata.com>
HIHIA 2023-03-17 13:01:02 +08:00 committed by GitHub
parent 7fd79f5513
commit 0849c8f929
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 9 deletions


@ -123,17 +123,23 @@ func (o *manager) ValidatePolicyMutation(policy kyvernov1.PolicyInterface) error
kindToRules := make(map[string][]kyvernov1.Rule)
for _, rule := range autogen.ComputeRules(policy) {
if rule.HasMutate() {
for _, kind := range rule.MatchResources.Kinds {
kindToRules[kind] = append(kindToRules[kind], rule)
}
for _, resourceFilter := range rule.MatchResources.Any {
for _, kind := range resourceFilter.Kinds {
if rule.IsMutateExisting() {
for _, target := range rule.Mutation.Targets {
kindToRules[target.Kind] = append(kindToRules[target.Kind], rule)
}
} else {
for _, kind := range rule.MatchResources.Kinds {
kindToRules[kind] = append(kindToRules[kind], rule)
}
}
for _, resourceFilter := range rule.MatchResources.All {
for _, kind := range resourceFilter.Kinds {
kindToRules[kind] = append(kindToRules[kind], rule)
for _, resourceFilter := range rule.MatchResources.Any {
for _, kind := range resourceFilter.Kinds {
kindToRules[kind] = append(kindToRules[kind], rule)
}
}
for _, resourceFilter := range rule.MatchResources.All {
for _, kind := range resourceFilter.Kinds {
kindToRules[kind] = append(kindToRules[kind], rule)
}
}
}
}
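Review bot: In the `rule.IsMutateExisting()` branch the rule is indexed under `target.Kind` alone, so the target's `apiVersion` is dropped and an empty or variable-templated kind is stored as a key without any check. The code that consumes `kindToRules` is outside this hunk, but if it resolves schemas by that bare string, a custom resource that shares a kind name with another API group could be checked against the wrong schema, or a target could go through without a schema check at all. I would handle an empty kind explicitly rather than appending under `kindToRules[""]`, and carry the group/version into the key if the lookup supports it. A comment above the branch would also help, such as `// mutateExisting patches the targets, not the trigger, so the schema check must use the target kinds`. ValidatePolicyMutation begins before this hunk and continues past its end.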


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,11 @@
## Description
This test ensure Schema validation should validate the target resource rather than the trigger for the mutateExisting type of policy.
## Expected Behavior
ClusterPolicy should be successfully created.
## Reference Issue(s)
6594


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-cm-for-kube-state-metrics-crds
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,38 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: generate-cm-for-kube-state-metrics-crds
annotations:
policies.kyverno.io/description: >-
This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
spec:
generateExisting: true
mutateExistingOnPolicyUpdate: true
rules:
- name: restart-kube-state-metrics-on-cm-change
match:
any:
- resources:
kinds:
- ConfigMap
names:
- "kube-state-metrics-crds"
namespaces:
- "kube-state-metrics"
preconditions:
all:
- key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
operator: NotEquals
value: source
mutate:
targets:
- apiVersion: apps/v1
kind: Deployment
name: kube-state-metrics
namespace: kube-state-metrics
patchStrategicMerge:
spec:
template:
metadata:
annotations:
platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"
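Review bot: The fixture's metadata does not describe what it exercises: the policy is named `generate-cm-for-kube-state-metrics-crds` and its description talks about generating a configmap, yet its only rule is a mutateExisting rule that patches a Deployment, and `generateExisting: true` has no generate rule to act on. The annotation key `platform.cloud.allianz/triggerrestart` also looks like an organisation-specific name carried over from the original report, while the precondition label was already neutralised to `kubestatemetrics.platform.example`. I would rename the policy here and in the assert file to something like `mutate-existing-target-schema-validation`, drop `generateExisting`, and use a neutral key such as `example.com/triggerrestart`. A short description stating that the trigger is a ConfigMap and the validated target is a Deployment would make the test's purpose clear to the next reader.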