From 42221a93e4d9e06ab175cd9f451eaf3535a6f623 Mon Sep 17 00:00:00 2001
From: Prateek Pandey
Date: Fri, 25 Nov 2022 12:49:22 +0530
Subject: [PATCH] fix: add clone check before validating namespace policy (#5459)
fix: add clone check before validate clone namespace
- fix data policy validation
- add kuttl tests to validate the behaviour
Signed-off-by: prateekpandey14
---
 pkg/policy/validate.go | 6 ++--
 pkg/policy/validate_test.go | 2 +-
 .../01-script-try-create.yaml | 13 ++++++++
 .../data/sync/pol-data-sync-invalid/README.md | 13 ++++++++
 .../sync/pol-data-sync-invalid/policy.yaml | 27 ++++++++++++++++
 .../01-script-try-create.yaml | 13 ++++++++
 .../data/sync/pol-data-sync-valid/README.md | 13 ++++++++
 .../data/sync/pol-data-sync-valid/policy.yaml | 32 +++++++++++++++++++
 test/conformance/kuttl/kuttl-test.yaml | 2 +-
 9 files changed, 117 insertions(+), 4 deletions(-)
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md
 create mode 100644 test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 5fb8d26b48..a68c4ffe81 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -1097,8 +1097,10 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
 if rule.Generation.Namespace != policyNamespace {
 return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace)
 }
- if rule.Generation.Clone.Namespace != policyNamespace {
- return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resource in other namespace, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
+ if rule.Generation.Clone.Name != "" {
+ if rule.Generation.Clone.Namespace != policyNamespace {
+ return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resources to or from other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
+ }
 }
 } else {
 if rule.Generation.Namespace != "" {
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index d94797acce..003e46cba6 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@@ -1184,7 +1184,7 @@ func Test_Namespaced_Generate_Policy(t *testing.T) {
 }
 }`),
 policyNamespace: "poltest",
- expectedError: errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resource in other namespace, expected: poltest, received: default"),
+ expectedError: errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resources to or from other namespaces, expected: poltest, received: default"),
 },
 {
 description: "Do not mention the namespace to generate cluster scoped resource",
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml
new file mode 100644
index 0000000000..4780f4f7cf
--- /dev/null
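Review bot: The new guard at `if rule.Generation.Clone.Name != "" {` keys the clone-namespace check on `Name`, so a clone block that sets `namespace` to a foreign namespace but leaves `name` empty now skips the check entirely (unless schema validation rejects such a block elsewhere). Since this check is what keeps a namespaced Policy from cloning resources across the namespace boundary, it is safer to guard on the field actually being validated, `if rule.Generation.Clone.Namespace != "" && rule.Generation.Clone.Namespace != policyNamespace {`, which also removes the false rejection of data-only rules that this commit targets. A comment above the guard, such as `// data-only generate rules leave Clone empty; only a populated clone source is held to the same-namespace rule`, would record why the check became conditional. The enclosing function starts and ends outside this hunk.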
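Review bot: Only the expected error string changes in this hunk; no unit case covers the scenario the fix targets, a namespaced Policy with a data-only generate rule (empty `clone`) that must now pass validation. The new kuttl tests exercise it but need a live cluster, so adding a table entry to `Test_Namespaced_Generate_Policy` for that policy with a nil `expectedError` would give the regression a cheap, always-run guard. The table's enclosing function starts and ends outside this hunk.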
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml
@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f policy.yaml
+ then
+ echo "Tested failed. Policy was created when it shouldn't have been."
+ exit 1
+ else
+ echo "Test succeeded. Policy was not created as intended."
+ exit 0
+ fi
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md
new file mode 100644
index 0000000000..cd81d6e893
--- /dev/null
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace generate a resource, is blocked from creation.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml
new file mode 100644
index 0000000000..8848eec422
--- /dev/null
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml
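Review bot: The negative check at `if kubectl apply -f policy.yaml` passes on any apply failure, not only on the namespace validation this commit fixes; this test never creates the `poltest` Namespace (only the valid variant's policy.yaml does), so if it runs first the apply may fail because the namespace is missing and the test passes for the wrong reason. Creating the Namespace in a preceding step and asserting on the rejection text, e.g. `kubectl apply -f policy.yaml 2>&1 | grep -q "cannot generate resources in other namespaces"`, would tie the pass to the validation path under test. Separately, `Tested failed.` in the echo reads as a typo for `Test failed.` here and in the valid variant's 01-script-try-create.yaml, and the header comment refers to `manifests.yaml` while the script applies `policy.yaml`.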
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-sync
+ namespace: poltest
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: test
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml
new file mode 100644
index 0000000000..96e6a98aff
--- /dev/null
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml
@@ -0,0 +1,13 @@
+## Checks that the manifests.yaml file CAN be successfully created. If it can not, fail the test as this is incorrect.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+- script: |
+ if kubectl apply -f policy.yaml
+ then
+ echo "Test succeeded. Policy was created as intended."
+ exit 0
+ else
+ echo "Tested failed. Policy was not created when it should have been."
+ exit 1
+ fi
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md
new file mode 100644
index 0000000000..231be8b064
--- /dev/null
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test performs a check to ensure that a "good" Policy, one in which a user may attempt to in-Namespace generate a resource, is allowed to be created.
+
+This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
+
+## Expected Behavior
+
+"good" (valid) Policy should be successfully created. If the creations is blocked, the test failed. If any creation is allowed, the test succeeds.
+
+## Reference Issue(s)
+
+5099
diff --git a/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml
new file mode 100644
index 0000000000..70df88a12b
--- /dev/null
+++ b/test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: poltest
+---
+apiVersion: kyverno.io/v2beta1
+kind: Policy
+metadata:
+ name: pol-data-sync
+ namespace: poltest
+spec:
+ rules:
+ - name: gen-zk
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: ConfigMap
+ name: zk-kafka-address
+ namespace: poltest
+ data:
+ kind: ConfigMap
+ metadata:
+ labels:
+ somekey: somevalue
+ data:
+ ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
+ KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"
diff --git a/test/conformance/kuttl/kuttl-test.yaml b/test/conformance/kuttl/kuttl-test.yaml
index 3fa41c09e6..46b20d677a 100644
--- a/test/conformance/kuttl/kuttl-test.yaml
+++ b/test/conformance/kuttl/kuttl-test.yaml
@@ -10,7 +10,7 @@ testDirs:
 - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
 - ./test/conformance/kuttl/generate/policy/standard/clone/nosync
 - ./test/conformance/kuttl/generate/policy/standard/clone/sync
-# - ./test/conformance/kuttl/generate/policy/standard/data/sync
+- ./test/conformance/kuttl/generate/policy/standard/data/sync
 # - ./test/conformance/kuttl/generate/policy/standard/data/nosync
 - ./test/conformance/kuttl/generate/clusterpolicy/cornercases
 # Mutate tests
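Review bot: Only the `data/sync` directory is enabled here while `# - ./test/conformance/kuttl/generate/policy/standard/data/nosync` stays commented out, yet both new READMEs describe the test as "basically identical to a similar one in which sync is disabled". If that nosync counterpart exists, enabling it in the same change would keep the READMEs accurate; if it does not, the sentence referring to it should be dropped.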