mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: add clone check before validating namespace policy (#5459)

Browse source 
fix: add clone check before validate clone namespace

- fix data policy validation
- add kuttl tests to validate the behaviour

Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com>
This commit is contained in:
Prateek Pandey 2022-11-25 12:49:22 +05:30 committed by GitHub
parent 925f0cf182
commit 42221a93e4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 117 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkg/policy/validate.go
View file

@ -1097,8 +1097,10 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
if rule.Generation.Namespace != policyNamespace { if rule.Generation.Namespace != policyNamespace {
return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace) return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace)
} }
if rule.Generation.Clone.Namespace != policyNamespace { if rule.Generation.Clone.Name != "" {
return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resource in other namespace, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace) if rule.Generation.Clone.Namespace != policyNamespace {
return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resources to or from other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
}
} }
} else { } else {
if rule.Generation.Namespace != "" { if rule.Generation.Namespace != "" {

2
pkg/policy/validate_test.go
View file

@ -1184,7 +1184,7 @@ func Test_Namespaced_Generate_Policy(t *testing.T) {
} }
}`), }`),
policyNamespace: "poltest", policyNamespace: "poltest",
expectedError: errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resource in other namespace, expected: poltest, received: default"), expectedError: errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resources to or from other namespaces, expected: poltest, received: default"),
}, },
{ {
description: "Do not mention the namespace to generate cluster scoped resource", description: "Do not mention the namespace to generate cluster scoped resource",

13
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/01-script-try-create.yaml Normal file
View file

@ -0,0 +1,13 @@
## Checks that the manifests.yaml file CANNOT be successfully created. If it can, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f policy.yaml
then
echo "Tested failed. Policy was created when it shouldn't have been."
exit 1
else
echo "Test succeeded. Policy was not created as intended."
exit 0
fi

13
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/README.md Normal file
View file

@ -0,0 +1,13 @@
## Description
This test performs two checks to ensure that a "bad" Policy, one in which a user may attempt to cross-Namespace generate a resource, is blocked from creation.
This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
## Expected Behavior
"bad" (invalid) Policy should fail to be created. If all the creations are blocked, the test succeeds. If any creation is allowed, the test fails.
## Reference Issue(s)
5099

27
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-invalid/policy.yaml Normal file
View file

@ -0,0 +1,27 @@
apiVersion: kyverno.io/v2beta1
kind: Policy
metadata:
name: pol-data-sync
namespace: poltest
spec:
rules:
- name: gen-zk
match:
any:
- resources:
kinds:
- Secret
generate:
synchronize: true
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: test
data:
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"

13
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/01-script-try-create.yaml Normal file
View file

@ -0,0 +1,13 @@
## Checks that the manifests.yaml file CAN be successfully created. If it can not, fail the test as this is incorrect.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f policy.yaml
then
echo "Test succeeded. Policy was created as intended."
exit 0
else
echo "Tested failed. Policy was not created when it should have been."
exit 1
fi

13
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/README.md Normal file
View file

@ -0,0 +1,13 @@
## Description
This test performs a check to ensure that a "good" Policy, one in which a user may attempt to in-Namespace generate a resource, is allowed to be created.
This test is basically identical to a similar one in which sync is disabled and the results should be the same. In this test, the setting of `sync` is irrelevant yet is tested here for completeness.
## Expected Behavior
"good" (valid) Policy should be successfully created. If the creations is blocked, the test failed. If any creation is allowed, the test succeeds.
## Reference Issue(s)
5099

32
test/conformance/kuttl/generate/policy/standard/data/sync/pol-data-sync-valid/policy.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: v1
kind: Namespace
metadata:
name: poltest
---
apiVersion: kyverno.io/v2beta1
kind: Policy
metadata:
name: pol-data-sync
namespace: poltest
spec:
rules:
- name: gen-zk
match:
any:
- resources:
kinds:
- Secret
generate:
synchronize: true
apiVersion: v1
kind: ConfigMap
name: zk-kafka-address
namespace: poltest
data:
kind: ConfigMap
metadata:
labels:
somekey: somevalue
data:
ZK_ADDRESS: "192.168.10.10:2181,192.168.10.11:2181,192.168.10.12:2181"
KAFKA_ADDRESS: "192.168.10.13:9092,192.168.10.14:9092,192.168.10.15:9092"

2
test/conformance/kuttl/kuttl-test.yaml
View file

@ -10,7 +10,7 @@ testDirs:
- ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync - ./test/conformance/kuttl/generate/clusterpolicy/standard/data/nosync
- ./test/conformance/kuttl/generate/policy/standard/clone/nosync - ./test/conformance/kuttl/generate/policy/standard/clone/nosync
- ./test/conformance/kuttl/generate/policy/standard/clone/sync - ./test/conformance/kuttl/generate/policy/standard/clone/sync
# - ./test/conformance/kuttl/generate/policy/standard/data/sync - ./test/conformance/kuttl/generate/policy/standard/data/sync
# - ./test/conformance/kuttl/generate/policy/standard/data/nosync # - ./test/conformance/kuttl/generate/policy/standard/data/nosync
- ./test/conformance/kuttl/generate/clusterpolicy/cornercases - ./test/conformance/kuttl/generate/clusterpolicy/cornercases
# Mutate tests # Mutate tests