
feat: support variables for CEL in Kyverno policies (#8103)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Mariam Fahmy 2023-08-24 13:00:27 +03:00 committed by GitHub
parent 967536db7d
commit 10172ae8e0
18 changed files with 963 additions and 0 deletions


@ -447,6 +447,12 @@ type CEL struct {
// AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.
// +optional
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"`
// Variables contain definitions of variables that can be used in composition of other expressions.
// Each variable is defined as a named CEL expression.
// The variables defined here will be available under `variables` in other expressions of the policy.
// +optional
Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"`
}
func (c *CEL) HasParam() bool {
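Review bot: The doc comment on the new `Variables` field omits the constraints the generated CRD text states for each item — the name must be a valid CEL identifier and unique within the list — and nothing in this hunk enforces them; if the policy validation path does not check them either, a duplicate or malformed name would presumably only surface when the expressions are compiled at admission time, so the constraint belongs in the Go comment that generators and readers start from. I would extend the comment with `// Each name must be a valid CEL identifier and unique within this list; a variable` and `// referenced by another should be declared before it (confirm against the compiler's ordering rule).` The enclosing `CEL` struct begins outside the hunk.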


@ -238,6 +238,11 @@ func (in *CEL) DeepCopyInto(out *CEL) {
*out = make([]v1alpha1.AuditAnnotation, len(*in))
copy(*out, *in)
}
if in.Variables != nil {
in, out := &in.Variables, &out.Variables
*out = make([]v1alpha1.Variable, len(*in))
copy(*out, *in)
}
return
}


@ -6515,6 +6515,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -10827,6 +10856,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -14857,6 +14916,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -19223,6 +19311,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -23618,6 +23736,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -27931,6 +28078,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -31962,6 +32139,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -36328,6 +36534,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or


@ -2698,6 +2698,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -7010,6 +7039,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -11040,6 +11099,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -15406,6 +15494,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or


@ -2699,6 +2699,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -7012,6 +7041,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -11043,6 +11102,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -15409,6 +15497,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or


@ -6718,6 +6718,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -11030,6 +11059,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -15060,6 +15119,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -19426,6 +19514,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -23821,6 +23939,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -28134,6 +28281,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or
@ -32165,6 +32342,35 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression that
will be evaluated as the value of the variable.
The CEL expression has access to the same identifiers
as the CEL expressions in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier and
unique among all variables. The variable can
be accessed in other expressions through `variables`
For example, if name is "foo", the variable
will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or fail
@ -36531,6 +36737,36 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
description: Variables contain definitions of variables
that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under
`variables` in other expressions of the policy.
items:
description: Variable is the definition of a variable
that is used for composition.
properties:
expression:
description: Expression is the expression
that will be evaluated as the value of the
variable. The CEL expression has access
to the same identifiers as the CEL expressions
in Validation.
type: string
name:
description: Name is the name of the variable.
The name must be a valid CEL identifier
and unique among all variables. The variable
can be accessed in other expressions through
`variables` For example, if name is "foo",
the variable will be available as `variables.foo`
type: string
required:
- expression
- name
type: object
type: array
type: object
deny:
description: Deny defines conditions used to pass or


@ -1066,6 +1066,22 @@ Kubernetes admissionregistration/v1alpha1.ParamRef
<p>AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request.</p>
</td>
</tr>
<tr>
<td>
<code>variables</code><br/>
<em>
<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#variable-v1alpha1-admissionregistration">
[]Kubernetes admissionregistration/v1alpha1.Variable
</a>
</em>
</td>
<td>
<em>(Optional)</em>
<p>Variables contain definitions of variables that can be used in composition of other expressions.
Each variable is defined as a named CEL expression.
The variables defined here will be available under <code>variables</code> in other expressions of the policy.</p>
</td>
</tr>
</tbody>
</table>
<hr />


@ -29,6 +29,7 @@ type CELApplyConfiguration struct {
ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty"`
ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty"`
AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty"`
Variables []v1alpha1.Variable `json:"variables,omitempty"`
}
// CELApplyConfiguration constructs an declarative configuration of the CEL type for use with
@ -72,3 +73,13 @@ func (b *CELApplyConfiguration) WithAuditAnnotations(values ...v1alpha1.AuditAnn
}
return b
}
// WithVariables adds the given value to the Variables field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Variables field.
func (b *CELApplyConfiguration) WithVariables(values ...v1alpha1.Variable) *CELApplyConfiguration {
for i := range values {
b.Variables = append(b.Variables, values[i])
}
return b
}


@ -68,6 +68,7 @@ func (h validateCELHandler) Process(
// extract preconditions written as CEL expressions
matchConditions := rule.CELPreconditions
// extract CEL expressions used in validations and audit annotations
variables := rule.Validation.CEL.Variables
validations := rule.Validation.CEL.Expressions
auditAnnotations := rule.Validation.CEL.AuditAnnotations
@ -75,6 +76,7 @@ func (h validateCELHandler) Process(
validateExpressions := convertValidations(validations)
messageExpressions := convertMessageExpressions(validations)
auditExpressions := convertAuditAnnotations(auditAnnotations)
variableExpressions := convertVariables(variables)
// get the parameter resource if exists
if hasParam && h.client != nil {
@ -106,6 +108,7 @@ func (h validateCELHandler) Process(
if err != nil {
return resource, handlers.WithError(rule, engineapi.Validation, "Error while creating composited compiler", err)
}
compositedCompiler.CompileAndStoreVariables(variableExpressions, optionalVars, environment.StoredExpressions)
filter := compositedCompiler.Compile(validateExpressions, optionalVars, environment.StoredExpressions)
messageExpressionfilter := compositedCompiler.Compile(messageExpressions, optionalVars, environment.StoredExpressions)
auditAnnotationFilter := compositedCompiler.Compile(auditExpressions, optionalVars, environment.StoredExpressions)
@ -206,3 +209,14 @@ func convertMatchExpressions(matchExpressions []admissionregistrationv1.MatchCon
}
return celExpressionAccessor
}
func convertVariables(variables []admissionregistrationv1alpha1.Variable) []cel.NamedExpressionAccessor {
namedExpressions := make([]cel.NamedExpressionAccessor, len(variables))
for i, variable := range variables {
namedExpressions[i] = &validatingadmissionpolicy.Variable{
Name: variable.Name,
Expression: variable.Expression,
}
}
return namedExpressions
}
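Review bot: The ordering dependency introduced by `compositedCompiler.CompileAndStoreVariables(variableExpressions, optionalVars, environment.StoredExpressions)` is undocumented: the three `Compile` calls directly below it resolve `variables.<name>` against what that call stored, so a later refactor that moves it below them would silently break every expression that uses a variable, and the comment `// extract CEL expressions used in validations and audit annotations` no longer matches the line it now heads. I would change that comment to `// extract CEL expressions used in variables, validations and audit annotations` and add above the new call `// variables must be compiled and stored before the filters below, which reference them as variables.<name>`. Note also that `CompileAndStoreVariables` returns nothing here, so a variable whose expression fails to compile is not reported at this point — presumably it surfaces when a referencing validation is evaluated; worth confirming how that failure is classified, since a silently broken variable decides whether a request is admitted. `Process` starts and ends outside the hunk.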


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- ns.yaml
assert:
- ns.yaml


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,7 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: deployments-pass.yaml
shouldFail: false
- file: deployments-fail.yaml
shouldFail: true


@ -0,0 +1,20 @@
## Description
This test validates the use of variables in validate.cel subrule.
This test creates the following:
1. Two namespaces: `production-ns` and `staging-ns`
2. A policy that enforces that all containers of a deployment has the image repo match the environment label of its namespace. Except for "exempt" deployments, or any containers that do not belong to the "example.com" organization For example, if the namespace has a label of {"environment": "staging"}, all container images must be either staging.example.com/* or do not contain "example.com" at all, unless the deployment has {"exempt": "true"} label.
3. Six deployments.
## Expected Behavior
The following deployments is blocked:
1. `deployment-fail-01`: It intended to be created in namespace `production-ns` but its container image is `staging.example.com/nginx` which violates the validation rule.
2. `deployment-fail-02`: It intended to be created in namespace `staging-ns` but its container image is `example.com/nginx` which violates the validation rule.
3. `deployment-fail-03`: It intended to be created in namespace `staging-ns` and it has a label of `exempt: "false"` but its container image is `example.com/nginx` which violates the validation rule.
The following deployments is created:
1. `deployment-pass-01`, It is created in namespace `production-ns` and its container image is `prod.example.com/nginx`.
2. `deployment-pass-02`, It is created in namespace `staging-ns` and its container image is `staging.example.com/nginx`.
3. `deployment-pass-03`, It is created in namespace `staging-ns` and its container image is `example.com/nginx` but it has a label of `exempt: "true"` so it passes the validation rule.


@ -0,0 +1,58 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-fail-01
namespace: production-ns
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: staging.example.com/nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-fail-02
namespace: staging-ns
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: example.com/nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-fail-03
namespace: staging-ns
labels:
exempt: "false"
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: example.com/nginx


@ -0,0 +1,58 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-pass-01
namespace: production-ns
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: prod.example.com/nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-pass-02
namespace: staging-ns
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: staging.example.com/nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-pass-03
namespace: staging-ns
labels:
exempt: "true"
spec:
replicas: 1
selector:
matchLabels:
app: app
template:
metadata:
labels:
app: app
spec:
containers:
- name: container2
image: example.com/nginx


@ -0,0 +1,11 @@
apiVersion: v1
kind: Namespace
metadata:
name: production-ns
---
apiVersion: v1
kind: Namespace
metadata:
name: staging-ns
labels:
environment: staging


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: image-matches-namespace-environment.policy.example.com
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,28 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: image-matches-namespace-environment.policy.example.com
spec:
validationFailureAction: Enforce
background: false
rules:
- name: image-matches-namespace-environment
match:
any:
- resources:
kinds:
- Deployment
validate:
cel:
variables:
- name: environment
expression: "'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"
- name: exempt
expression: "has(object.metadata.labels) && 'exempt' in object.metadata.labels && object.metadata.labels['exempt'] == 'true'"
- name: containers
expression: "object.spec.template.spec.containers"
- name: containersToCheck
expression: "variables.containers.filter(c, c.image.contains('example.com/'))"
expressions:
- expression: "variables.exempt || variables.containersToCheck.all(c, c.image.startsWith(variables.environment + '.'))"
messageExpression: "'only ' + variables.environment + ' images are allowed in namespace ' + namespaceObject.metadata.name"
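Review bot: The `environment` variable reads `namespaceObject.metadata.labels` without first checking that the field exists, while the `exempt` variable two lines below does guard with `has(object.metadata.labels)`; the two should be written the same way. The `production-ns` fixture in this commit carries no labels at all, so the default-to-`'prod'` branch is exactly the case exercised here, and if the CEL environment surfaces a missing `labels` map as an evaluation error rather than as an empty map (I cannot confirm that from the policy alone), the whole rule errors on `deployment-pass-01` instead of admitting it. Suggested form: `expression: "has(namespaceObject.metadata.labels) && 'environment' in namespaceObject.metadata.labels ? namespaceObject.metadata.labels['environment'] : 'prod'"`. Note also that `c.image.startsWith(variables.environment + '.')` is a raw string-prefix check on the image reference, not a check on the registry host; that is fine for a fixture mirroring the upstream example, but worth a comment if this policy is ever lifted into documentation as a recommended pattern.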