add anyPattern in crd definition

2025-03-28 10:28:36 +00:00 · 2019-08-20 17:56:02 -07:00 · 2019-08-20 17:56:02 -07:00 · 124b105736
commit 124b105736
parent 4d1d16344d
4 changed files with 35 additions and 7 deletions
--- a/definitions/install.yaml
+++ b/definitions/install.yaml
@ -145,13 +145,13 @@ spec:
                              AnyValue: {}
                  validate:
                    type: object
-                    required:
-                    - pattern
                    properties:
                      message:
                        type: string
                      pattern:
                        AnyValue: {}
+                      anyPattern:
+                        AnyValue: {}
                  generate:
                    type: object
                    required:
--- a/definitions/install_debug.yaml
+++ b/definitions/install_debug.yaml
@ -145,13 +145,13 @@ spec:
                              AnyValue: {}
                  validate:
                    type: object
-                    required:
-                    - pattern
                    properties:
                      message:
                        type: string
                      pattern:
                        AnyValue: {}
+                      anyPattern:
+                        AnyValue: {}
                  generate:
                    type: object
                    required:
--- a/pkg/api/kyverno/v1alpha1/types.go
+++ b/pkg/api/kyverno/v1alpha1/types.go
@ -68,8 +68,9 @@ type Patch struct {

 // Validation describes the way how Validating Webhook will check the resource on creation
 type Validation struct {
-	Message string      `json:"message"`
-	Pattern interface{} `json:"pattern"`
+	Message    string        `json:"message"`
+	Pattern    interface{}   `json:"pattern"`
+	AnyPattern []interface{} `json:"anyPattern"`
 }

 // Generation describes which resources will be created when other resource is created
--- a/pkg/webhooks/policyvalidation.go
+++ b/pkg/webhooks/policyvalidation.go
@ -3,6 +3,7 @@ package webhooks
 import (
 	"encoding/json"
 	"fmt"
+	"reflect"

 	"github.com/golang/glog"
 	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1alpha1"
@ -28,7 +29,7 @@ func (ws *WebhookServer) HandlePolicyValidation(request *v1beta1.AdmissionReques
 	}

 	if request.Operation != v1beta1.Delete {
-		admissionResp = ws.validateUniqueRuleName(policy)
+		admissionResp = ws.validatePolicy(policy)
 	}

 	if admissionResp.Allowed {
@ -38,6 +39,32 @@ func (ws *WebhookServer) HandlePolicyValidation(request *v1beta1.AdmissionReques
 	return admissionResp
 }

+func (ws *WebhookServer) validatePolicy(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
+	admissionResp := ws.validateUniqueRuleName(policy)
+	if !admissionResp.Allowed {
+		return admissionResp
+	}
+
+	return ws.validateOverlayPattern(policy)
+}
+
+func (ws *WebhookServer) validateOverlayPattern(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
+	for _, rule := range policy.Spec.Rules {
+		if !reflect.DeepEqual(rule.Validation, kyverno.Validation{}) {
+			if rule.Validation.Pattern == nil && rule.Validation.AnyPattern == nil {
+				return &v1beta1.AdmissionResponse{
+					Allowed: false,
+					Result: &metav1.Status{
+						Message: "Invalid policy, either pattern or anyPattern found in policy spec",
+					},
+				}
+			}
+		}
+	}
+
+	return &v1beta1.AdmissionResponse{Allowed: true}
+}
+
 // Verify if the Rule names are unique within a policy
 func (ws *WebhookServer) validateUniqueRuleName(policy *kyverno.Policy) *v1beta1.AdmissionResponse {
 	// =======