Policy Validation check for onPolicyUpdate flag (#3814)

* policy validation check for OnPolicyUpdate flag * add validation check for onupdatepolicy flag
2025-03-31 03:45:17 +00:00 · 2022-05-05 18:34:49 +05:30 · 2022-05-05 18:34:49 +05:30 · 13d8a96f92
commit 13d8a96f92
parent 8a9a98d8b5
3 changed files with 139 additions and 0 deletions
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@ -148,6 +148,11 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
 	return *s.Background
 }

+// GetOnPolicyUpdate return OnPolicyUpdate set value
+func (s *Spec) GetOnPolicyUpdate() bool {
+	return s.OnPolicyUpdate
+}
+
 // GetFailurePolicy returns the failure policy to be applied
 func (s *Spec) GetFailurePolicy() FailurePolicyType {
 	if s.FailurePolicy == nil {
--- a/pkg/policy/on_update_policy_test.go
+++ b/pkg/policy/on_update_policy_test.go
@ -0,0 +1,109 @@
+package policy
+
+import (
+	"encoding/json"
+	"testing"
+
+	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	"gotest.tools/assert"
+)
+
+func Test_valid_onUpdatePolicyPolicy(t *testing.T) {
+	rawPolicy := []byte(`{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "test-gen",
+		  "annotations": {
+			"policies.kyverno.io/category": "Best Practices"
+		  }
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "match": {
+				"resources": {
+				  "kinds": [
+					"Namespace"
+				  ]
+				}
+			  },
+			  "name": "test-gen",
+			  "preconditions": {
+				"all": [
+				  {
+					"key": "{{request.object.metadata.name}}",
+					"operator": "NotEquals",
+					"value": ""
+				  }
+				]
+			  },
+			  "validate": {
+				"message": "The only label that may be removed or changed is breakglass.",
+				"deny": {
+				  "conditions": {
+					"any": [
+					  {
+						"key": "{{ request.object.metadata.labels  |  merge(@, {breakglass:null}) }}",
+						"operator": "NotEquals",
+						"value": "{{ request.oldObject.metadata.labels  |  merge(@, {breakglass:null}) }}"
+					  }
+					]
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }`)
+
+	var policy kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	err = ValidateOnPolicyUpdate(&policy, true)
+	assert.NilError(t, err)
+}
+
+func Test_invalid_onUpdatePolicyPolicy(t *testing.T) {
+	rawPolicy := []byte(`{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+		  "name": "who-created-this"
+		},
+		"spec": {
+		  "rules": [
+			{
+			  "name": "who-created-this",
+			  "match": {
+				"any": [
+				  {
+					"resources": {
+					  "kinds": [
+						"Pod"
+					  ]
+					}
+				  }
+				]
+			  },
+			  "mutate": {
+				"patchStrategicMerge": {
+				  "metadata": {
+					"labels": {
+					  "created-by": "{{request.userInfo.username}}"
+					}
+				  }
+				}
+			  }
+			}
+		  ]
+		}
+	  }`)
+
+	var policy kyverno.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+	err = ValidateOnPolicyUpdate(&policy, true)
+	assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.onPolicyUpdate=false to disable update policy mode for this policy rule: variable \"{{request.userInfo.username}} is not allowed ")
+}
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -82,6 +82,7 @@ func Validate(policy kyverno.PolicyInterface, client dclient.Interface, mock boo
 	namespaced := policy.IsNamespaced()
 	spec := policy.GetSpec()
 	background := spec.BackgroundProcessingEnabled()
+	onPolicyUpdate := spec.GetOnPolicyUpdate()

 	var errs field.ErrorList
 	specPath := field.NewPath("spec")
@ -91,6 +92,13 @@ func Validate(policy kyverno.PolicyInterface, client dclient.Interface, mock boo
 		return nil, err
 	}

+	if onPolicyUpdate {
+		err := ValidateOnPolicyUpdate(policy, onPolicyUpdate)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	var res []*metav1.APIResourceList
 	clusterResources := sets.NewString()
 	if !mock && namespaced {
@ -393,6 +401,23 @@ func hasInvalidVariables(policy kyverno.PolicyInterface, background bool) error
 	return nil
 }

+func ValidateOnPolicyUpdate(p kyverno.PolicyInterface, onPolicyUpdate bool) error {
+	vars := hasVariables(p)
+	if len(vars) == 0 {
+		return nil
+	}
+
+	if err := hasInvalidVariables(p, onPolicyUpdate); err != nil {
+		return fmt.Errorf("policy contains invalid variables: %s", err.Error())
+	}
+
+	if err := containsUserVariables(p, vars); err != nil {
+		return fmt.Errorf("only select variables are allowed in on policy update. Set spec.onPolicyUpdate=false to disable update policy mode for this policy rule: %s ", err)
+	}
+
+	return nil
+}
+
 // for now forbidden sections are match, exclude and
 func ruleForbiddenSectionsHaveVariables(rule *kyverno.Rule) error {
 	var err error