mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
658 prototype with testcases
This commit is contained in:
parent
a8ab5df65c
commit
39ac8391c6
2 changed files with 100 additions and 0 deletions
|
@ -69,11 +69,53 @@ func Validate(p kyverno.ClusterPolicy) error {
|
|||
return fmt.Errorf("path: spec.rules[%d].generate.%s.: %v", i, path, err)
|
||||
}
|
||||
}
|
||||
|
||||
// If a rules match block does not match any kind,
|
||||
// we should only allow such rules to have metadata in its overlay
|
||||
if len(rule.MatchResources.Kinds) == 0 {
|
||||
if !ruleOnlyDealsWithResourceMetaData(rule) {
|
||||
return fmt.Errorf("policy can only deal with the metadata field of the resource if" +
|
||||
" the rule does not match an kind")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func ruleOnlyDealsWithResourceMetaData(rule kyverno.Rule) bool {
|
||||
overlayMap, _ := rule.Mutation.Overlay.(map[string]interface{})
|
||||
for k := range overlayMap {
|
||||
if k != "metadata" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
for _, patch := range rule.Mutation.Patches {
|
||||
if !strings.HasPrefix(patch.Path, "/metadata") {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
patternMap, _ := rule.Validation.Pattern.(map[string]interface{})
|
||||
for k := range patternMap {
|
||||
if k != "metadata" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
for _, pattern := range rule.Validation.AnyPattern {
|
||||
patternMap, _ := pattern.(map[string]interface{})
|
||||
for k := range patternMap {
|
||||
if k != "metadata" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
func validateResources(rule kyverno.Rule) (string, error) {
|
||||
// validate userInfo in match and exclude
|
||||
if path, err := validateUserInfo(rule); err != nil {
|
||||
|
|
|
@ -1483,3 +1483,61 @@ func Test_BackGroundUserInfo_validate_anyPattern_serviceAccount(t *testing.T) {
|
|||
t.Error("Incorrect Path")
|
||||
}
|
||||
}
|
||||
|
||||
func Test_ruleOnlyDealsWithResourceMetaData(t *testing.T) {
|
||||
testcases := []struct {
|
||||
description string
|
||||
rule []byte
|
||||
expectedOutput bool
|
||||
}{
|
||||
{
|
||||
description: "Test mutate overlay - pass",
|
||||
rule: []byte(`{"name":"test","mutate":{"overlay":{"metadata":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
|
||||
expectedOutput: true,
|
||||
},
|
||||
{
|
||||
description: "Test mutate overlay - fail",
|
||||
rule: []byte(`{"name":"test","mutate":{"overlay":{"spec":{"containers":[{"(image)":"*","imagePullPolicy":"IfNotPresent"}]}}}}`),
|
||||
expectedOutput: false,
|
||||
},
|
||||
{
|
||||
description: "Test mutate patch - pass",
|
||||
rule: []byte(`{"name":"testPatches","mutate":{"patches":[{"path":"/metadata/labels/isMutated","op":"add","value":"true"},{"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]}}`),
|
||||
expectedOutput: true,
|
||||
},
|
||||
{
|
||||
description: "Test mutate patch - fail",
|
||||
rule: []byte(`{"name":"testPatches","mutate":{"patches":[{"path":"/spec/labels/isMutated","op":"add","value":"true"},{"path":"/metadata/labels/app","op":"replace","value":"nginx_is_mutated"}]}}`),
|
||||
expectedOutput: false,
|
||||
},
|
||||
{
|
||||
description: "Test validate - pass",
|
||||
rule: []byte(`{"name":"testValidate","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"metadata":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
|
||||
expectedOutput: true,
|
||||
},
|
||||
{
|
||||
description: "Test validate - fail",
|
||||
rule: []byte(`{"name":"testValidate","validate":{"message":"CPU and memory resource requests and limits are required","pattern":{"spec":{"containers":[{"(name)":"*","ports":[{"containerPort":80}]}]}}}}`),
|
||||
expectedOutput: false,
|
||||
},
|
||||
{
|
||||
description: "Test validate any pattern - pass",
|
||||
rule: []byte(`{"name":"testValidateAnyPattern","validate":{"message":"Volumes white list","anyPattern":[{"metadata":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
|
||||
expectedOutput: true,
|
||||
},
|
||||
{
|
||||
description: "Test validate any pattern - fail",
|
||||
rule: []byte(`{"name":"testValidateAnyPattern","validate":{"message":"Volumes white list","anyPattern":[{"spec":{"volumes":[{"hostPath":"*"}]}},{"metadata":{"volumes":[{"emptyDir":"*"}]}},{"metadata":{"volumes":[{"configMap":"*"}]}}]}}`),
|
||||
expectedOutput: false,
|
||||
},
|
||||
}
|
||||
|
||||
for i, testcase := range testcases {
|
||||
var rule kyverno.Rule
|
||||
_ = json.Unmarshal(testcase.rule, &rule)
|
||||
output := ruleOnlyDealsWithResourceMetaData(rule)
|
||||
if output != testcase.expectedOutput {
|
||||
t.Errorf("Testcase [%d] failed", i+1)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue