Check Any and All ResourceFilters during policymutation (#2373)

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

pkg/policymutation/policymutation.go

@@ -470,8 +470,22 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr.
 
 	match := rule.MatchResources
 	exclude := rule.ExcludeResources
-	if !utils.ContainsString(match.ResourceDescription.Kinds, "Pod") ||
-		(len(exclude.ResourceDescription.Kinds) != 0 && !utils.ContainsString(exclude.ResourceDescription.Kinds, "Pod")) {
+	matchResourceDescriptionsKinds := match.ResourceDescription.Kinds
+	for _, value := range match.All {
+		matchResourceDescriptionsKinds = append(matchResourceDescriptionsKinds, value.ResourceDescription.Kinds...)
+	}
+	for _, value := range match.Any {
+		matchResourceDescriptionsKinds = append(matchResourceDescriptionsKinds, value.ResourceDescription.Kinds...)
+	}
+	excludeResourceDescriptionsKinds := exclude.ResourceDescription.Kinds
+	for _, value := range exclude.All {
+		excludeResourceDescriptionsKinds = append(excludeResourceDescriptionsKinds, value.ResourceDescription.Kinds...)
+	}
+	for _, value := range exclude.Any {
+		excludeResourceDescriptionsKinds = append(excludeResourceDescriptionsKinds, value.ResourceDescription.Kinds...)
+	}
+	if !utils.ContainsString(matchResourceDescriptionsKinds, "Pod") ||
+		(len(excludeResourceDescriptionsKinds) != 0 && !utils.ContainsString(excludeResourceDescriptionsKinds, "Pod")) {
 		return kyvernoRule{}
 	}
 

pkg/policymutation/policymutation_test.go

@@ -25,6 +25,44 @@ func currentDir() (string, error) {
 	return filepath.Join(homedir, "github.com/kyverno/kyverno"), nil
 }
 
+func Test_Any(t *testing.T) {
+	dir, err := os.Getwd()
+	baseDir := filepath.Dir(filepath.Dir(dir))
+	assert.NilError(t, err)
+	file, err := ioutil.ReadFile(baseDir + "/test/best_practices/disallow_bind_mounts.yaml")
+	if err != nil {
+		t.Log(err)
+	}
+	policies, err := utils.GetPolicy(file)
+	if err != nil {
+		t.Log(err)
+	}
+
+	policy := policies[0]
+	policy.Spec.Rules[0].MatchResources.Any = kyverno.ResourceFilters{
+		{
+			ResourceDescription: kyverno.ResourceDescription{
+				Kinds: []string{"Pod"},
+			},
+		},
+	}
+
+	rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log)
+	if len(errs) != 0 {
+		t.Log(errs)
+	}
+
+	expectedPatches := [][]byte{
+		[]byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-validate-hostPath","match":{"any":[{"resources":{"kinds":["Pod"]}}],"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"validate":{"message":"Host path volumes are not allowed","pattern":{"spec":{"template":{"spec":{"=(volumes)":[{"X(hostPath)":"null"}]}}}}}}}`),
+		[]byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-validate-hostPath","match":{"any":[{"resources":{"kinds":["Pod"]}}],"resources":{"kinds":["CronJob"]}},"validate":{"message":"Host path volumes are not allowed","pattern":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"=(volumes)":[{"X(hostPath)":"null"}]}}}}}}}}}`),
+	}
+
+	for i, ep := range expectedPatches {
+		assert.Equal(t, string(rulePatches[i]), string(ep),
+			fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep))
+	}
+}
+
 func Test_Exclude(t *testing.T) {
 	dir, err := os.Getwd()
 	baseDir := filepath.Dir(filepath.Dir(dir))
@@ -51,7 +89,10 @@ func Test_Exclude(t *testing.T) {
 		[]byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-validate-hostPath","match":{"resources":{"kinds":["CronJob"]}},"exclude":{"resources":{"namespaces":["fake-namespce"]}},"validate":{"message":"Host path volumes are not allowed","pattern":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"=(volumes)":[{"X(hostPath)":"null"}]}}}}}}}}}`),
 	}
 
-	assert.DeepEqual(t, rulePatches, expectedPatches)
+	for i, ep := range expectedPatches {
+		assert.Equal(t, string(rulePatches[i]), string(ep),
+			fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep))
+	}
 }
 
 func Test_CronJobOnly(t *testing.T) {