diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index fd6acfdfb8..334787959b 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -9,6 +9,8 @@ import ( "strconv" "strings" + "github.com/minio/minio/pkg/wildcard" + "github.com/nirmata/kyverno/pkg/openapi" kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1" @@ -54,8 +56,8 @@ func Validate(p kyverno.ClusterPolicy) error { return fmt.Errorf("path: spec.rules[%d]: %v", i, err) } - if err := validateMatchExcludeConflict(rule); err != nil { - return fmt.Errorf("path: spec.rules[%d]: %v", i, err) + if doesMatchAndExcludeConflict(rule) { + return fmt.Errorf("path: spec.rules[%d]: rule is matching an empty set", i) } // Operation Validation @@ -95,7 +97,9 @@ func Validate(p kyverno.ClusterPolicy) error { return nil } -func validateMatchExcludeConflict(rule kyverno.Rule) error { +// doesMatchAndExcludeConflict checks if the resultant +// of match and exclude block is not an empty set +func doesMatchAndExcludeConflict(rule kyverno.Rule) bool { excludeRoles := make(map[string]bool) for _, role := range rule.ExcludeResources.UserInfo.Roles { @@ -131,59 +135,73 @@ func validateMatchExcludeConflict(rule kyverno.Rule) error { } } - for _, role := range rule.MatchResources.UserInfo.Roles { - if excludeRoles[role] { - return fmt.Errorf("excluding role '%v' while also matching it - please remove from both match and exclude", role) + if len(excludeRoles) > 0 { + for _, role := range rule.MatchResources.UserInfo.Roles { + if !excludeRoles[role] { + return false + } } } - for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles { - if excludeClusterRoles[clusterRole] { - return fmt.Errorf("excluding cluster role '%v' while also matching it - please remove from both match and exclude", clusterRole) + if len(excludeClusterRoles) > 0 { + for _, clusterRole := range rule.MatchResources.UserInfo.ClusterRoles { + if !excludeClusterRoles[clusterRole] { + return false + } } } - for _, subject := range rule.MatchResources.UserInfo.Subjects { - subjectRaw, _ := json.Marshal(subject) - if excludeSubjects[string(subjectRaw)] { - return fmt.Errorf("excluding subject '%v' while also matching it - please remove from both match and exclude", string(subjectRaw)) + if len(excludeSubjects) > 0 { + for _, subject := range rule.MatchResources.UserInfo.Subjects { + subjectRaw, _ := json.Marshal(subject) + if !excludeSubjects[string(subjectRaw)] { + return false + } } } - if rule.MatchResources.ResourceDescription.Name != "" { - if rule.MatchResources.ResourceDescription.Name == rule.ExcludeResources.ResourceDescription.Name { - return fmt.Errorf("excluding resource name '%v' while also matching it - please remove from both match and exclude", rule.MatchResources.ResourceDescription.Name) + if rule.ExcludeResources.ResourceDescription.Name != "" { + if !wildcard.Match(rule.ExcludeResources.ResourceDescription.Name, rule.MatchResources.ResourceDescription.Name) { + return false } } - for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces { - if excludeNamespaces[namespace] { - return fmt.Errorf("excluding resource namespace '%v' while also matching it - please remove from both match and exclude", namespace) + if len(excludeNamespaces) > 1 { + for _, namespace := range rule.MatchResources.ResourceDescription.Namespaces { + if !excludeNamespaces[namespace] { + return false + } } } - for _, kind := range rule.MatchResources.ResourceDescription.Kinds { - if excludeKinds[kind] { - return fmt.Errorf("excluding resource kind '%v' while also matching it - please remove from both match and exclude", kind) + if len(excludeKinds) > 1 { + for _, kind := range rule.MatchResources.ResourceDescription.Kinds { + if !excludeKinds[kind] { + return false + } } } if rule.MatchResources.ResourceDescription.Selector != nil && rule.ExcludeResources.ResourceDescription.Selector != nil { - for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions { - matchExpressionRaw, _ := json.Marshal(matchExpression) - if excludeMatchExpressions[string(matchExpressionRaw)] { - return fmt.Errorf("excluding resource match expression '%v' while also matching it - please remove from both match and exclude", string(matchExpressionRaw)) + if len(excludeMatchExpressions) > 1 { + for _, matchExpression := range rule.MatchResources.ResourceDescription.Selector.MatchExpressions { + matchExpressionRaw, _ := json.Marshal(matchExpression) + if excludeMatchExpressions[string(matchExpressionRaw)] { + return false + } } } - for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels { - if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] == value { - return fmt.Errorf("excluding resource label '%v' while also matching it - please remove from both match and exclude", label) + if len(rule.ExcludeResources.ResourceDescription.Selector.MatchLabels) > 1 { + for label, value := range rule.MatchResources.ResourceDescription.Selector.MatchLabels { + if rule.ExcludeResources.ResourceDescription.Selector.MatchLabels[label] != value { + return false + } } } } - return nil + return true } func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool { diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go index 9f91ab8025..787908a76c 100644 --- a/pkg/policy/validate_test.go +++ b/pkg/policy/validate_test.go @@ -1633,7 +1633,7 @@ func Test_validateMatchExcludeConflict(t *testing.T) { for i, testcase := range testcases { var rule kyverno.Rule _ = json.Unmarshal(testcase.rule, &rule) - err := validateMatchExcludeConflict(rule) + err := doesMatchAndExcludeConflict(rule) var gotError bool if err != nil {