fix: kyverno apply panic for mutate policies (#9492)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-04-08 10:04:25 +00:00 · 2024-01-24 10:37:48 +01:00 · 2024-01-24 10:37:48 +01:00 · 0b7a6a1e3e
commit 0b7a6a1e3e
parent 2c343916eb
7 changed files with 18 additions and 43 deletions
--- a/pkg/policy/generate/auth.go
+++ b/pkg/policy/generate/auth.go
@ -1,4 +1,4 @@
-package generate
+package auth

 import (
 	"context"
--- a/pkg/policy/generate/fake/auth.go
+++ b/pkg/policy/generate/fake/auth.go
--- a/pkg/policy/generate/fake.go
+++ b/pkg/policy/generate/fake.go
@ -3,7 +3,7 @@ package generate
 import (
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	"github.com/kyverno/kyverno/pkg/logging"
-	"github.com/kyverno/kyverno/pkg/policy/generate/fake"
+	"github.com/kyverno/kyverno/pkg/policy/auth/fake"
 )

 // FakeGenerate provides implementation for generate rule processing
--- a/pkg/policy/generate/validate.go
+++ b/pkg/policy/generate/validate.go
@ -10,6 +10,7 @@ import (
 	"github.com/kyverno/kyverno/ext/wildcard"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/engine/variables/regex"
+	"github.com/kyverno/kyverno/pkg/policy/auth"
 	"github.com/kyverno/kyverno/pkg/policy/common"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 )
@ -20,7 +21,7 @@ type Generate struct {
 	// rule to hold 'generate' rule specifications
 	rule kyvernov1.Generation
 	// authCheck to check access for operations
-	authCheck Operations
+	authCheck auth.Operations
 	// logger
 	log logr.Logger
 }
@ -30,7 +31,7 @@ func NewGenerateFactory(client dclient.Interface, rule kyvernov1.Generation, use
 	g := Generate{
 		user:      user,
 		rule:      rule,
-		authCheck: NewAuth(client, user, log),
+		authCheck: auth.NewAuth(client, user, log),
 		log:       log,
 	}

--- a/pkg/policy/mutate/auth.go
+++ b/pkg/policy/mutate/auth.go
@ -1,34 +0,0 @@
-package mutate
-
-import (
-	"context"
-
-	"github.com/kyverno/kyverno/pkg/auth"
-	"github.com/kyverno/kyverno/pkg/clients/dclient"
-)
-
-type authChecker struct {
-	client dclient.Interface
-	user   string
-}
-
-type AuthChecker interface {
-	CanIUpdate(ctx context.Context, gvks, namespace, subresource string) (bool, error)
-	CanIGet(ctx context.Context, gvks, namespace, subresource string) (bool, error)
-}
-
-func newAuthChecker(client dclient.Interface, user string) AuthChecker {
-	return &authChecker{client: client, user: user}
-}
-
-func (a *authChecker) CanIUpdate(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "update", subresource, a.user)
-	ok, _, err := checker.RunAccessCheck(ctx)
-	return ok, err
-}
-
-func (a *authChecker) CanIGet(ctx context.Context, gvk, namespace, subresource string) (bool, error) {
-	checker := auth.NewCanI(a.client.Discovery(), a.client.GetKubeClient().AuthorizationV1().SubjectAccessReviews(), gvk, namespace, "get", subresource, a.user)
-	ok, _, err := checker.RunAccessCheck(ctx)
-	return ok, err
-}
--- a/pkg/policy/mutate/validate.go
+++ b/pkg/policy/mutate/validate.go
@ -6,8 +6,8 @@ import (
 	"strings"

 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
-	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/engine/variables/regex"
+	"github.com/kyverno/kyverno/pkg/policy/auth"
 	"github.com/kyverno/kyverno/pkg/utils/api"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	"go.uber.org/multierr"
@ -18,15 +18,15 @@ import (
 type Mutate struct {
 	mutation    kyvernov1.Mutation
 	user        string
-	authChecker AuthChecker
+	authChecker auth.Operations
 }

 // NewMutateFactory returns a new instance of Mutate validation checker
-func NewMutateFactory(m kyvernov1.Mutation, client dclient.Interface, user string) *Mutate {
+func NewMutateFactory(m kyvernov1.Mutation, authChecker auth.Operations, user string) *Mutate {
 	return &Mutate{
 		mutation:    m,
 		user:        user,
-		authChecker: newAuthChecker(client, user),
+		authChecker: authChecker,
 	}
 }

--- a/pkg/validation/policy/actions.go
+++ b/pkg/validation/policy/actions.go
@ -9,6 +9,8 @@ import (
 	authChecker "github.com/kyverno/kyverno/pkg/auth/checker"
 	"github.com/kyverno/kyverno/pkg/clients/dclient"
 	"github.com/kyverno/kyverno/pkg/logging"
+	"github.com/kyverno/kyverno/pkg/policy/auth"
+	"github.com/kyverno/kyverno/pkg/policy/auth/fake"
 	"github.com/kyverno/kyverno/pkg/policy/generate"
 	"github.com/kyverno/kyverno/pkg/policy/mutate"
 	"github.com/kyverno/kyverno/pkg/policy/validate"
@ -33,7 +35,13 @@ func validateActions(idx int, rule *kyvernov1.Rule, client dclient.Interface, mo
 	var checker Validation
 	// Mutate
 	if rule.HasMutate() {
-		checker = mutate.NewMutateFactory(rule.Mutation, client, username)
+		var authChecker auth.Operations
+		if mock {
+			authChecker = fake.NewFakeAuth()
+		} else {
+			authChecker = auth.NewAuth(client, username, logging.GlobalLogger())
+		}
+		checker = mutate.NewMutateFactory(rule.Mutation, authChecker, username)
 		if path, err := checker.Validate(context.TODO()); err != nil {
 			return "", fmt.Errorf("path: spec.rules[%d].mutate.%s.: %v", idx, path, err)
 		}