From 373f421b07059dd8ab50f4944f1445163a6b9f94 Mon Sep 17 00:00:00 2001
From: Vyankatesh Kudtarkar
Date: Thu, 3 Feb 2022 20:16:58 +0530
Subject: [PATCH] Fix panic for provides a set to the key of a precondition and deny condition (#3162)
---
 pkg/policy/validate.go | 10 ++++++++
 .../multiple_condition_keys/kyverno-test.yaml | 17 ++++++++++++++
 .../test/multiple_condition_keys/policy.yaml | 23 +++++++++++++++++++
 .../multiple_condition_keys/resources.yaml | 22 ++++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 test/cli/test/multiple_condition_keys/kyverno-test.yaml
 create mode 100644 test/cli/test/multiple_condition_keys/policy.yaml
 create mode 100644 test/cli/test/multiple_condition_keys/resources.yaml
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 56cb6b9654..80357d9dbe 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -1004,6 +1004,16 @@ func validateConditionValues(c kyverno.Condition) (string, error) {
 if c.Key == nil || c.Value == nil || c.Operator == "" {
 return "", fmt.Errorf("entered value of `key`, `value` or `operator` is missing or misspelled")
 }
+ switch reflect.TypeOf(c.Key).Kind() {
+ case reflect.String:
+ value, err := validateValuesKeyRequest(c)
+ return value, err
+ default:
+ return "", nil
+ }
+}
+
+func validateValuesKeyRequest(c kyverno.Condition) (string, error) {
 switch strings.ReplaceAll(c.Key.(string), " ", "") {
 case "{{request.operation}}":
 return validateConditionValuesKeyRequestOperation(c)
diff --git a/test/cli/test/multiple_condition_keys/kyverno-test.yaml b/test/cli/test/multiple_condition_keys/kyverno-test.yaml
new file mode 100644
index 0000000000..2d6b63eb85
--- /dev/null
+++ b/test/cli/test/multiple_condition_keys/kyverno-test.yaml
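Review bot: The `default` branch of the new `switch reflect.TypeOf(c.Key).Kind()` in validateConditionValues returns `"", nil` for every non-string key, so a list, map or number key is now admitted with no check of its values, including a list that contains `{{request.operation}}`. Because this validation is what stops a malformed condition from being stored in an enforcing policy, I would apply the per-key checks to each string element of a list and make the remaining accepted kinds explicit; which kinds the evaluator supports is not visible here, and the sketch assumes a YAML list decodes to `[]interface{}`. A type switch also drops the `reflect` call and the temporary `value, err` pair. validateValuesKeyRequest continues outside the hunk and still uses the unchecked assertion `c.Key.(string)`, so it should stay reachable only from the `string` case.

```go
	// … unchanged: nil/empty check on key, value and operator …
	switch key := c.Key.(type) {
	case string:
		return validateValuesKeyRequest(c)
	case []interface{}:
		// A set of keys: run the same per-key checks on each string element.
		for _, k := range key {
			if _, ok := k.(string); !ok {
				continue
			}
			elem := c // c is passed by value, so this copy is local
			elem.Key = k
			if msg, err := validateValuesKeyRequest(elem); err != nil {
				return msg, err
			}
		}
		return "", nil
	default:
		// Other kinds: keep accepting only if the evaluator is known to handle them.
		return "", nil
	}
}
```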
@@ -0,0 +1,17 @@
+name: test-simple
+policies:
+ - policy.yaml
+resources:
+ - resources.yaml
+results:
+ - policy: test-multiple-key
+ rule: test-multiple-key
+ resource: test-resource-pass
+ kind: Pod
+ status: pass
+ - policy: test-multiple-key
+ rule: test-multiple-key
+ resource: test-resource-fail
+ kind: Pod
+ status: fail
+
\ No newline at end of file
diff --git a/test/cli/test/multiple_condition_keys/policy.yaml b/test/cli/test/multiple_condition_keys/policy.yaml
new file mode 100644
index 0000000000..7ffb4c3319
--- /dev/null
+++ b/test/cli/test/multiple_condition_keys/policy.yaml
@@ -0,0 +1,23 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: test-multiple-key
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: test-multiple-key
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ deny:
+ conditions:
+ any:
+ - key:
+ - "{{request.object.metadata.labels.app}}"
+ operator: NotIn
+ value:
+ - "busybox"
+ - "busybox1"
\ No newline at end of file
diff --git a/test/cli/test/multiple_condition_keys/resources.yaml b/test/cli/test/multiple_condition_keys/resources.yaml
new file mode 100644
index 0000000000..4c1e2dc980
--- /dev/null
+++ b/test/cli/test/multiple_condition_keys/resources.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-resource-pass
+ labels:
+ app: busybox
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-resource-fail
+ labels:
+ app: busybox-fail
+spec:
+ containers:
+ - name: nginx
+ image: nginx:latest
\ No newline at end of file
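Review bot: The policy.yaml fixture only exercises a one-element key list under `validate.deny.conditions.any`, while the commit subject also names preconditions; no rule here carries a `preconditions` block with a list key, so that path stays untested. A second case whose key list contains `{{request.operation}}` would also be worth adding, because that is the key whose values the validator checks for a bare string, and the test would show what happens when it arrives inside a list. In kyverno-test.yaml the suite is still named `test-simple`; `name: test-multiple-key` would match the policy and rule it covers.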