fix(policy chart): Skip DELETE requests on policies using deny statements (#7883)

Fixes #7456 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-28 10:28:36 +00:00 · 2023-07-24 10:29:35 -04:00 · 2023-07-24 10:29:35 -04:00 · 2273529a35
commit 2273529a35
parent 295e98aebe
4 changed files with 50 additions and 4 deletions
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@ -29,3 +29,5 @@ annotations:
      description: Support for customLabels, they were ignored up to now
    - kind: removed
      description: "Walk back change in PSS policy to send to to_upper"
+    - kind: fixed
+      description: Skip DELETE requests on policies using deny statements
--- a/charts/kyverno-policies/ci/test-preconditions-values.yaml
+++ b/charts/kyverno-policies/ci/test-preconditions-values.yaml
@ -12,8 +12,18 @@ policyPreconditions:
    - key: "{{ request.object.metadata.name }}"
      operator: NotEquals
      value: "dcgm-exporter*"
+  disallow-capabilities:
+    all:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
  adding-capabilities-strict:
    all:
    - key: "{{ request.object.metadata.name }}"
      operator: NotEquals
      value: "dcgm-exporter*"
+  restrict-volume-types:
+    all:
+    - key: "{{ request.object.metadata.name }}"
+      operator: NotEquals
+      value: "dcgm-exporter*"
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@ -43,9 +43,26 @@ spec:
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with index .Values "policyPreconditions" $name }}
+      {{- $preconditions := index .Values "policyPreconditions" $name }}
+      {{- if $preconditions }}
+      {{- with $preconditions }}
      preconditions:
-        {{- toYaml . | nindent 8 }}
+        {{- if .all }}
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
+        {{- toYaml .all | nindent 8 }}
+        {{- else }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
      {{- end }}
      validate:
        message: >-
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@ -45,9 +45,26 @@ spec:
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with index .Values "policyPreconditions" $name }}
+      {{- $preconditions := index .Values "policyPreconditions" $name }}
+      {{- if $preconditions }}
+      {{- with $preconditions }}
      preconditions:
-        {{- toYaml . | nindent 8 }}
+        {{- if .all }}
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
+        {{- toYaml .all | nindent 8 }}
+        {{- else }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}"
+          operator: NotEquals
+          value: DELETE
      {{- end }}
      validate:
        message: >-