From 08a3087100b6f9b175afaa68d946bbda46f14825 Mon Sep 17 00:00:00 2001 From: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com> Date: Wed, 27 Oct 2021 05:59:42 +0530 Subject: [PATCH] New operators (#2543) * added anyin operator Signed-off-by: anushkamittal20 * allin, anynotin, allnotin added Signed-off-by: anushkamittal20 * added operator handler info Signed-off-by: anushkamittal20 * fixes typos and variable names Signed-off-by: anushkamittal20 * reusing code from in.go in new operators Signed-off-by: anushkamittal20 * Added more test cases for new operators Signed-off-by: anushkamittal20 * updated openapiv3schema Signed-off-by: anushkamittal20 * matching logic Signed-off-by: anushkamittal20 * added deprecated tag for In and NotIn Signed-off-by: anushkamittal20 --- api/swaggerDoc.go | 12 +- charts/kyverno/templates/crds.yaml | 16 +- .../crds/kyverno.io_clusterpolicies.yaml | 42 +- definitions/crds/kyverno.io_policies.yaml | 42 +- .../wgpolicyk8s.io_clusterpolicyreports.yaml | 8 +- .../crds/wgpolicyk8s.io_policyreports.yaml | 8 +- definitions/install.yaml | 28 +- definitions/install_debug.yaml | 28 +- definitions/release/install.yaml | 128 ++--- pkg/api/kyverno/v1/policy_types.go | 12 +- pkg/engine/variables/evaluate_test.go | 438 ++++++++++++++++++ pkg/engine/variables/operator/allin.go | 155 +++++++ pkg/engine/variables/operator/allnotin.go | 79 ++++ pkg/engine/variables/operator/anyin.go | 154 ++++++ pkg/engine/variables/operator/anynotin.go | 79 ++++ pkg/engine/variables/operator/in.go | 1 + pkg/engine/variables/operator/notin.go | 1 + pkg/engine/variables/operator/operator.go | 14 + pkg/kyverno/crds/policy_crd.go | 16 +- 19 files changed, 1129 insertions(+), 132 deletions(-) create mode 100644 pkg/engine/variables/operator/allin.go create mode 100644 pkg/engine/variables/operator/allnotin.go create mode 100644 pkg/engine/variables/operator/anyin.go create mode 100644 pkg/engine/variables/operator/anynotin.go 
diff --git a/api/swaggerDoc.go b/api/swaggerDoc.go index aa535440eb..c42458d4a2 100644 --- a/api/swaggerDoc.go +++ b/api/swaggerDoc.go @@ -7805,11 +7805,11 @@ const SwaggerDoc = ` "type": "string" }, "operator": { - "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "description": "Represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists, DoesNotExist. Gt, and Lt.", "type": "string" }, "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "description": "An array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", "items": { "type": "string" }, @@ -9871,7 +9871,7 @@ const SwaggerDoc = ` "description": "A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.", "properties": { "operator": { - "description": "Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.", + "description": "Represents a scope's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists, DoesNotExist.", "type": "string" }, "scopeName": { 
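Review bot: The selector-requirement descriptions edited in this hunk now list AnyIn, AllIn, AnyNotIn and AllNotIn as valid operators for what appear to be the upstream Kubernetes label, node and scoped-resource selector types, which this commit does not extend; the only `enum` that gains the new values in the visible hunks is the Kyverno condition `operator`. The same edit is repeated in the later swaggerDoc.go hunks, charts/kyverno/templates/crds.yaml, the wgpolicyk8s.io report CRDs, definitions/install.yaml, install_debug.yaml and release/install.yaml. A policy author who trusts this text and puts one of the new operators in a match/exclude selector would presumably get a rejected or non-matching selector, leaving the intended resources outside the policy. I would restore the original wording, e.g. `Valid operators are In, NotIn, Exists and DoesNotExist.`, and regenerate these files rather than hand-edit them. The release/install.yaml hunks also contain a doubled list (`In, AnyIn, AllIn, AnyIn, AllIn, NotIn, ...`) and a `DoesNotExist..`, which suggests a blanket search-and-replace.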
@@ -9879,7 +9879,7 @@ const SwaggerDoc = ` "type": "string" }, "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "An array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "type": "string" }, @@ -18882,11 +18882,11 @@ const SwaggerDoc = ` "x-kubernetes-patch-strategy": "merge" }, "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "description": "operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist.", "type": "string" }, "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "values is an array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "type": "string" }, diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml index 733ed83e0f..93bb84dc83 100644 --- a/charts/kyverno/templates/crds.yaml +++ b/charts/kyverno/templates/crds.yaml 
@@ -1396,7 +1396,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. @@ -1505,7 +1505,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
@@ -1617,7 +1617,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. @@ -1744,7 +1744,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
@@ -3864,7 +3864,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. @@ -3973,7 +3973,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
@@ -4085,7 +4085,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. @@ -4212,7 +4212,7 @@ spec: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. diff --git a/definitions/crds/kyverno.io_clusterpolicies.yaml b/definitions/crds/kyverno.io_clusterpolicies.yaml index 882684a20e..537633dfec 100644 --- a/definitions/crds/kyverno.io_clusterpolicies.yaml +++ b/definitions/crds/kyverno.io_clusterpolicies.yaml @@ -1530,12 +1530,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals 
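Review bot: The new condition `operator` description in the kyverno.io_clusterpolicies.yaml hunk names the added operators but never says how the Any* and All* variants differ, and it does not mention that In and NotIn are now deprecated, as the commit message states. In a deny or precondition block that distinction decides whether a request is blocked, so the description should carry one sentence per pair, taken from what the handlers in pkg/engine/variables/operator actually implement. The list punctuation should also be fixed, e.g. `Valid operators are Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn and AllNotIn.`; the comparison operators present in the `enum` are still missing from the sentence. This YAML looks generated, so the wording is probably best changed in the type comment in pkg/api/kyverno/v1/policy_types.go and regenerated. The same text recurs in the remaining hunks of this file and in kyverno.io_policies.yaml.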
@@ -1571,12 +1576,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1778,12 +1788,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1819,12 +1834,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1908,12 +1928,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, - NotEquals, In and NotIn. + NotEquals, In, AnyIn, AllIn and NotIn, + AnyNotIn, AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1950,12 +1975,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, - NotEquals, In and NotIn. + NotEquals, In, AnyIn, AllIn and NotIn, + AnyNotIn, AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals diff --git a/definitions/crds/kyverno.io_policies.yaml b/definitions/crds/kyverno.io_policies.yaml index 0357829f9a..6eeb028ae3 100644 --- a/definitions/crds/kyverno.io_policies.yaml +++ b/definitions/crds/kyverno.io_policies.yaml 
@@ -1531,12 +1531,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1572,12 +1577,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1779,12 +1789,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1820,12 +1835,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, NotEquals, - In and NotIn. + In, AnyIn, AllIn and NotIn, AnyNotIn, + AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals @@ -1909,12 +1929,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, - NotEquals, In and NotIn. + NotEquals, In, AnyIn, AllIn and NotIn, + AnyNotIn, AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals 
@@ -1951,12 +1976,17 @@ spec: operator: description: Operator is the operation to perform. Valid operators are Equals, - NotEquals, In and NotIn. + NotEquals, In, AnyIn, AllIn and NotIn, + AnyNotIn, AllNotIn. enum: - Equals - NotEquals - In + - AnyIn + - AllIn - NotIn + - AnyNotIn + - AllNotIn - GreaterThanOrEquals - GreaterThan - LessThanOrEquals diff --git a/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml index d9c5044f1f..dec82ee716 100644 --- a/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/definitions/crds/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -106,7 +106,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -277,7 +277,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -418,7 +418,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -614,7 +614,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator 
diff --git a/definitions/crds/wgpolicyk8s.io_policyreports.yaml b/definitions/crds/wgpolicyk8s.io_policyreports.yaml index 47adb1e2f0..79b55ca8f4 100644 --- a/definitions/crds/wgpolicyk8s.io_policyreports.yaml +++ b/definitions/crds/wgpolicyk8s.io_policyreports.yaml @@ -105,7 +105,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -276,7 +276,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -416,7 +416,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -612,7 +612,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator diff --git a/definitions/install.yaml b/definitions/install.yaml index 7089e109ee..f5a61ffd03 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml 
@@ -2175,8 +2175,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -2346,7 +2346,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -2487,8 +2488,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -2683,7 +2684,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -5785,8 +5787,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the 
@@ -5956,7 +5958,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -6096,8 +6099,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -6292,7 +6295,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator diff --git a/definitions/install_debug.yaml b/definitions/install_debug.yaml index c7b0b7df2c..378f22c720 100755 --- a/definitions/install_debug.yaml +++ b/definitions/install_debug.yaml @@ -2155,8 +2155,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the 
@@ -2326,7 +2326,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -2467,8 +2468,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -2663,7 +2664,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -5737,8 +5739,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -5908,7 +5910,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator 
@@ -6048,8 +6051,8 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + to a set of values. Valid operators are In, AnyIn, AllIn, + NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the @@ -6244,7 +6247,8 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, + AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator diff --git a/definitions/release/install.yaml b/definitions/release/install.yaml index 7089e109ee..ec1b7aded4 100755 --- a/definitions/release/install.yaml +++ b/definitions/release/install.yaml @@ -225,12 +225,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -290,12 +290,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -440,12 +440,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -505,12 +505,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -645,11 +645,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist.. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -704,11 +704,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -900,12 +900,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -965,12 +965,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -1115,12 +1115,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -1180,12 +1180,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -1321,11 +1321,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -1380,11 +1380,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -2175,7 +2175,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -2346,7 +2346,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator 
@@ -2487,7 +2487,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -2683,7 +2683,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -2856,7 +2856,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -3027,7 +3027,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -3168,7 +3168,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: 
@@ -3364,7 +3364,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -3835,12 +3835,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -3900,12 +3900,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -4050,12 +4050,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -4115,12 +4115,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -4255,11 +4255,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -4314,11 +4314,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is 
@@ -4510,12 +4510,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -4575,12 +4575,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -4725,12 +4725,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This 
@@ -4790,12 +4790,12 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid - operators are In, NotIn, Exists and + operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This @@ -4931,11 +4931,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -4990,11 +4990,11 @@ spec: operator: description: operator represents a key's relationship to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string - values. If the operator is In or NotIn, + values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is @@ -5785,7 +5785,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: 
@@ -5956,7 +5956,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -6096,7 +6096,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -6292,7 +6292,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator @@ -6465,7 +6465,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -6636,7 +6636,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator 
@@ -6777,7 +6777,7 @@ spec: type: string operator: description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists + to a set of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: @@ -6973,7 +6973,7 @@ spec: type: string operator: description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + of values. Valid operators are In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn Exists and DoesNotExist. type: string values: description: values is an array of string values. If the operator diff --git a/pkg/api/kyverno/v1/policy_types.go b/pkg/api/kyverno/v1/policy_types.go index 26e8044168..86a22683db 100755 --- a/pkg/api/kyverno/v1/policy_types.go +++ b/pkg/api/kyverno/v1/policy_types.go @@ -207,7 +207,7 @@ type Condition struct { Key apiextensions.JSON `json:"key,omitempty" yaml:"key,omitempty"` // Operator is the operation to perform. Valid operators - // are Equals, NotEquals, In and NotIn. + // are Equals, NotEquals, In, AnyIn, AllIn and NotIn, AnyNotIn, AllNotIn. Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"` // Value is the conditional value, or set of values. The values can be fixed set @@ -218,7 +218,7 @@ type Condition struct { } // ConditionOperator is the operation performed on condition key and value. -// +kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan +// +kubebuilder:validation:Enum=Equals;NotEquals;In;AnyIn;AllIn;NotIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan type ConditionOperator string const ( 
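Review bot: The updated comment on `Operator` in the `-207,7` hunk reads `In, AnyIn, AllIn and NotIn, AnyNotIn, AllNotIn`, which is hard to parse and still leaves out the comparison and duration operators that the `+kubebuilder:validation:Enum` marker in the next hunk accepts. Since this comment becomes the CRD field description, I would write it as `// are Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, and the numeric and duration comparisons defined on ConditionOperator.` The `Condition` struct begins and ends outside the hunk.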
@@ -234,8 +234,16 @@ const ( NotEquals ConditionOperator = "NotEquals" // In evaluates if the key is contained in the set of values. In ConditionOperator = "In" + // AnyIn evaluates if any of the keys are contained in the set of values. + AnyIn ConditionOperator = "AnyIn" + // AllIn evaluates if all the keys are contained in the set of values. + AllIn ConditionOperator = "AllIn" // NotIn evaluates if the key is not contained in the set of values. NotIn ConditionOperator = "NotIn" + // AnyNotIn evaluates if any of the keys are not contained in the set of values. + AnyNotIn ConditionOperator = "AnyNotIn" + // AllNotIn evaluates if all the keys are not contained in the set of values. + AllNotIn ConditionOperator = "AllNotIn" // GreaterThanOrEquals evaluates if the key (numeric) is greater than or equal to the value (numeric). GreaterThanOrEquals ConditionOperator = "GreaterThanOrEquals" // GreaterThan evaluates if the key (numeric) is greater than the value (numeric). diff --git a/pkg/engine/variables/evaluate_test.go b/pkg/engine/variables/evaluate_test.go index b0491e425d..4549bd3e95 100644 --- a/pkg/engine/variables/evaluate_test.go +++ b/pkg/engine/variables/evaluate_test.go 
@@ -1810,6 +1810,250 @@ func Test_Eval_In_String_Set_Fail(t *testing.T) { } } +func Test_Eval_AnyIn_String_Set_Pass1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AnyIn_String_Set_Pass2(t *testing.T) { + ctx := context.NewContext() + key := [3]string{"1.1.1.1", "5.5.5.5", "2.2.2.2"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [2]string{"2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AnyIn_String_Set_Pass3(t *testing.T) { + ctx := context.NewContext() + key := [1]string{"1.1.1.1"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AnyIn_String_Set_Fail1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"5.5.5.5", "4.4.4.4"} + keyInterface := 
make([]interface{}, len(key), len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_AnyIn_String_Set_Fail2(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"5.5.5.5"} + keyInterface := make([]interface{}, len(key), len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} +func Test_Eval_AllIn_String_Set_Pass1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "3.3.3.3"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AllIn_String_Set_Pass2(t *testing.T) { + ctx := context.NewContext() + key := [1]string{"1.1.1.1"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + 
valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AllIn_String_Set_Fail1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"5.5.5.5", "4.4.4.4"} + keyInterface := make([]interface{}, len(key), len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_AllIn_String_Set_Fail2(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} +func Test_Eval_AllIn_String_Set_Fail3(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "4.4.4.4"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} + // 
test passes if ONE of the values in "key" is NOT in "value" ("key" is not a subset of "value") func Test_Eval_NotIn_String_Set_Pass(t *testing.T) { ctx := context.NewContext() 
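Review bot: `Test_Eval_AnyIn_String_Set_Fail2` and `Test_Eval_AllIn_String_Set_Fail2` declare `key := [2]string{"5.5.5.5"}`, a two-element array whose second element is the empty string, so they evaluate the keys `"5.5.5.5"` and `""` rather than the single key the test names suggest. They should use `key := [1]string{"5.5.5.5"}`. Several of the Fail tests also call `make([]interface{}, len(key), len(key))`, where the capacity argument is redundant. The added cases pass only literal string slices on both sides; nothing here exercises a wildcard in the key, a plain-string or JSON-string value, or a non-string key element, which are the branches the new handlers add.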
@@ -1859,3 +2103,197 @@ func Test_Eval_NotIn_String_Set_Fail(t *testing.T) { t.Error("expected to fail") } } + +func Test_Eval_AnyNotIn_String_Set_Pass1(t *testing.T) { + ctx := context.NewContext() + key := [3]string{"1.1.1.1", "4.4.4.4", "5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyNotIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AnyNotIn_String_Set_Pass2(t *testing.T) { + ctx := context.NewContext() + key := [1]string{"4.4.4.4"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyNotIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AnyNotIn_String_Set_Pass3(t *testing.T) { + ctx := context.NewContext() + key := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [1]string{"1.1.1.1"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyNotIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +// test passes if ALL of the values in "key" are in "value" ("key" is a subset of "value") +func 
Test_Eval_AnyNotIn_String_Set_Fail1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "2.2.2.2"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AnyNotIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_AllNotIn_String_Set_Pass1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"4.4.4.4", "5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllNotIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +func Test_Eval_AllNotIn_String_Set_Pass2(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"4.4.4.4", "5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [1]string{"1.1.1.1"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllNotIn, + Value: valueInterface, + } + + if !Evaluate(log.Log, ctx, condition) { + t.Error("expected to pass") + } +} + +// test passes if ALL of the values in "key" are in "value" ("key" is a subset of "value") +func Test_Eval_AllNotIn_String_Set_Fail1(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "2.2.2.2"} + keyInterface := 
make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllNotIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} + +func Test_Eval_AllNotIn_String_Set_Fail2(t *testing.T) { + ctx := context.NewContext() + key := [2]string{"1.1.1.1", "5.5.5.5"} + keyInterface := make([]interface{}, len(key)) + for i := range key { + keyInterface[i] = key[i] + } + value := [3]string{"1.1.1.1", "2.2.2.2", "3.3.3.3"} + valueInterface := make([]interface{}, len(value)) + for i := range value { + valueInterface[i] = value[i] + } + + condition := kyverno.Condition{ + Key: keyInterface, + Operator: kyverno.AllNotIn, + Value: valueInterface, + } + + if Evaluate(log.Log, ctx, condition) { + t.Error("expected to fail") + } +} diff --git a/pkg/engine/variables/operator/allin.go b/pkg/engine/variables/operator/allin.go new file mode 100644 index 0000000000..4101ababba --- /dev/null +++ b/pkg/engine/variables/operator/allin.go 
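Review bot: The comment above `Test_Eval_AllNotIn_String_Set_Fail1`, `// test passes if ALL of the values in "key" are in "value" ("key" is a subset of "value")`, appears to be carried over from the NotIn tests and overstates the condition. AllNotIn evaluates to false as soon as one key is found in value, which is what `Test_Eval_AllNotIn_String_Set_Fail2` checks. I would reword it to `// AllNotIn is false when at least one value in "key" is in "value"` and place it above both Fail tests. The Pass tests in this hunk carry no comment; one line each stating the set relationship under test would make the any/all distinction easier to review.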
@@ -0,0 +1,155 @@ +package operator + +import ( + "encoding/json" + "fmt" + + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/engine/context" + "github.com/minio/pkg/wildcard" +) + +//NewAllInHandler returns handler to manage AllIn operations +func NewAllInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler { + return AllInHandler{ + ctx: ctx, + log: log, + } +} + +//AllInHandler provides implementation to handle AllIn Operator +type AllInHandler struct { + ctx context.EvalInterface + log logr.Logger +} + +//Evaluate evaluates expression with AllIn Operator +func (allin AllInHandler) Evaluate(key, value interface{}) bool { + switch typedKey := key.(type) { + case string: + return allin.validateValueWithStringPattern(typedKey, value) + case []interface{}: + var stringSlice []string + for _, v := range typedKey { + stringSlice = append(stringSlice, v.(string)) + } + return allin.validateValueWithStringSetPattern(stringSlice, value) + default: + allin.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey)) + return false + } +} + +func (allin AllInHandler) validateValueWithStringPattern(key string, value interface{}) (keyExists bool) { + invalidType, keyExists := keyExistsInArray(key, value, allin.log) + if invalidType { + allin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value)) + return false + } + + return keyExists +} + +func (allin AllInHandler) validateValueWithStringSetPattern(key []string, value interface{}) (keyExists bool) { + invalidType, isAllIn := allSetExistsInArray(key, value, allin.log, false) + if invalidType { + allin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value)) + return false + } + + return isAllIn +} + +// allsetExistsInArray checks if all key is a subset of value +// The value can be a string, an array of strings, or a JSON format +// array of strings (e.g. ["val1", "val2", "val3"]. 
+// allnotIn argument if set to true will check for allNotIn +func allSetExistsInArray(key []string, value interface{}, log logr.Logger, allNotIn bool) (invalidType bool, keyExists bool) { + switch valuesAvailable := value.(type) { + + case []interface{}: + var valueSlice []string + for _, val := range valuesAvailable { + v, ok := val.(string) + if !ok { + return true, false + } + valueSlice = append(valueSlice, v) + } + if allNotIn { + return false, isAllNotIn(key, valueSlice) + } + return false, isAllIn(key, valueSlice) + + case string: + + if len(key) == 1 && key[0] == valuesAvailable { + return false, true + } + + var arr []string + if err := json.Unmarshal([]byte(valuesAvailable), &arr); err != nil { + log.Error(err, "failed to unmarshal value to JSON string array", "key", key, "value", value) + return true, false + } + if allNotIn { + return false, isAllNotIn(key, arr) + } + + return false, isAllIn(key, arr) + + default: + return true, false + } +} + +// isAllIn checks if all values in S1 are in S2 +func isAllIn(key []string, value []string) bool { + found := 0 + for _, valKey := range key { + for _, valValue := range value { + if wildcard.Match(valKey, valValue) { + found++ + break + } + } + } + if found == len(key) { + return true + } else { + return false + } + +} + +// isAllNotIn checks if all the values in S1 are not in S2 +func isAllNotIn(key []string, value []string) bool { + for _, valKey := range key { + for _, valValue := range value { + if wildcard.Match(valKey, valValue) { + return false + } + } + } + return true +} + +func (allin AllInHandler) validateValueWithBoolPattern(_ bool, _ interface{}) bool { + return false +} + +func (allin AllInHandler) validateValueWithIntPattern(_ int64, _ interface{}) bool { + return false +} + +func (allin AllInHandler) validateValueWithFloatPattern(_ float64, _ interface{}) bool { + return false +} + +func (allin AllInHandler) validateValueWithMapPattern(_ map[string]interface{}, _ interface{}) bool { + return 
false +} + +func (allin AllInHandler) validateValueWithSlicePattern(_ []interface{}, _ interface{}) bool { + return false +} diff --git a/pkg/engine/variables/operator/allnotin.go b/pkg/engine/variables/operator/allnotin.go new file mode 100644 index 0000000000..f163f371e6 --- /dev/null +++ b/pkg/engine/variables/operator/allnotin.go 
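Review bot: In `allSetExistsInArray`, the `case string` shortcut `if len(key) == 1 && key[0] == valuesAvailable { return false, true }` ignores `allNotIn`, so when the value is a plain string equal to the single key, `AllNotInHandler` receives `true` and reports the key as not in the set. That inverts the result in exactly the case where the key is present; the return should be `return false, !allNotIn`. `anySetExistsInArray` in the `anyin.go` hunk has the same shortcut with `anyNotIn` and needs the same change, and the tests added in `evaluate_test.go` pass only slice values, so neither path is covered. Separately, `isAllIn` and `isAllNotIn` call `wildcard.Match(valKey, valValue)`, which treats each key element as the pattern. If keys are resolved from the resource under admission (not visible here), a wildcard supplied there would satisfy an allow-list, so I would confirm the argument order is intended and state it in the function comments.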
@@ -0,0 +1,79 @@ +package operator + +import ( + "fmt" + + "github.com/go-logr/logr" + "github.com/kyverno/kyverno/pkg/engine/context" +) + +//NewAllNotInHandler returns handler to manage AllNotIn operations +func NewAllNotInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler { + return AllNotInHandler{ + ctx: ctx, + log: log, + } +} + +//AllNotInHandler provides implementation to handle AllNotIn Operator +type AllNotInHandler struct { + ctx context.EvalInterface + log logr.Logger +} + +//Evaluate evaluates expression with AllNotIn Operator +func (allnin AllNotInHandler) Evaluate(key, value interface{}) bool { + switch typedKey := key.(type) { + case string: + return allnin.validateValueWithStringPattern(typedKey, value) + case []interface{}: + var stringSlice []string + for _, v := range typedKey { + stringSlice = append(stringSlice, v.(string)) + } + return allnin.validateValueWithStringSetPattern(stringSlice, value) + default: + allnin.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey)) + return false + } +} + +func (allnin AllNotInHandler) validateValueWithStringPattern(key string, value interface{}) bool { + invalidType, keyExists := keyExistsInArray(key, value, allnin.log) + if invalidType { + allnin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value)) + return false + } + + return !keyExists +} + +func (allnin AllNotInHandler) validateValueWithStringSetPattern(key []string, value interface{}) bool { + invalidType, isNotIn := allSetExistsInArray(key, value, allnin.log, true) + if invalidType { + allnin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value)) + return false + } + + return isNotIn +} + +func (allnin AllNotInHandler) validateValueWithBoolPattern(_ bool, _ interface{}) bool { + return false +} + +func (allnin AllNotInHandler) validateValueWithIntPattern(_ int64, _ interface{}) bool { + return false +} + +func (allnin AllNotInHandler) 
validateValueWithFloatPattern(_ float64, _ interface{}) bool { + return false +} + +func (allnin AllNotInHandler) validateValueWithMapPattern(_ map[string]interface{}, _ interface{}) bool { + return false +} + +func (allnin AllNotInHandler) validateValueWithSlicePattern(_ []interface{}, _ interface{}) bool { + return false +} diff --git a/pkg/engine/variables/operator/anyin.go b/pkg/engine/variables/operator/anyin.go new file mode 100644 index 0000000000..41bbd0108e --- /dev/null +++ b/pkg/engine/variables/operator/anyin.go 
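Review bot: `Evaluate` converts the key slice with an unchecked assertion, `stringSlice = append(stringSlice, v.(string))`, which panics on the first element that is not a string, for example a number or boolean in a list. Condition keys are presumably resolved from variables over request data (not shown in this hunk), so the panic would be reachable from input rather than only from a malformed policy; whether it is recovered further up the call chain is not visible here. The value side already uses the checked form in `allSetExistsInArray`, and the key side should do the same and reuse the existing "Unsupported type" log before returning false. The same loop appears in `AllInHandler.Evaluate` and `AnyInHandler.Evaluate`.

```go
	case []interface{}:
		stringSlice := make([]string, 0, len(typedKey))
		for _, v := range typedKey {
			s, ok := v.(string)
			if !ok {
				// Reject mixed-type key lists instead of panicking on the assertion.
				allnin.log.Info("Unsupported type", "value", v, "type", fmt.Sprintf("%T", v))
				return false
			}
			stringSlice = append(stringSlice, s)
		}
		return allnin.validateValueWithStringSetPattern(stringSlice, value)
	// … unchanged: default branch …
```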
@@ -0,0 +1,154 @@
+package operator
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "github.com/go-logr/logr"
+ "github.com/kyverno/kyverno/pkg/engine/context"
+ "github.com/minio/pkg/wildcard"
+)
+
+//NewAnyInHandler returns handler to manage AnyIn operations
+func NewAnyInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler {
+ return AnyInHandler{
+ ctx: ctx,
+ log: log,
+ }
+}
+
+//AnyInHandler provides implementation to handle AnyIn Operator
+type AnyInHandler struct {
+ ctx context.EvalInterface
+ log logr.Logger
+}
+
+//Evaluate evaluates expression with AnyIn Operator
+func (anyin AnyInHandler) Evaluate(key, value interface{}) bool {
+ switch typedKey := key.(type) {
+ case string:
+ return anyin.validateValueWithStringPattern(typedKey, value)
+ case []interface{}:
+ var stringSlice []string
+ for _, v := range typedKey {
+ stringSlice = append(stringSlice, v.(string))
+ }
+ return anyin.validateValueWithStringSetPattern(stringSlice, value)
+ default:
+ anyin.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
+ return false
+ }
+}
+
+func (anyin AnyInHandler) validateValueWithStringPattern(key string, value interface{}) (keyExists bool) {
+ invalidType, keyExists := keyExistsInArray(key, value, anyin.log)
+ if invalidType {
+ anyin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value))
+ return false
+ }
+
+ return keyExists
+}
+
+func (anyin AnyInHandler) validateValueWithStringSetPattern(key []string, value interface{}) (keyExists bool) {
+ invalidType, isAnyIn := anySetExistsInArray(key, value, anyin.log, false)
+ if invalidType {
+ anyin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value))
+ return false
+ }
+
+ return isAnyIn
+}
+
+// anysetExistsInArray checks if any key is a subset of value
+// The value can be a string, an array of strings, or a JSON format
+// array of strings (e.g. ["val1", "val2", "val3"].
+// notIn argument if set to true will check for NotIn
+func anySetExistsInArray(key []string, value interface{}, log logr.Logger, anyNotIn bool) (invalidType bool, keyExists bool) {
+ switch valuesAvailable := value.(type) {
+
+ case []interface{}:
+ var valueSlice []string
+ for _, val := range valuesAvailable {
+ v, ok := val.(string)
+ if !ok {
+ return true, false
+ }
+ valueSlice = append(valueSlice, v)
+ }
+ if anyNotIn {
+ return false, isAnyNotIn(key, valueSlice)
+ }
+ return false, isAnyIn(key, valueSlice)
+
+ case string:
+
+ if len(key) == 1 && key[0] == valuesAvailable {
+ return false, true
+ }
+
+ var arr []string
+ if err := json.Unmarshal([]byte(valuesAvailable), &arr); err != nil {
+ log.Error(err, "failed to unmarshal value to JSON string array", "key", key, "value", value)
+ return true, false
+ }
+ if anyNotIn {
+ return false, isAnyNotIn(key, arr)
+ }
+
+ return false, isAnyIn(key, arr)
+
+ default:
+ return true, false
+ }
+}
+
+// isAnyIn checks if any values in S1 are in S2
+func isAnyIn(key []string, value []string) bool {
+ for _, valKey := range key {
+ for _, valValue := range value {
+ if wildcard.Match(valKey, valValue) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+// isAllNotIn checks if all the values in S1 are not in S2
+func isAnyNotIn(key []string, value []string) bool {
+ found := 0
+ for _, valKey := range key {
+ for _, valValue := range value {
+ if wildcard.Match(valKey, valValue) {
+ found++
+ break
+ }
+ }
+ }
+ if found < len(key) {
+ return true
+ } else {
+ return false
+ }
+}
+
+func (anyin AnyInHandler) validateValueWithBoolPattern(_ bool, _ interface{}) bool {
+ return false
+}
+
+func (anyin AnyInHandler) validateValueWithIntPattern(_ int64, _ interface{}) bool {
+ return false
+}
+
+func (anyin AnyInHandler) validateValueWithFloatPattern(_ float64, _ interface{}) bool {
+ return false
+}
+
+func (anyin AnyInHandler) validateValueWithMapPattern(_ map[string]interface{}, _ interface{}) bool {
+ return false
+}
+
+func (anyin AnyInHandler) validateValueWithSlicePattern(_ []interface{}, _ interface{}) bool {
+ return false
+}
diff --git a/pkg/engine/variables/operator/anynotin.go b/pkg/engine/variables/operator/anynotin.go
new file mode 100644
index 0000000000..fba7ce1bc2
--- /dev/null
+++ b/pkg/engine/variables/operator/anynotin.go
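Review bot: In `anySetExistsInArray`, the `case string` shortcut `return false, true` ignores `anyNotIn`, so a single key equal to a plain string value reports true for the negated check as well as the positive one. With `anyNotIn` set, `isAnyNotIn` on the same one-element sets would return false, so the shortcut should read `return false, !anyNotIn`. The comments also disagree with the code: the line above `isAnyNotIn` documents `isAllNotIn`, and the parameter note says `notIn` where the argument is named `anyNotIn`. A table test covering the plain-string value for both flag settings would pin this down.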
@@ -0,0 +1,79 @@
+package operator
+
+import (
+ "fmt"
+
+ "github.com/go-logr/logr"
+ "github.com/kyverno/kyverno/pkg/engine/context"
+)
+
+//NewAnyNotInHandler returns handler to manage AnyNotIn operations
+func NewAnyNotInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler {
+ return NotInHandler{
+ ctx: ctx,
+ log: log,
+ }
+}
+
+//AnyNotInHandler provides implementation to handle AnyNotIn Operator
+type AnyNotInHandler struct {
+ ctx context.EvalInterface
+ log logr.Logger
+}
+
+//Evaluate evaluates expression with AnyNotIn Operator
+func (anynin AnyNotInHandler) Evaluate(key, value interface{}) bool {
+ switch typedKey := key.(type) {
+ case string:
+ return anynin.validateValueWithStringPattern(typedKey, value)
+ case []interface{}:
+ var stringSlice []string
+ for _, v := range typedKey {
+ stringSlice = append(stringSlice, v.(string))
+ }
+ return anynin.validateValueWithStringSetPattern(stringSlice, value)
+ default:
+ anynin.log.Info("Unsupported type", "value", typedKey, "type", fmt.Sprintf("%T", typedKey))
+ return false
+ }
+}
+
+func (anynin AnyNotInHandler) validateValueWithStringPattern(key string, value interface{}) bool {
+ invalidType, keyExists := keyExistsInArray(key, value, anynin.log)
+ if invalidType {
+ anynin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value))
+ return false
+ }
+
+ return !keyExists
+}
+
+func (anynin AnyNotInHandler) validateValueWithStringSetPattern(key []string, value interface{}) bool {
+ invalidType, isAnyNotIn := anySetExistsInArray(key, value, anynin.log, true)
+ if invalidType {
+ anynin.log.Info("expected type []string", "value", value, "type", fmt.Sprintf("%T", value))
+ return false
+ }
+
+ return isAnyNotIn
+}
+
+func (anynin AnyNotInHandler) validateValueWithBoolPattern(_ bool, _ interface{}) bool {
+ return false
+}
+
+func (anynin AnyNotInHandler) validateValueWithIntPattern(_ int64, _ interface{}) bool {
+ return false
+}
+
+func (anynin AnyNotInHandler) 
validateValueWithFloatPattern(_ float64, _ interface{}) bool { + return false +} + +func (anynin AnyNotInHandler) validateValueWithMapPattern(_ map[string]interface{}, _ interface{}) bool { + return false +} + +func (anynin AnyNotInHandler) validateValueWithSlicePattern(_ []interface{}, _ interface{}) bool { + return false +} diff --git a/pkg/engine/variables/operator/in.go b/pkg/engine/variables/operator/in.go index f7642204b6..e55807f66a 100644 --- a/pkg/engine/variables/operator/in.go +++ b/pkg/engine/variables/operator/in.go @@ -10,6 +10,7 @@ import ( "github.com/kyverno/kyverno/pkg/engine/context" ) +// deprecated //NewInHandler returns handler to manage In operations func NewInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler { return InHandler{ diff --git a/pkg/engine/variables/operator/notin.go b/pkg/engine/variables/operator/notin.go index 2a066eb5ff..7ce0a44ee6 100644 --- a/pkg/engine/variables/operator/notin.go +++ b/pkg/engine/variables/operator/notin.go @@ -7,6 +7,7 @@ import ( "github.com/kyverno/kyverno/pkg/engine/context" ) +// deprecated //NewNotInHandler returns handler to manage NotIn operations func NewNotInHandler(log logr.Logger, ctx context.EvalInterface) OperatorHandler { return NotInHandler{ diff --git a/pkg/engine/variables/operator/operator.go b/pkg/engine/variables/operator/operator.go index e050b45c07..5da56999d1 100644 --- a/pkg/engine/variables/operator/operator.go +++ b/pkg/engine/variables/operator/operator.go 
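Review bot: `NewAnyNotInHandler` returns `NotInHandler{...}`, so the `AnyNotInHandler` type declared just below it is never constructed and the AnyNotIn operator is evaluated by the deprecated NotIn handler. Policies written against AnyNotIn would then get NotIn semantics, which in a policy engine can mean a rule matches or skips resources the author did not intend. The literal should be `return AnyNotInHandler{`. A test asserting the concrete type returned by `CreateOperatorHandler` for each operator name would catch this kind of copy-paste slip.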
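Review bot: The added `// deprecated` line above `NewInHandler` is not in the form Go tooling recognises, so linters and godoc will not flag callers of the old handler. Go expects a doc-comment paragraph that begins with `Deprecated:` and follows the summary, for example `// Deprecated: use NewAnyInHandler or NewAllInHandler instead.` after the `//NewInHandler returns ...` line, separated by an empty `//` line. The notin.go hunk adds the same comment above `NewNotInHandler`. Both function bodies continue outside their hunks.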
@@ -35,12 +35,26 @@ func CreateOperatorHandler(log logr.Logger, ctx context.EvalInterface, op kyvern strings.ToLower(string(kyverno.NotEquals)): return NewNotEqualHandler(log, ctx) + // deprecated case strings.ToLower(string(kyverno.In)): return NewInHandler(log, ctx) + case strings.ToLower(string(kyverno.AnyIn)): + return NewAnyInHandler(log, ctx) + + case strings.ToLower(string(kyverno.AllIn)): + return NewAllInHandler(log, ctx) + + // deprecated case strings.ToLower(string(kyverno.NotIn)): return NewNotInHandler(log, ctx) + case strings.ToLower(string(kyverno.AnyNotIn)): + return NewAnyNotInHandler(log, ctx) + + case strings.ToLower(string(kyverno.AllNotIn)): + return NewAllNotInHandler(log, ctx) + case strings.ToLower(string(kyverno.GreaterThanOrEquals)), strings.ToLower(string(kyverno.GreaterThan)), strings.ToLower(string(kyverno.LessThanOrEquals)), diff --git a/pkg/kyverno/crds/policy_crd.go b/pkg/kyverno/crds/policy_crd.go index 2452c1f66a..b610578241 100644 --- a/pkg/kyverno/crds/policy_crd.go +++ b/pkg/kyverno/crds/policy_crd.go 
@@ -152,11 +152,11 @@ const PolicyCRD = ` "type": "string" }, "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "description": "operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist.", "type": "string" }, "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "values is an array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "schema": { "type": "string" 
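Review bot: The new `operator` description lists names twice and drops a comma (`In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist`); the same string is repeated in the hunks at -204, -370 and -422. The wording of this field (a key's relationship to a set of values, an array replaced during a strategic merge patch) looks like the Kubernetes label-selector requirement rather than the Kyverno condition operator that the handlers in this commit implement. If that is the case, advertising AnyIn and AllIn here would mislead policy authors about what a selector accepts, and the description should stay `In, NotIn, Exists and DoesNotExist`. Confirm which schema this block belongs to before regenerating the CRDs.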
@@ -204,11 +204,11 @@ const PolicyCRD = ` "type": "string" }, "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "description": "operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist.", "type": "string" }, "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "values is an array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "schema": { "type": "string" 
@@ -370,11 +370,11 @@ const PolicyCRD = ` "type": "string" }, "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "description": "operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist.", "type": "string" }, "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "values is an array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "schema": { "type": "string" 
@@ -422,11 +422,11 @@ const PolicyCRD = ` "type": "string" }, "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "description": "operator represents a key's relationship to a set of values. Valid operators are In, AnyIn, AllIn, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn AnyNotIn, AllNotIn, Exists and DoesNotExist.", "type": "string" }, "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "description": "values is an array of string values. If the operator is In, AnyIn, AllIn, NotIn, AnyNotIn or AllNotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", "items": { "schema": { "type": "string"