fix: add clone check before validating namespace policy (#5459)

fix: add clone check before validate clone namespace - fix data policy validation - add kuttl tests to validate the behaviour Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
2025-03-29 02:45:06 +00:00 · 2022-11-25 12:49:22 +05:30 · 2022-11-25 12:49:22 +05:30 · 42221a93e4
commit 42221a93e4
parent 925f0cf182
9 changed files with 117 additions and 4 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -1097,8 +1097,10 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
 							if rule.Generation.Namespace != policyNamespace {
 								return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace)
 							}
-							if rule.Generation.Clone.Namespace != policyNamespace {
-								return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resource in other namespace, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
+							if rule.Generation.Clone.Name != "" {
+								if rule.Generation.Clone.Namespace != policyNamespace {
+									return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resources to or from other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
+								}
 							}
 						} else {
 							if rule.Generation.Namespace != "" {
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -1184,7 +1184,7 @@ func Test_Namespaced_Generate_Policy(t *testing.T) {
            }
        }`),
 			policyNamespace: "poltest",
-			expectedError:   errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resource in other namespace, expected: poltest, received: default"),
+			expectedError:   errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resources to or from other namespaces, expected: poltest, received: default"),
 		},
 		{
 			description: "Do not mention the namespace to generate cluster scoped resource",
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml
@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy.yaml
+    then 
+      echo "Tested failed. Policy was created when it shouldn't have been."
+      exit 1 
+    else 
+      echo "Test succeeded. Policy was not created as intended."
+      exit 0
+    fi
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md
@ -0,0 +1,13 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace generate a resource, is blocked from creation.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml
@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-data-sync
+  namespace: poltest
+spec:
+  rules:
+  - name: gen-zk
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+    generate:
+      synchronize: true
+      apiVersion: v1
+      kind: ConfigMap
+      name: zk-kafka-address
+      namespace: test
+      data:
+        kind: ConfigMap
+        metadata:
+          labels:
+            somekey: somevalue
+        data:
+          ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+          KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml
@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CAN be successfully created. If it can not, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+    if kubectl apply -f policy.yaml
+    then
+      echo "Test succeeded. Policy was created as intended."
+      exit 0 
+    else 
+      echo "Tested failed. Policy was not created when it should have been."
+      exit 1
+    fi
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md
@ -0,0 +1,13 @@
+## Description
+
+This test performs a check to ensure that a "good" Policy, one in which a user may attempt to in-Namespace generate a resource, is allowed to be created.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"good" (valid) Policy should be successfully created. If the creations is blocked, the test failed. If any creation is allowed, the test succeeds.
+
+## Reference Issue(s)
+
+5099
--- a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml
@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: poltest
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+  name: pol-data-sync
+  namespace: poltest
+spec:
+  rules:
+  - name: gen-zk
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+    generate:
+      synchronize: true
+      apiVersion: v1
+      kind: ConfigMap
+      name: zk-kafka-address
+      namespace: poltest
+      data:
+        kind: ConfigMap
+        metadata:
+          labels:
+            somekey: somevalue
+        data:
+          ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+          KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
--- a/test/conformance/kuttl/kuttl-test.yaml
+++ b/test/conformance/kuttl/kuttl-test.yaml
@ -10,7 +10,7 @@ testDirs:
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
 - ./test/conformance/kuttl/generate/policy/standard/clone/nosync
 - ./test/conformance/kuttl/generate/policy/standard/clone/sync
-# - ./test/conformance/kuttl/generate/policy/standard/data/sync
+- ./test/conformance/kuttl/generate/policy/standard/data/sync
 # - ./test/conformance/kuttl/generate/policy/standard/data/nosync
 - ./test/conformance/kuttl/generate/clusterpolicy/cornercases
 # Mutate tests