set default value of "request.operation" to "CREATE" (#2688)

* set default value of "request.operation" equals to "CREATE" Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * handles the value of "request.operation" as "CREATE" in the CLI Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * fixed the failing e2e test case Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added logs Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added test case Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>
2025-03-29 02:45:06 +00:00 · 2021-11-18 20:39:35 +05:30 · 2021-11-18 20:39:35 +05:30 · 3e7c469d2e
commit 3e7c469d2e
parent 7f95bee23c
5 changed files with 122 additions and 0 deletions
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@ -372,6 +372,18 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 		for _, p := range values.Policies {
 			resourceMap := make(map[string]Resource)
 			for _, r := range p.Resources {
+				if val, ok := r.Values["request.operation"]; ok {
+					if val == "" {
+						r.Values["request.operation"] = "CREATE"
+						log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
+					}
+				} else {
+					if r.Values == nil {
+						r.Values = make(map[string]string)
+					}
+					r.Values["request.operation"] = "CREATE"
+					log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
+				}
 				for variableInFile := range r.Values {
 					if strings.Contains(variableInFile, "request.object") {
 						if !strings.Contains(reqObjVars, variableInFile) {
--- a/test/cli/test/simple/policy.yaml
+++ b/test/cli/test/simple/policy.yaml
@ -93,3 +93,46 @@ spec:
        - key: "{{ request.object.metadata.annotations.\"pod.kubernetes.io/lifetime\" }}"
          operator: LessThanOrEquals
          value: "8h"
+
+
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-pod-counts
+  annotations:
+    policies.kyverno.io/title: Restrict Pod Count per Node
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.3.2
+    policies.kyverno.io/description: >-
+      Sometimes Kubernetes Nodes may have a maximum number of Pods they can accommodate due to
+      resources outside CPU and memory such as licensing, or in some
+      development cases. This policy restricts Pod count on a Node named `minikube` to be no more than 10.
+    # pod-policies.kyverno.io/autogen-controllers: None
+spec:
+  validationFailureAction: audit
+  background: false
+  rules:
+    - name: restrict-pod-count
+      match:
+        resources:
+          kinds:
+            - Pod
+      context:
+        - name: podcounts
+          apiCall:
+            urlPath: "/api/v1/pods"
+            jmesPath: "items[?spec.nodeName=='minikube'] | length(@)"
+      preconditions:
+        - key: "{{ request.operation }}"
+          operator: Equals
+          value: "CREATE"
+      validate:
+        message: "A maximum of 10 Pods are allowed on the Node `minikube`"
+        deny:
+          conditions:
+            - key: "{{ podcounts }}"
+              operator: GreaterThan
+              value: 10
--- a/test/cli/test/simple/resources.yaml
+++ b/test/cli/test/simple/resources.yaml
@ -69,3 +69,16 @@ spec:
  containers:
  - name: nginx
    image: nginx:1.12
+
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: myapp
+  name: myapp-pod
+spec:
+  containers:
+  - image: nginx
+    name: myapp-pod
--- a/test/cli/test/simple/test.yaml
+++ b/test/cli/test/simple/test.yaml
@ -3,6 +3,7 @@ policies:
  - policy.yaml
 resources:
  - resources.yaml
+variables: values.yaml
 results:
  - policy: disallow-latest-tag
    rule: require-image-tag
@ -49,3 +50,34 @@ results:
    resource: test-lifetime-fail
    kind: Pod
    status: pass
+
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: myapp-pod
+    kind: Pod
+    status: fail
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: test-require-image-tag-pass
+    kind: Pod
+    status: fail
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: test-require-image-tag-fail
+    kind: Pod
+    status: fail
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: test-validate-image-tag-ignore
+    kind: Pod
+    status: fail
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: test-validate-image-tag-fail
+    kind: Pod
+    status: fail    
+  - policy: restrict-pod-counts
+    rule: restrict-pod-count
+    resource: test-validate-image-tag-pass
+    kind: Pod
+    status: fail
--- a/test/cli/test/simple/values.yaml
+++ b/test/cli/test/simple/values.yaml
@ -0,0 +1,22 @@
+policies:
+- name: restrict-pod-counts
+  rules:
+    - name: restrict-pod-count
+      values:
+        podcounts: "40"
+  resources:
+  # operation is provided by user
+  - name: myapp-pod
+    values:
+      request.operation: CREATE
+  # operation is not provided by user
+  - name: test-require-image-tag-pass
+    values:
+  # operation is empty
+  - name: test-require-image-tag-fail
+    values:
+      request.operation: ""
+  # No operation provided
+  - name: test-validate-image-tag-ignore
+  - name: test-validate-image-tag-fail
+  - name: test-validate-image-tag-pass