fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots (#8377)

* fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2023-09-13 16:04:39 +02:00 · 2023-09-13 16:04:39 +02:00 · 14ab6b72a2
commit 14ab6b72a2
parent aeb5e01c60
9 changed files with 227 additions and 1 deletions
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -204,6 +204,7 @@ func (p *PolicyProcessor) makePolicyContext(
 		}
 		resourceValues = vals
 	}
+	// TODO: this is kind of buggy, we should read that from the json context
 	switch resourceValues["request.operation"] {
 	case "DELETE":
 		operation = kyvernov1.Delete
@ -219,9 +220,13 @@ func (p *PolicyProcessor) makePolicyContext(
 	)
 	if err != nil {
 		log.Log.Error(err, "failed to create policy context")
+		return nil, fmt.Errorf("failed to create policy context (%w)", err)
 	}
 	if operation == kyvernov1.Update {
 		policyContext = policyContext.WithOldResource(resource)
+		if err := policyContext.JSONContext().AddOldResource(resource.Object); err != nil {
+			return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
+		}
 	}
 	policyContext = policyContext.
 		WithPolicy(policy).
@ -230,7 +235,70 @@ func (p *PolicyProcessor) makePolicyContext(
 	for key, value := range resourceValues {
 		err = policyContext.JSONContext().AddVariable(key, value)
 		if err != nil {
-			log.Log.Error(err, "failed to add variable to context")
+			log.Log.Error(err, "failed to add variable to context", "key", key, "value", value)
+			return nil, fmt.Errorf("failed to add variable to context %s (%w)", key, err)
+		}
+	}
+	// we need to get the resources back from the context to account for injected variables
+	switch operation {
+	case kyvernov1.Create:
+		ret, err := policyContext.JSONContext().Query("request.object")
+		if err != nil {
+			return nil, err
+		}
+		if ret == nil {
+			policyContext = policyContext.WithNewResource(unstructured.Unstructured{})
+		} else {
+			object, ok := ret.(map[string]interface{})
+			if !ok {
+				return nil, fmt.Errorf("the object retrieved from the json context is not valid")
+			}
+			policyContext = policyContext.WithNewResource(unstructured.Unstructured{Object: object})
+		}
+	case kyvernov1.Update:
+		{
+			ret, err := policyContext.JSONContext().Query("request.object")
+			if err != nil {
+				return nil, err
+			}
+			if ret == nil {
+				policyContext = policyContext.WithNewResource(unstructured.Unstructured{})
+			} else {
+				object, ok := ret.(map[string]interface{})
+				if !ok {
+					return nil, fmt.Errorf("the object retrieved from the json context is not valid")
+				}
+				policyContext = policyContext.WithNewResource(unstructured.Unstructured{Object: object})
+			}
+		}
+		{
+			ret, err := policyContext.JSONContext().Query("request.oldObject")
+			if err != nil {
+				return nil, err
+			}
+			if ret == nil {
+				policyContext = policyContext.WithOldResource(unstructured.Unstructured{})
+			} else {
+				object, ok := ret.(map[string]interface{})
+				if !ok {
+					return nil, fmt.Errorf("the object retrieved from the json context is not valid")
+				}
+				policyContext = policyContext.WithOldResource(unstructured.Unstructured{Object: object})
+			}
+		}
+	case kyvernov1.Delete:
+		ret, err := policyContext.JSONContext().Query("request.oldObject")
+		if err != nil {
+			return nil, err
+		}
+		if ret == nil {
+			policyContext = policyContext.WithOldResource(unstructured.Unstructured{})
+		} else {
+			object, ok := ret.(map[string]interface{})
+			if !ok {
+				return nil, fmt.Errorf("the object retrieved from the json context is not valid")
+			}
+			policyContext = policyContext.WithOldResource(unstructured.Unstructured{Object: object})
 		}
 	}
 	return policyContext, nil
--- a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-modify-platform-label
+  annotations:
+    policies.kyverno.io/title: Deny Modification of platform owned roles
+    policies.kyverno.io/category: Hardening
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Role
+    policies.kyverno.io/description: >-
+      Restrict modification of platform owned roles to admins only
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+    - name: deny-modify-platform-role
+      match:
+        any:
+          - resources:
+              kinds:
+                - Role
+      preconditions:
+        any:
+          - key: '{{ request.object.metadata.annotations."hpedevops.net/platform" || "" }}'
+            operator: Equals
+            value: 'true'
+      validate:
+        message: >-
+            Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users.
+        deny: {}
--- a/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
@ -0,0 +1,25 @@
+name: deny-modify-platform-label-2
+policies:
+- deny-modify-platform-label.yaml
+resources:
+- resource.yaml
+variables: variables.yaml
+results:
+- kind: Role
+  policy: deny-modify-platform-label
+  resources:
+  - my-role-with-platform
+  result: fail
+  rule: deny-modify-platform-role
+- kind: Role
+  policy: deny-modify-platform-label
+  resources:
+  - my-role-without-platform
+  result: skip
+  rule: deny-modify-platform-role
+- kind: Role
+  policy: deny-modify-platform-label
+  resources:
+  - my-role-with-platform-false
+  result: skip
+  rule: deny-modify-platform-role
--- a/test/cli/test/deny-modify-platform-label-2/resource.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/resource.yaml
@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role-with-platform
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role-without-platform
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role-with-platform-false
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - watch
--- a/test/cli/test/deny-modify-platform-label-2/variables.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/variables.yaml
@ -0,0 +1,11 @@
+policies:
+  - name: deny-modify-platform-label
+    resources:
+      - name: my-role-with-platform
+        values:
+          request.object.metadata.annotations."hpedevops.net/platform": 'true'
+  - name: deny-modify-platform-label
+    resources:
+      - name: my-role-with-platform-false
+        values:
+          request.object.metadata.annotations."hpedevops.net/platform": 'false'
--- a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-modify-platform-label
+  annotations:
+    policies.kyverno.io/title: Deny Modification of platform owned roles
+    policies.kyverno.io/category: Hardening
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Role
+    policies.kyverno.io/description: >-
+      Restrict modification of platform owned roles to admins only
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+    - name: deny-modify-platform-role
+      match:
+        any:
+          - resources:
+              kinds:
+                - Role
+              annotations:
+                hpedevops.net/platform: 'true'
+      validate:
+        message: >-
+            Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users.
+        deny: {}
--- a/test/cli/test/deny-modify-platform-label-3/kyverno-test.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/kyverno-test.yaml
@ -0,0 +1,13 @@
+name: deny-modify-platform-label-2
+policies:
+- deny-modify-platform-label.yaml
+resources:
+- resource.yaml
+variables: variables.yaml
+results:
+- kind: Role
+  policy: deny-modify-platform-label
+  resources:
+  - my-role-with-platform
+  result: fail
+  rule: deny-modify-platform-role
--- a/test/cli/test/deny-modify-platform-label-3/resource.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/resource.yaml
@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role-with-platform
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - watch
--- a/test/cli/test/deny-modify-platform-label-3/variables.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/variables.yaml
@ -0,0 +1,6 @@
+policies:
+  - name: deny-modify-platform-label
+    resources:
+      - name: my-role-with-platform
+        values:
+          request.object.metadata.annotations."hpedevops.net/platform": 'true'