diff --git a/pkg/engine/utils/exceptions.go b/pkg/engine/utils/exceptions.go
index c697faebe0..99659da0d4 100644
--- a/pkg/engine/utils/exceptions.go
+++ b/pkg/engine/utils/exceptions.go
@@ -37,7 +37,7 @@ func MatchesException(polexs []*kyvernov2beta1.PolicyException, policyContext en
 return nil
 }
 if !passed {
- return nil
+ continue
 }
 }
 return polex
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/README.md b/test/conformance/chainsaw/exceptions/good-bad-conditions/README.md
new file mode 100644
index 0000000000..c3bbe916b0
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test creates a policy that only allows a maximum of 3 containers inside a pod. It then creates an exception with `conditions` field defined which tests out the functionality for the conditions support in `PolicyException`. Two `PolicyExceptions` are created one without matching conditions and one with to test the behavior of multiple exceptions with conditions.
+
+
+## Expected Behavior
+
+The first `PolicyException` should fail the condition but the second `PolicyException` should pass it and the deployment should be created.
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/chainsaw-test.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/chainsaw-test.yaml
new file mode 100755
index 0000000000..e76839645e
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: conditions
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: failing-exception.yaml
+ - apply:
+ file: passing-exception.yaml
+ - finally:
+ - sleep:
+ duration: 5s
+ name: step-03
+ try:
+ - apply:
+ file: good-deployment.yaml
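Review bot: The `return nil` on the first context line of this hunk, which from its position looks like the condition-evaluation error branch, still abandons the whole loop, while the new `continue` only skips the one exception whose conditions were not met, so a single exception with an unevaluable condition now prevents every later exception in `polexs` from being considered. Failing closed on an evaluation error is the conservative choice for an admission gate, but the asymmetry is now deliberate and should be stated: I would add `// conditions not met: this exception does not apply, try the next one` above `continue` and a matching comment on the error branch noting that an evaluation error suppresses all remaining exceptions. With `continue`, the first exception whose conditions pass wins, so the order of `polexs` decides which exception is reported, which is worth a sentence in the function's doc comment. A unit test for MatchesException with a failing and a passing exception in both orders would pin this, since the commit only adds a chainsaw test. MatchesException's signature, loop header and the computation of `passed` lie outside the hunk.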
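Review bot: The chainsaw test only asserts that `good-deployment.yaml` applies successfully in step-03, which cannot distinguish "conditions are evaluated and the second exception passes" from "conditions are ignored and any exception applies"; a regression that skipped condition evaluation entirely would still pass this test. Add a step that applies a deployment whose `color` label matches neither exception and expect the apply to be rejected (chainsaw's `expect`/`error` on the apply), so the failing exception is shown to actually fail. The `finally: sleep` block is placed before the `name: step-03` key, which reads as if the sleep belonged to step-02; moving `name` and `try` above `finally` would make the step boundaries obvious, and the `sleep` itself suggests the test depends on webhook readiness rather than on an explicit assert. Separately, the README in this change says the policy allows a maximum of 3 containers, while `policy.yaml` denies more than 2, which is the value the 3-container deployment relies on.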
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml
new file mode 100644
index 0000000000..abcebda909
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/failing-exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: failing-container-exception
+spec:
+ exceptions:
+ - policyName: max-containers
+ ruleNames:
+ - max-two-containers
+ - autogen-max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.color || '' }}"
+ operator: Equals
+ value: red
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/good-deployment.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/good-deployment.yaml
new file mode 100644
index 0000000000..c2b8a0204c
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/good-deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: my-app
+ color: blue
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: my-app
+ template:
+ metadata:
+ labels:
+ app: my-app
+ color: blue
+ spec:
+ containers:
+ - name: nginx-container
+ image: nginx:latest
+ ports:
+ - containerPort: 80
+ resources:
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ requests:
+ cpu: "0.5"
+ memory: "128Mi"
+ - name: redis-container
+ image: redis:latest
+ ports:
+ - containerPort: 6379
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "512Mi"
+ requests:
+ cpu: "0.25"
+ memory: "256Mi"
+ - name: busybox-container
+ image: busybox:latest
+ command: ["/bin/sh", "-c", "while true; do echo 'Hello from BusyBox'; sleep 10; done"]
+ resources:
+ limits:
+ cpu: "0.5"
+ memory: "128Mi"
+ requests:
+ cpu: "0.25"
+ memory: "64Mi"
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml
new file mode 100644
index 0000000000..8d3323cbaa
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/passing-exception.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v2beta1
+kind: PolicyException
+metadata:
+ name: passing-container-exception
+spec:
+ exceptions:
+ - policyName: max-containers
+ ruleNames:
+ - max-two-containers
+ - autogen-max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.color || '' }}"
+ operator: Equals
+ value: blue
diff --git a/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
new file mode 100644
index 0000000000..2e66ed1429
--- /dev/null
+++ b/test/conformance/chainsaw/exceptions/good-bad-conditions/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: max-containers
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: max-two-containers
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "A maximum of 2 containers are allowed inside a Pod."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.object.spec.containers[] | length(@)}}"
+ operator: GreaterThan
+ value: "2"