From 3e7c469d2ea8d549284a88281c430192ee2b2760 Mon Sep 17 00:00:00 2001
From: vivek kumar sahu
Date: Thu, 18 Nov 2021 20:39:35 +0530
Subject: [PATCH] set default value of "request.operation" to "CREATE" (#2688)

* set default value of "request.operation" equals to "CREATE"

Signed-off-by: viveksahu26

* handles the value of "request.operation" as "CREATE" in the CLI

Signed-off-by: viveksahu26

* fixed the failing e2e test case

Signed-off-by: viveksahu26

* Added logs

Signed-off-by: viveksahu26

* Added test case

Signed-off-by: viveksahu26
---
 pkg/kyverno/common/common.go | 12 ++++++++
 test/cli/test/simple/policy.yaml | 43 +++++++++++++++++++++++++++++
 test/cli/test/simple/resources.yaml | 13 +++++++++
 test/cli/test/simple/test.yaml | 32 +++++++++++++++++++++
 test/cli/test/simple/values.yaml | 22 +++++++++++++++
 5 files changed, 122 insertions(+)
 create mode 100644 test/cli/test/simple/values.yaml

diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go
index b2babd3f5b..61c9905905 100644
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
@@ -372,6 +372,18 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 for _, p := range values.Policies {
 resourceMap := make(map[string]Resource)
 for _, r := range p.Resources {
+ if val, ok := r.Values["request.operation"]; ok {
+ if val == "" {
+ r.Values["request.operation"] = "CREATE"
+ log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
+ }
+ } else {
+ if r.Values == nil {
+ r.Values = make(map[string]string)
+ }
+ r.Values["request.operation"] = "CREATE"
+ log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
+ }
 for variableInFile := range r.Values {
 if strings.Contains(variableInFile, "request.object") {
 if !strings.Contains(reqObjVars, variableInFile) {
diff --git a/test/cli/test/simple/policy.yaml b/test/cli/test/simple/policy.yaml
index b14c458f65..07e38db7ef 100644
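Review bot: The two branches added at the top of the resource loop do the same work and can collapse into one check, because indexing a nil map returns the zero value: `if r.Values["request.operation"] == ""` covers both the absent key and the empty string, followed by the nil-map `make`, the assignment and the log (see fence). Note that `r` is the per-iteration copy from `for _, r := range p.Resources`; if `Resources` holds struct values, the map created by `make` lives only in that copy, which is fine as long as the rest of the loop body, which continues outside the hunk, keeps reading `r` rather than `p.Resources[i]`. Since defaulting to CREATE silently decides which `{{ request.operation }}` preconditions match for a resource the user never annotated, the V(3) log would be more useful if it also named the resource being defaulted (its name field, if `Resource` carries one), and the message could distinguish the empty-value case from the absent-key case instead of saying "No request.operation found" for both.
```go
		for _, r := range p.Resources {
			// A nil map reads as "", so one check covers both the absent key and an empty value.
			if r.Values["request.operation"] == "" {
				if r.Values == nil {
					r.Values = make(map[string]string)
				}
				r.Values["request.operation"] = "CREATE"
				log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
			}
			// … unchanged: request.object variable checks …
```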
--- a/test/cli/test/simple/policy.yaml
+++ b/test/cli/test/simple/policy.yaml
@@ -93,3 +93,46 @@ spec:
 - key: "{{ request.object.metadata.annotations.\"pod.kubernetes.io/lifetime\" }}"
 operator: LessThanOrEquals
 value: "8h"
+
+
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-pod-counts
+ annotations:
+ policies.kyverno.io/title: Restrict Pod Count per Node
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/minversion: 1.3.2
+ policies.kyverno.io/description: >-
+ Sometimes Kubernetes Nodes may have a maximum number of Pods they can accommodate due to
+ resources outside CPU and memory such as licensing, or in some
+ development cases. This policy restricts Pod count on a Node named `minikube` to be no more than 10.
+ # pod-policies.kyverno.io/autogen-controllers: None
+spec:
+ validationFailureAction: audit
+ background: false
+ rules:
+ - name: restrict-pod-count
+ match:
+ resources:
+ kinds:
+ - Pod
+ context:
+ - name: podcounts
+ apiCall:
+ urlPath: "/api/v1/pods"
+ jmesPath: "items[?spec.nodeName=='minikube'] | length(@)"
+ preconditions:
+ - key: "{{ request.operation }}"
+ operator: Equals
+ value: "CREATE"
+ validate:
+ message: "A maximum of 10 Pods are allowed on the Node `minikube`"
+ deny:
+ conditions:
+ - key: "{{ podcounts }}"
+ operator: GreaterThan
+ value: 10
\ No newline at end of file
diff --git a/test/cli/test/simple/resources.yaml b/test/cli/test/simple/resources.yaml
index 6139f12ffe..797a35a025 100644
--- a/test/cli/test/simple/resources.yaml
+++ b/test/cli/test/simple/resources.yaml
@@ -69,3 +69,16 @@ spec:
 containers:
 - name: nginx
 image: nginx:1.12
+
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ labels:
+ app: myapp
+ name: myapp-pod
+spec:
+ containers:
+ - image: nginx
+ name: myapp-pod
diff --git a/test/cli/test/simple/test.yaml b/test/cli/test/simple/test.yaml
index 9e7c09dbd7..43be2de992 100644
--- a/test/cli/test/simple/test.yaml
+++ b/test/cli/test/simple/test.yaml
@@ -3,6 +3,7 @@ policies:
 - policy.yaml
 resources:
 - resources.yaml
+variables: values.yaml
 results:
 - policy: disallow-latest-tag
 rule: require-image-tag
@@ -49,3 +50,34 @@ results:
 resource: test-lifetime-fail
 kind: Pod
 status: pass
+
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: myapp-pod
+ kind: Pod
+ status: fail
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: test-require-image-tag-pass
+ kind: Pod
+ status: fail
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: test-require-image-tag-fail
+ kind: Pod
+ status: fail
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: test-validate-image-tag-ignore
+ kind: Pod
+ status: fail
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: test-validate-image-tag-fail
+ kind: Pod
+ status: fail
+ - policy: restrict-pod-counts
+ rule: restrict-pod-count
+ resource: test-validate-image-tag-pass
+ kind: Pod
+ status: fail
\ No newline at end of file
diff --git a/test/cli/test/simple/values.yaml b/test/cli/test/simple/values.yaml
new file mode 100644
index 0000000000..cad710a469
--- /dev/null
+++ b/test/cli/test/simple/values.yaml
@@ -0,0 +1,22 @@
+policies:
+- name: restrict-pod-counts
+ rules:
+ - name: restrict-pod-count
+ values:
+ podcounts: "40"
+ resources:
+ # operation is provided by user
+ - name: myapp-pod
+ values:
+ request.operation: CREATE
+ # operation is not provided by user
+ - name: test-require-image-tag-pass
+ values:
+ # operation is empty
+ - name: test-require-image-tag-fail
+ values:
+ request.operation: ""
+ # No operation provided
+ - name: test-validate-image-tag-ignore
+ - name: test-validate-image-tag-fail
+ - name: test-validate-image-tag-pass
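Review bot: Every new expectation in the second hunk of test.yaml asserts `status: fail`, so the test does not show that a user-supplied non-CREATE operation survives the defaulting added in common.go; the fixtures in values.yaml only cover the present, empty and absent cases, all of which end up as CREATE. One more resource in values.yaml with `request.operation: UPDATE`, expected with whatever status the CLI runner reports when the `{{ request.operation }}` precondition does not match, would pin the path where the default must not overwrite the value. The comment `# operation is not provided by user` above `test-require-image-tag-pass` is also slightly misleading, since that entry has an empty `values:` block rather than no block at all; `# values block present but empty` says what it actually exercises.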