mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-13 19:28:55 +00:00
fix: schema validation for mutateExisting type of policy (#6602)
Signed-off-by: HIHIA <283304489@qq.com> Co-authored-by: shuting <shuting@nirmata.com>
parent
7fd79f5513
commit
0849c8f929
5 changed files with 79 additions and 9 deletions
|
@ -123,17 +123,23 @@ func (o *manager) ValidatePolicyMutation(policy kyvernov1.PolicyInterface) error
|
|||
kindToRules := make(map[string][]kyvernov1.Rule)
|
||||
for _, rule := range autogen.ComputeRules(policy) {
|
||||
if rule.HasMutate() {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
kindToRules[kind] = append(kindToRules[kind], rule)
|
||||
}
|
||||
for _, resourceFilter := range rule.MatchResources.Any {
|
||||
for _, kind := range resourceFilter.Kinds {
|
||||
if rule.IsMutateExisting() {
|
||||
for _, target := range rule.Mutation.Targets {
|
||||
kindToRules[target.Kind] = append(kindToRules[target.Kind], rule)
|
||||
}
|
||||
} else {
|
||||
for _, kind := range rule.MatchResources.Kinds {
|
||||
kindToRules[kind] = append(kindToRules[kind], rule)
|
||||
}
|
||||
}
|
||||
for _, resourceFilter := range rule.MatchResources.All {
|
||||
for _, kind := range resourceFilter.Kinds {
|
||||
kindToRules[kind] = append(kindToRules[kind], rule)
|
||||
for _, resourceFilter := range rule.MatchResources.Any {
|
||||
for _, kind := range resourceFilter.Kinds {
|
||||
kindToRules[kind] = append(kindToRules[kind], rule)
|
||||
}
|
||||
}
|
||||
for _, resourceFilter := range rule.MatchResources.All {
|
||||
for _, kind := range resourceFilter.Kinds {
|
||||
kindToRules[kind] = append(kindToRules[kind], rule)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
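Review bot: In the `rule.IsMutateExisting()` branch the map key is `target.Kind` alone, so the target's `apiVersion` plays no part in choosing the schema, and an empty or variable-bearing kind is inserted as a key like any other. How those keys are consumed is decided further down in ValidatePolicyMutation, outside this hunk, so it is worth confirming there that a kind which cannot be resolved produces an error or an explicit skip rather than passing schema validation silently. The branch also deserves a one-line comment on why the match kinds are ignored, e.g. `// mutateExisting patches the targets, not the trigger, so validate the patch against the target kinds`.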
@ -0,0 +1,6 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- policy.yaml
|
||||
assert:
|
||||
- policy-assert.yaml
|
|
@ -0,0 +1,11 @@
|
|||
## Description
|
||||
|
||||
This test ensure Schema validation should validate the target resource rather than the trigger for the mutateExisting type of policy.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
ClusterPolicy should be successfully created.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
6594
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: generate-cm-for-kube-state-metrics-crds
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,38 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: generate-cm-for-kube-state-metrics-crds
|
||||
annotations:
|
||||
policies.kyverno.io/description: >-
|
||||
This policy generates and synchronizes a configmap for custom resource kube-state-metrics.
|
||||
spec:
|
||||
generateExisting: true
|
||||
mutateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: restart-kube-state-metrics-on-cm-change
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- "kube-state-metrics-crds"
|
||||
namespaces:
|
||||
- "kube-state-metrics"
|
||||
preconditions:
|
||||
all:
|
||||
- key: "{{ request.object.metadata.labels.\"kubestatemetrics.platform.example\" || '' }}"
|
||||
operator: NotEquals
|
||||
value: source
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
name: kube-state-metrics
|
||||
namespace: kube-state-metrics
|
||||
patchStrategicMerge:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
platform.cloud.allianz/triggerrestart: "{{request.object.metadata.resourceVersion}}"
|
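Review bot: This fixture covers only the accepting path: the `patchStrategicMerge` is valid for the `Deployment` target and the assert file checks that the policy becomes `Ready`. A companion case would pin the other half of the behaviour and guard against validation being skipped for targets: a mutateExisting policy whose patch does not fit the target kind's schema, expected to be rejected at creation. Separately, the name `generate-cm-for-kube-state-metrics-crds`, the description annotation and `generateExisting: true` all describe a generate policy, while the only rule mutates an existing Deployment; aligning them would make the test's intent easier to read.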