1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-01-20 18:52:16 +00:00

feat: add auto-gen rules for CEL (#7859)

* feat: add auto-gen rules for CEL

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* clean up

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-07-21 12:19:47 +03:00 committed by GitHub
parent ea631bdf81
commit 35e368730b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 119 additions and 0 deletions

View file

@ -204,6 +204,15 @@ func convertRule(rule kyvernoRule, kind string) (*kyvernov1.Rule, error) {
return nil, err
}
}
// CEL variables are object, oldObject, request, params and authorizer.
// Therefore CEL expressions can be either written as object.spec or request.object.spec
if rule.Validation != nil && rule.Validation.CEL != nil {
bytes = updateCELFields(bytes, kind)
if err := json.Unmarshal(bytes, &rule); err != nil {
return nil, err
}
}
}
out := kyvernov1.Rule{

View file

@ -350,6 +350,47 @@ func TestUpdateGenRuleByte(t *testing.T) {
}
}
func TestUpdateCELFields(t *testing.T) {
tests := []struct {
pbyte []byte
kind string
want []byte
wantErr bool
}{
{
pbyte: []byte("object.spec"),
kind: "Pod",
want: []byte("object.spec.template.spec"),
},
{
pbyte: []byte("oldObject.spec"),
kind: "Pod",
want: []byte("oldObject.spec.template.spec"),
},
{
pbyte: []byte("object.spec"),
kind: "Cronjob",
want: []byte("object.spec.jobTemplate.spec.template.spec"),
},
{
pbyte: []byte("oldObject.spec"),
kind: "Cronjob",
want: []byte("oldObject.spec.jobTemplate.spec.template.spec"),
},
{
pbyte: []byte("object.metadata"),
kind: "Pod",
want: []byte("object.spec.template.metadata"),
},
}
for _, tt := range tests {
got := updateCELFields(tt.pbyte, tt.kind)
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("updateCELFields() = %v, want %v", string(got), string(tt.want))
}
}
}
func Test_ComputeRules(t *testing.T) {
intPtr := func(i int) *int { return &i }
testCases := []struct {
@ -546,3 +587,51 @@ func Test_PodSecurityWithNoExceptions(t *testing.T) {
rules := computeRules(policies[0])
assert.Equal(t, 3, len(rules))
}
func Test_ValidateWithCELExpressions(t *testing.T) {
policy := []byte(`
{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "disallow-host-path"
},
"spec": {
"validationFailureAction": "Enforce",
"background": false,
"rules": [
{
"name": "host-path",
"match": {
"any": [
{
"resources": {
"kinds": [
"Pod"
]
}
}
]
},
"validate": {
"cel": {
"expressions": [
{
"expression": "!has(object.spec.volumes) || object.spec.volumes.all(volume, !has(volume.hostPath))",
"message": "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
}
]
}
}
}
]
}
}
`)
policies, _, err := yamlutils.GetPolicy([]byte(policy))
assert.NilError(t, err)
assert.Equal(t, 1, len(policies))
rules := computeRules(policies[0])
assert.Equal(t, 3, len(rules))
}

View file

@ -200,6 +200,11 @@ func generateRule(name string, rule *kyvernov1.Rule, tplKey, shift string, kinds
rule.VerifyImages = newVerifyImages
return rule
}
if rule.HasValidateCEL() {
cel := rule.Validation.CEL.DeepCopy()
rule.Validation.CEL = cel
return rule
}
return nil
}
@ -326,3 +331,19 @@ func updateRestrictedFields(pbyte []byte, kind string) (obj []byte) {
obj = []byte(strings.ReplaceAll(string(obj), "metadata", "spec.template.metadata"))
return obj
}
func updateCELFields(pbyte []byte, kind string) (obj []byte) {
if kind == "Pod" {
obj = []byte(strings.ReplaceAll(string(pbyte), "object.spec", "object.spec.template.spec"))
obj = []byte(strings.ReplaceAll(string(obj), "oldObject.spec", "oldObject.spec.template.spec"))
obj = []byte(strings.ReplaceAll(string(obj), "object.metadata", "object.spec.template.metadata"))
obj = []byte(strings.ReplaceAll(string(obj), "oldObject.metadata", "oldObject.spec.template.metadata"))
}
if kind == "Cronjob" {
obj = []byte(strings.ReplaceAll(string(pbyte), "object.spec", "object.spec.jobTemplate.spec.template.spec"))
obj = []byte(strings.ReplaceAll(string(obj), "oldObject.spec", "oldObject.spec.jobTemplate.spec.template.spec"))
obj = []byte(strings.ReplaceAll(string(obj), "object.metadata", "object.spec.jobTemplate.spec.template.metadata"))
obj = []byte(strings.ReplaceAll(string(obj), "oldObject.metadata", "oldObject.spec.jobTemplate.spec.template.metadata"))
}
return obj
}