Fix foreach validations precondition issue (#3228)

* fix foreach validations precondition issue * added test-cases
2024-12-14 11:57:48 +00:00 · 2022-02-18 14:41:41 +05:30 · 2022-02-18 14:41:41 +05:30 · 0a5aad39cf
commit 0a5aad39cf
parent a30493e550
4 changed files with 81 additions and 0 deletions
--- a/pkg/engine/variables/operator/notequal.go
+++ b/pkg/engine/variables/operator/notequal.go
@ -79,6 +79,11 @@ func (neh NotEqualHandler) validateValueWithStringPattern(key string, value inte
 	if err == nil {
 		switch typedValue := value.(type) {
 		case string:
+			if typedValue == "" {
+				if val, ok := value.(string); ok {
+					return !wildcard.Match(val, key)
+				}
+			}
 			resourceValue, err := resource.ParseQuantity(typedValue)
 			if err != nil {
 				neh.log.Error(fmt.Errorf("parse error: "), "Failed to parse value type doesn't match key type")
--- a/test/cli/test/foreach-preconditions/kyverno-test.yaml
+++ b/test/cli/test/foreach-preconditions/kyverno-test.yaml
@ -0,0 +1,16 @@
+name: test-foreach-precondition
+policies:
+  - policies.yaml
+resources:
+  - resources.yaml
+results:
+  - policy: enforce-limits-fraction
+    rule: check-memory-requests-limits
+    resource: frontend1
+    kind: Pod
+    status: fail
+  - policy: enforce-limits-fraction
+    rule: check-memory-requests-limits
+    resource: frontend2
+    kind: Pod
+    status: pass
--- a/test/cli/test/foreach-preconditions/policies.yaml
+++ b/test/cli/test/foreach-preconditions/policies.yaml
@ -0,0 +1,31 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: enforce-limits-fraction
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: check-memory-requests-limits
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: Limits may not exceed 2.5x the requests.
+      foreach:
+      - list: "request.object.spec.containers"
+        preconditions:
+          all:
+          - key: "{{ element.resources.limits.memory || '' }}"
+            operator: NotEquals
+            value: ""
+          - key: "{{ element.resources.requests.memory || '' }}"
+            operator: NotEquals
+            value: ""
+        deny:
+          conditions:
+            any:
+            - key: "{{ divide('{{ element.resources.limits.memory }}', '{{ element.resources.requests.memory }}') }}"
+              operator: GreaterThan
+              value: 2.5
--- a/test/cli/test/foreach-preconditions/resources.yaml
+++ b/test/cli/test/foreach-preconditions/resources.yaml
@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend1
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    resources:
+      requests:
+        memory: 100Mi
+      limits:
+        memory: 300Mi
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: frontend2
+spec:
+  containers:
+  - name: app
+    image: images.my-company.example/app:v4
+    resources:
+      requests:
+        memory: 100Mi
+      limits:
+        memory: 200Mi