From 44c0206463e8a809223f3ef175e3418981de780d Mon Sep 17 00:00:00 2001 From: shuting Date: Mon, 17 Jul 2023 17:13:22 +0800 Subject: [PATCH] Feat: cloneList rule validation (#7823) * Feat: cloneList rule validation Signed-off-by: ShutingZhao * Test: add kuttl tests for npol Signed-off-by: ShutingZhao * Fix: split negative tests Signed-off-by: ShutingZhao * Test: add kuttl tests for cpol Signed-off-by: ShutingZhao --------- Signed-off-by: ShutingZhao --- api/kyverno/v1/clusterpolicy_types.go | 2 +- api/kyverno/v1/common_types.go | 53 ++++++++++--- api/kyverno/v1/policy_types.go | 2 +- .../cloneList/01-clusterrole.yaml | 18 +++++ .../clusterpolicy/cloneList/02-check.yaml | 11 +++ .../clusterpolicy/cloneList/README.md | 15 ++++ .../cloneList/policy-fail-1.yaml | 24 ++++++ .../cloneList/policy-fail-2.yaml | 24 ++++++ .../cloneList/policy-fail-3.yaml | 23 ++++++ .../clusterpolicy/cloneList/policy-pass.yaml | 78 +++++++++++++++++++ .../validation/policy/cloneList/01-ns.yaml | 4 + .../validation/policy/cloneList/02-check.yaml | 11 +++ .../validation/policy/cloneList/README.md | 15 ++++ .../policy/cloneList/policy-fail-1.yaml | 26 +++++++ .../policy/cloneList/policy-fail-2.yaml | 25 ++++++ .../policy/cloneList/policy-fail-3.yaml | 25 ++++++ .../policy/cloneList/policy-pass.yaml | 73 +++++++++++++++++ 17 files changed, 415 insertions(+), 14 deletions(-) create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/02-check.yaml create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/README.md create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml create mode 100644 test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-pass.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/01-ns.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/02-check.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/README.md create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-1.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-2.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-3.yaml create mode 100644 test/conformance/kuttl/generate/validation/policy/cloneList/policy-pass.yaml diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go index ef00710912..650782d9fd 100644 --- a/api/kyverno/v1/clusterpolicy_types.go +++ b/api/kyverno/v1/clusterpolicy_types.go @@ -121,7 +121,7 @@ func (p *ClusterPolicy) ValidateSchema() bool { func (p *ClusterPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...) errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.GetNamespace(), clusterResources)...) return errs } diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index 5a26008be0..46d47a710a 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go @@ -626,7 +626,7 @@ type CloneList struct { func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { if namespaced { - if err := g.validateTargetsScope(clusterResources, policyNamespace); err != nil { + if err := g.validateNamespacedTargetsScope(clusterResources, policyNamespace); err != nil { errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), fmt.Sprintf("target resource scope mismatched: %v ", err))) } } @@ -669,6 +669,45 @@ func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace errs = append(errs, field.Forbidden(path.Child("generate").Child("name"), "name can not be empty")) } } + + errs = append(errs, g.ValidateCloneList(path.Child("generate"), namespaced, policyNamespace, clusterResources)...) + return errs +} + +func (g *Generation) ValidateCloneList(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { + if len(g.CloneList.Kinds) == 0 { + return nil + } + + if namespaced { + for _, kind := range g.CloneList.Kinds { + if clusterResources.Has(kind) { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("kinds"), fmt.Sprintf("the source in cloneList must be a namespaced resource: %v", kind))) + } + if g.CloneList.Namespace != policyNamespace { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), fmt.Sprintf("a namespaced policy cannot clone resources from other namespace, expected: %v, received: %v", policyNamespace, g.CloneList.Namespace))) + } + } + } + + clusterScope := clusterResources.Has(g.CloneList.Kinds[0]) + for _, gvk := range g.CloneList.Kinds[1:] { + if clusterScope != clusterResources.Has(gvk) { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("kinds"), "mixed scope of target resources is forbidden")) + break + } + clusterScope = clusterScope && clusterResources.Has(gvk) + } + + if !clusterScope { + if g.CloneList.Namespace == "" { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), "namespace is required for namespaced target resources")) + } + } else if clusterScope && !namespaced { + if g.CloneList.Namespace != "" { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), "namespace is forbidden for cluster-wide target resources")) + } + } return errs } @@ -680,7 +719,7 @@ func (g *Generation) SetData(in apiextensions.JSON) { g.RawData = ToJSON(in) } -func (g *Generation) validateTargetsScope(clusterResources sets.Set[string], policyNamespace string) error { +func (g *Generation) validateNamespacedTargetsScope(clusterResources sets.Set[string], policyNamespace string) error { target := g.ResourceSpec if clusterResources.Has(target.GetAPIVersion() + "/" + target.GetKind()) { return fmt.Errorf("the target must be a namespaced resource: %v/%v", target.GetAPIVersion(), target.GetKind()) @@ -695,16 +734,6 @@ func (g *Generation) validateTargetsScope(clusterResources sets.Set[string], pol return fmt.Errorf("a namespaced policy cannot clone resources from other namespaces, expected: %v, received: %v", policyNamespace, g.Clone.Namespace) } } - - for _, kind := range g.CloneList.Kinds { - if clusterResources.Has(kind) { - return fmt.Errorf("the source in cloneList must be a namespaced resource: %v/%v", target.GetAPIVersion(), target.GetKind()) - } - if g.CloneList.Namespace != policyNamespace { - return fmt.Errorf("a namespaced policy cannot clone resources from other namespace, expected: %v, received: %v", policyNamespace, g.CloneList.Namespace) - } - } - return nil } diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index 3c24d70d95..a6d3e0ecee 100644 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go @@ -122,7 +122,7 @@ func (p *Policy) ValidateSchema() bool { func (p *Policy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...) errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.GetNamespace(), clusterResources)...) return errs } diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml new file mode 100644 index 0000000000..15a18f4f8d --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/01-clusterrole.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:manage-clusterrole + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +rules: +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - create + - update + - delete + - get \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/02-check.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/02-check.yaml new file mode 100644 index 0000000000..d8ce73c7c2 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/02-check.