fix regex for allowed variable to support spaces (#1200)

* fix regex for allowed variable to support spaces * remove log * fix regex
2025-04-17 17:56:33 +00:00 · 2020-10-19 12:36:55 -07:00 · 2020-10-19 12:36:55 -07:00 · 1f24ea6f75
commit 1f24ea6f75
parent e9d12dbfff
3 changed files with 20 additions and 16 deletions
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@ -7,13 +7,10 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/util/yaml"
+	"os"
+	"path/filepath"
 	yaml_v2 "sigs.k8s.io/yaml"

 	jsonpatch "github.com/evanphx/json-patch"
@ -91,29 +88,28 @@ func GetPoliciesValidation(policyPaths []string) ([]*v1.ClusterPolicy, error) {
 // PolicyHasVariables - check for variables in the policy
 func PolicyHasVariables(policy v1.ClusterPolicy) bool {
 	policyRaw, _ := json.Marshal(policy)
-	regex := regexp.MustCompile(`\{\{[^{}]*\}\}`)
-	return len(regex.FindAllStringSubmatch(string(policyRaw), -1)) > 0
+	matches := REGEX_VARIABLES.FindAllStringSubmatch(string(policyRaw), -1)
+	return len(matches) > 0
 }

-// PolicyHasNonAllowedVariables - checks for non whitelisted variables in the policy
+// PolicyHasNonAllowedVariables - checks for unexpected variables in the policy
 func PolicyHasNonAllowedVariables(policy v1.ClusterPolicy) bool {
 	policyRaw, _ := json.Marshal(policy)

-	allVarsRegex := regexp.MustCompile(`\{\{[^{}]*\}\}`)
+	matchesAll := REGEX_VARIABLES.FindAllStringSubmatch(string(policyRaw), -1)
+	matchesAllowed := ALLOWED_VARIABLES.FindAllStringSubmatch(string(policyRaw), -1)

-	allowedList := []string{`request\.`, `serviceAccountName`, `serviceAccountNamespace`}
-	regexStr := `\{\{(` + strings.Join(allowedList, "|") + `)[^{}]*\}\}`
-	matchedVarsRegex := regexp.MustCompile(regexStr)
-
-	if len(allVarsRegex.FindAllStringSubmatch(string(policyRaw), -1)) > len(matchedVarsRegex.FindAllStringSubmatch(string(policyRaw), -1)) {
+	if len(matchesAll) > len(matchesAllowed) {
 		// If rules contains Context then skip this validation
 		for _, rule := range policy.Spec.Rules {
 			if len(rule.Context) > 0 {
 				return false
 			}
 		}
+
 		return true
 	}
+
 	return false
 }

--- a/pkg/kyverno/common/regex.go
+++ b/pkg/kyverno/common/regex.go
@ -0,0 +1,8 @@
+package common
+
+import (
+	"regexp"
+)
+
+var REGEX_VARIABLES = regexp.MustCompile(`\{\{[^{}]*\}\}`)
+var ALLOWED_VARIABLES = regexp.MustCompile(`\{\{\s*[request\.|serviceAccountName|serviceAccountNamespace][^{}]*\}\}`)
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -36,7 +36,7 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
 	}

 	if common.PolicyHasVariables(p) && common.PolicyHasNonAllowedVariables(p) {
-		return fmt.Errorf("policy contains reserved variables (serviceAccountName, serviceAccountNamespace)")
+		return fmt.Errorf("policy contains unknown variables")
 	}

 	if path, err := validateUniqueRuleName(p); err != nil {
@ -458,7 +458,7 @@ func validateRuleContext(rule kyverno.Rule) (error) {
 		if entry.Name == ""{
 			return fmt.Errorf("a name is required for context entries")
 		}
-		
+
 		if entry.ConfigMap != nil {
 			if entry.ConfigMap.Name == "" {
 				return fmt.Errorf("a name is required for configMap context entry")