fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots (#8377)

* fix: Kyverno variable substitution might not work correctly if the top level variable key contains dots Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-01-20 18:52:16 +00:00 · 2023-09-13 16:04:39 +02:00 · 2023-09-13 16:04:39 +02:00 · 14ab6b72a2
commit 14ab6b72a2
parent aeb5e01c60
9 changed files with 227 additions and 1 deletions
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -204,6 +204,7 @@ func (p *PolicyProcessor) makePolicyContext(
 		}
 		resourceValues = vals
 	}
 	// TODO: this is kind of buggy, we should read that from the json context
 	switch resourceValues["request.operation"] {
 	case "DELETE":
 		operation = kyvernov1.Delete
@ -219,9 +220,13 @@ func (p *PolicyProcessor) makePolicyContext(
 	)
 	if err != nil {
 		log.Log.Error(err, "failed to create policy context")
 		return nil, fmt.Errorf("failed to create policy context (%w)", err)
 	}
 	if operation == kyvernov1.Update {
 		policyContext = policyContext.WithOldResource(resource)
 		if err := policyContext.JSONContext().AddOldResource(resource.Object); err != nil {
 			return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
 		}
 	}
 	policyContext = policyContext.
 		WithPolicy(policy).
@ -230,7 +235,70 @@ func (p *PolicyProcessor) makePolicyContext(
 	for key, value := range resourceValues {
 		err = policyContext.JSONContext().AddVariable(key, value)
 		if err != nil {
-			log.Log.Error(err, "failed to add variable to context")
+			log.Log.Error(err, "failed to add variable to context", "key", key, "value", value)
 			return nil, fmt.Errorf("failed to add variable to context %s (%w)", key, err)
 		}
 	}
 	// we need to get the resources back from the context to account for injected variables
 	switch operation {
 	case kyvernov1.Create:
 		ret, err := policyContext.JSONContext().Query("request.object")
 		if err != nil {
 			return nil, err
 		}
 		if ret == nil {
 			policyContext = policyContext.WithNewResource(unstructured.Unstructured{})
 		} else {
 			object, ok := ret.(map[string]interface{})
 			if !ok {
 				return nil, fmt.Errorf("the object retrieved from the json context is not valid")
 			}
 			policyContext = policyContext.WithNewResource(unstructured.Unstructured{Object: object})
 		}
 	case kyvernov1.Update:
 		{
 			ret, err := policyContext.JSONContext().Query("request.object")
 			if err != nil {
 				return nil, err
 			}
 			if ret == nil {
 				policyContext = policyContext.WithNewResource(unstructured.Unstructured{})
 			} else {
 				object, ok := ret.(map[string]interface{})
 				if !ok {
 					return nil, fmt.Errorf("the object retrieved from the json context is not valid")
 				}
 				policyContext = policyContext.WithNewResource(unstructured.Unstructured{Object: object})
 			}
 		}
 		{
 			ret, err := policyContext.JSONContext().Query("request.oldObject")
 			if err != nil {
 				return nil, err
 			}
 			if ret == nil {
 				policyContext = policyContext.WithOldResource(unstructured.Unstructured{})
 			} else {
 				object, ok := ret.(map[string]interface{})
 				if !ok {
 					return nil, fmt.Errorf("the object retrieved from the json context is not valid")
 				}
 				policyContext = policyContext.WithOldResource(unstructured.Unstructured{Object: object})
 			}
 		}
 	case kyvernov1.Delete:
 		ret, err := policyContext.JSONContext().Query("request.oldObject")
 		if err != nil {
 			return nil, err
 		}
 		if ret == nil {
 			policyContext = policyContext.WithOldResource(unstructured.Unstructured{})
 		} else {
 			object, ok := ret.(map[string]interface{})
 			if !ok {
 				return nil, fmt.Errorf("the object retrieved from the json context is not valid")
 			}
 			policyContext = policyContext.WithOldResource(unstructured.Unstructured{Object: object})
 		}
 	}
 	return policyContext, nil
--- a/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/deny-modify-platform-label.yaml
@ -0,0 +1,30 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: deny-modify-platform-label
  annotations:
    policies.kyverno.io/title: Deny Modification of platform owned roles
    policies.kyverno.io/category: Hardening
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role
    policies.kyverno.io/description: >-
      Restrict modification of platform owned roles to admins only
 spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: deny-modify-platform-role
      match:
        any:
          - resources:
              kinds:
                - Role
      preconditions:
        any:
          - key: '{{ request.object.metadata.annotations."hpedevops.net/platform" || "" }}'
            operator: Equals
            value: 'true'
      validate:
        message: >-
            Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users.