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-pass.yaml + shouldFail: false +- file: policy-fail-1.yaml + shouldFail: true +- file: policy-fail-2.yaml + shouldFail: true +- file: policy-fail-3.yaml + shouldFail: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/README.md b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/README.md new file mode 100644 index 0000000000..2f48997b96 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/README.md @@ -0,0 +1,15 @@ +## Description + +This test validate cloneList sources scopes and the namespace settings. + +## Expected Behavior + +These tests checks: +1. the mixed scoped of clone sources cannot be defined +2. the namespace must be set if clone namespaced resources +3. the namespace must not be set if clone cluster-wide resources + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7801 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml new file mode 100644 index 0000000000..ef0575594d --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-1.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-1 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # mixed scope + kinds: + - v1/Secret + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml new file mode 100644 index 0000000000..5b29fa76c3 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-2.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-2 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # ns is forbidden for cluster-wide resource + namespace: default + kinds: + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml new file mode 100644 index 0000000000..c246207fa5 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-fail-3.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: cpol-target-scope-validation-fail-3 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + # missing ns for namespaced resource + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-pass.yaml b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-pass.yaml new file mode 100644 index 0000000000..c22ec4e3e5 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/clusterpolicy/cloneList/policy-pass.yaml @@ -0,0 +1,78 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-1 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + namespace: default + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-2 +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - Namespace + generate: + namespace: "{{request.object.metadata.name}}" + synchronize: true + cloneList: + kinds: + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: target-scope-validation-pass-3 +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - Namespace + exclude: + any: + - resources: + namespaces: + - kube-system + - default + - kube-public + - kyverno + generate: + namespace: "{{request.object.metadata.name}}" + synchronize : true + cloneList: + namespace: default + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/01-ns.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/01-ns.yaml new file mode 100644 index 0000000000..37fe3d1121 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/01-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: target-scope-validation-fail-ns \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/02-check.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/02-check.yaml new file mode 100644 index 0000000000..d8ce73c7c2 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/02-check.yaml @@ -0,0 +1,11 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-pass.yaml + shouldFail: false +- file: policy-fail-1.yaml + shouldFail: true +- file: policy-fail-2.yaml + shouldFail: true +- file: policy-fail-3.yaml + shouldFail: true \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/README.md b/test/conformance/kuttl/generate/validation/policy/cloneList/README.md new file mode 100644 index 0000000000..22c8a51c17 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/README.md @@ -0,0 +1,15 @@ +## Description + +This test validate clone sources scopes and the namespace settings. + +## Expected Behavior + +These tests checks: +1. the mixed scoped of clone sources cannot be defined +2. a namespace policy cannot clone a cluster-wide resource +3. the clone source namespace must be set for a namespaced policy + + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7801 \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-1.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-1.yaml new file mode 100644 index 0000000000..08fb73fde4 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-1.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-fail-1 + namespace: target-scope-validation-fail-ns +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: target-scope-validation-fail-ns + synchronize: true + cloneList: + namespace: target-scope-validation-fail-ns + # mixed scope of resources + kinds: + - v1/Secret + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-2.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-2.yaml new file mode 100644 index 0000000000..7bfadd6806 --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-2.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-fail-2 + namespace: target-scope-validation-fail-ns +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: target-scope-validation-fail-ns + synchronize: true + cloneList: + namespace: target-scope-validation-fail-ns + kinds: + # namespace policy cannot generate cluster scoped resources + - rbac.authorization.k8s.io/v1/ClusterRole + selector: + matchLabels: + allowedToBeCloned: "true" diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-3.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-3.yaml new file mode 100644 index 0000000000..20de6dc89f --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-fail-3.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-fail-3 + namespace: target-scope-validation-fail-ns +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: target-scope-validation-fail-ns + synchronize: true + cloneList: + # missing namespace for npol + # namespace: target-scope-validation-fail-ns + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" \ No newline at end of file diff --git a/test/conformance/kuttl/generate/validation/policy/cloneList/policy-pass.yaml b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-pass.yaml new file mode 100644 index 0000000000..76bb87849f --- /dev/null +++ b/test/conformance/kuttl/generate/validation/policy/cloneList/policy-pass.yaml @@ -0,0 +1,73 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-pass-1 + namespace: target-scope-validation-fail-ns +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: target-scope-validation-fail-ns + synchronize: true + cloneList: + namespace: target-scope-validation-fail-ns + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-pass-2 + namespace: target-scope-validation-fail-ns +spec: + rules: + - name: clone-multiple-basic-create-policy-rule + match: + any: + - resources: + kinds: + - ServiceAccount + generate: + namespace: target-scope-validation-fail-ns + synchronize: true + cloneList: + namespace: target-scope-validation-fail-ns + kinds: + - v1/Secret + selector: + matchLabels: + allowedToBeCloned: "true" +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: target-scope-validation-pass-3 + namespace: target-scope-validation-fail-ns +spec: + generateExisting: false + rules: + - name: sync-secret + match: + any: + - resources: + kinds: + - ConfigMap + generate: + namespace: target-scope-validation-fail-ns + synchronize : true + cloneList: + namespace: target-scope-validation-fail-ns + kinds: + - v1/Secret + - v1/ConfigMap + selector: + matchLabels: + allowedToBeCloned: "true"