644 circle ci changes

2024-12-14 11:57:48 +00:00 · 2020-02-09 19:56:38 +05:30 · 2020-02-09 19:56:38 +05:30 · 2d137c856c
commit 2d137c856c
parent 17da6217e0
2 changed files with 28 additions and 7 deletions
--- a/pkg/engine/utils_test.go
+++ b/pkg/engine/utils_test.go
@ -22,7 +22,7 @@ func TestMatchesResourceDescription(t *testing.T) {
 		areErrorsExpected bool
 	}{
 		{
-			Description: "",
+			Description: "Should match pod and not exclude it",
 			AdmissionInfo: kyverno.RequestInfo{
 				ClusterRoles: []string{"admin"},
 			},
@ -31,7 +31,7 @@ func TestMatchesResourceDescription(t *testing.T) {
 			areErrorsExpected: false,
 		},
 		{
-			Description: "",
+			Description: "Should exclude resource since it matches the exclude block",
 			AdmissionInfo: kyverno.RequestInfo{
 				ClusterRoles: []string{"system:node"},
 			},
@ -40,16 +40,37 @@ func TestMatchesResourceDescription(t *testing.T) {
 			areErrorsExpected: true,
 		},
 		{
-			Description:       "",
+			Description:       "Should not fail if in sync mode, if admission info is empty it should still match resources with specific clusterroles",
 			Resource:          []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
 			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
 			areErrorsExpected: false,
 		},
+		{
+			Description: "Should fail since resource does not match policy",
+			AdmissionInfo: kyverno.RequestInfo{
+				ClusterRoles: []string{"admin"},
+			},
+			Resource:          []byte(`{"apiVersion":"v1","kind":"Service","metadata":{"name":"hello-world","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
+			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
+			areErrorsExpected: true,
+		},
+		{
+			Description: "Should not fail since resource does not match exclude block",
+			AdmissionInfo: kyverno.RequestInfo{
+				ClusterRoles: []string{"system:node"},
+			},
+			Resource:          []byte(`{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hello-world2","labels":{"name":"hello-world"}},"spec":{"containers":[{"name":"hello-world","image":"hello-world","ports":[{"containerPort":81}],"resources":{"limits":{"memory":"30Mi","cpu":"0.2"},"requests":{"memory":"20Mi","cpu":"0.1"}}}]}}`),
+			Policy:            []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"hello-world-policy"},"spec":{"background":false,"rules":[{"name":"hello-world-policy","match":{"resources":{"kinds":["Pod"]}},"exclude":{"resources":{"name":"hello-world"},"clusterroles":["system:node"]},"mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}]}}`),
+			areErrorsExpected: false,
+		},
 	}

 	for i, tc := range tcs {
 		var policy kyverno.Policy
-		json.Unmarshal(tc.Policy, &policy)
+		err := json.Unmarshal(tc.Policy, &policy)
+		if err != nil {
+			t.Errorf("Testcase %d invalid policy raw", i+1)
+		}
 		resource, _ := utils.ConvertToUnstructured(tc.Resource)

 		for _, rule := range policy.Spec.Rules {
--- a/pkg/userinfo/roleRef.go
+++ b/pkg/userinfo/roleRef.go
@ -90,10 +90,10 @@ func matchSubjectsMap(subject rbacv1.Subject, userInfo authenticationv1.UserInfo
 	// ServiceAccount
 	if strings.Contains(userInfo.Username, SaPrefix) {
 		return matchServiceAccount(subject, userInfo)
+	} else {
+		// User or Group
+		return matchUserOrGroup(subject, userInfo)
 	}
-
-	// User or Group
-	return matchUserOrGroup(subject, userInfo)
 }

 // matchServiceAccount checks if userInfo sa matche the subject sa