        deny: {}
--- a/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/kyverno-test.yaml
@ -0,0 +1,25 @@
 name: deny-modify-platform-label-2
 policies:
 - deny-modify-platform-label.yaml
 resources:
 - resource.yaml
 variables: variables.yaml
 results:
 - kind: Role
  policy: deny-modify-platform-label
  resources:
  - my-role-with-platform
  result: fail
  rule: deny-modify-platform-role
 - kind: Role
  policy: deny-modify-platform-label
  resources:
  - my-role-without-platform
  result: skip
  rule: deny-modify-platform-role
 - kind: Role
  policy: deny-modify-platform-label
  resources:
  - my-role-with-platform-false
  result: skip
  rule: deny-modify-platform-role
--- a/test/cli/test/deny-modify-platform-label-2/resource.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/resource.yaml
@ -0,0 +1,35 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: my-role-with-platform
 rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: my-role-without-platform
 rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: my-role-with-platform-false
 rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - watch
--- a/test/cli/test/deny-modify-platform-label-2/variables.yaml
+++ b/test/cli/test/deny-modify-platform-label-2/variables.yaml
@ -0,0 +1,11 @@
 policies:
  - name: deny-modify-platform-label
    resources:
      - name: my-role-with-platform
        values:
          request.object.metadata.annotations."hpedevops.net/platform": 'true'
  - name: deny-modify-platform-label
    resources:
      - name: my-role-with-platform-false
        values:
          request.object.metadata.annotations."hpedevops.net/platform": 'false'
--- a/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/deny-modify-platform-label.yaml
@ -0,0 +1,27 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: deny-modify-platform-label
  annotations:
    policies.kyverno.io/title: Deny Modification of platform owned roles
    policies.kyverno.io/category: Hardening
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role
    policies.kyverno.io/description: >-
      Restrict modification of platform owned roles to admins only
 spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: deny-modify-platform-role
      match:
        any:
          - resources:
              kinds:
                - Role
              annotations:
                hpedevops.net/platform: 'true'
      validate:
        message: >-
            Roles owned by platform team (ones with label hpedevops.net/platform=true) should not be modified by non-admin users.
        deny: {}
--- a/test/cli/test/deny-modify-platform-label-3/kyverno-test.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/kyverno-test.yaml
@ -0,0 +1,13 @@
 name: deny-modify-platform-label-2
 policies:
 - deny-modify-platform-label.yaml
 resources:
 - resource.yaml
 variables: variables.yaml
 results:
 - kind: Role
  policy: deny-modify-platform-label
  resources:
  - my-role-with-platform
  result: fail
  rule: deny-modify-platform-role
--- a/test/cli/test/deny-modify-platform-label-3/resource.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/resource.yaml
@ -0,0 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: my-role-with-platform
 rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - watch
--- a/test/cli/test/deny-modify-platform-label-3/variables.yaml
+++ b/test/cli/test/deny-modify-platform-label-3/variables.yaml
@ -0,0 +1,6 @@
 policies:
  - name: deny-modify-platform-label
    resources:
      - name: my-role-with-platform
        values:
          request.object.metadata.annotations."hpedevops.net/platform": 'true'