fix(polex): multiple polexes with conditions (#9994)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2024-05-06 13:28:39 +03:00 · 2024-05-06 13:28:39 +03:00 · 21602a1e1f
commit 21602a1e1f
parent 8805620574
7 changed files with 148 additions and 1 deletions
--- a/pkg/engine/utils/exceptions.go
+++ b/pkg/engine/utils/exceptions.go
@ -37,7 +37,7 @@ func MatchesException(polexs []*kyvernov2beta1.PolicyException, policyContext en
 					return nil
 				}
 				if !passed {
-					return nil
+					continue
 				}
 			}
 			return polex
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/README.md
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/README.md
@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy that only allows a maximum of 3 containers inside a pod. It then creates an exception with `conditions` field defined which tests out the functionality for the conditions support in `PolicyException`. Two `PolicyExceptions` are created one without matching conditions and one with to test the behavior of multiple exceptions with conditions.
+
+
+## Expected Behavior
+
+The first `PolicyException` should fail the condition but the second `PolicyException` should pass it and the deployment should be created.
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/chainsaw-test.yaml
@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: conditions
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: failing-exception.yaml
+    - apply:
+        file: passing-exception.yaml
+  - finally:
+    - sleep:
+        duration: 5s
+    name: step-03
+    try:
+    - apply:
+        file: good-deployment.yaml
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml
@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: failing-container-exception
+spec:
+  exceptions:
+  - policyName: max-containers
+    ruleNames:
+    - max-two-containers
+    - autogen-max-two-containers
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+  conditions:
+    any:
+    - key: "{{ request.object.metadata.labels.color || '' }}"
+      operator: Equals
+      value: red
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/good-deployment.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/good-deployment.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: good-deployment
+  labels:
+    app: my-app
+    color: blue
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+        color: blue
+    spec:
+      containers:
+        - name: nginx-container
+          image: nginx:latest
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              cpu: "1"
+              memory: "256Mi"
+            requests:
+              cpu: "0.5"
+              memory: "128Mi"
+        - name: redis-container
+          image: redis:latest
+          ports:
+            - containerPort: 6379
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "512Mi"
+            requests:
+              cpu: "0.25"
+              memory: "256Mi"
+        - name: busybox-container
+          image: busybox:latest
+          command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "128Mi"
+            requests:
+              cpu: "0.25"
+              memory: "64Mi"
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml
@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+  name: passing-container-exception
+spec:
+  exceptions:
+  - policyName: max-containers
+    ruleNames:
+    - max-two-containers
+    - autogen-max-two-containers
+  match:
+    any:
+    - resources:
+        kinds:
+        - Pod
+        - Deployment
+  conditions:
+    any:
+    - key: "{{ request.object.metadata.labels.color || '' }}"
+      operator: Equals
+      value: blue
--- a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: max-containers
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: max-two-containers
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "A maximum of 2 containers are allowed inside a Pod."
+      deny:
+        conditions:
+          any:
+          - key: "{{request.object.spec.containers[] | length(@)}}"
+            operator: GreaterThan
+            value: "2"