fix: allowed templatised values to be exempted from validation checks (#1599)

Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
2025-03-06 07:57:07 +00:00 · 2021-02-17 02:36:07 +05:30 · 2021-02-17 02:36:07 +05:30 · 478f32b8b4
commit 478f32b8b4
parent a21195f362
2 changed files with 55 additions and 1 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -530,7 +530,13 @@ func validateConditionValuesKeyRequestOperation(c kyverno.Condition) (string, er
 	}
 	switch reflect.TypeOf(c.Value).Kind() {
 	case reflect.String:
-		if !valuesAllowed[c.Value.(string)] {
+		valueStr := c.Value.(string)
+		// allow templatized values like {{ config-map.data.sample-key }}
+		// because they might be actually pointing to a rightful value in the provided config-map
+		if len(valueStr) >= 4 && valueStr[:2] == "{{" && valueStr[len(valueStr)-2:] == "}}" {
+			return "", nil
+		}
+		if !valuesAllowed[valueStr] {
 			return fmt.Sprintf("value: %s", c.Value.(string)), fmt.Errorf("unknown value '%s' found under the 'value' field. Only the following values are allowed: [CREATE, UPDATE, DELETE, CONNECT]", c.Value.(string))
 		}
 	case reflect.Slice:
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -312,6 +312,54 @@ func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_ExpectedValue(
 	assert.NilError(t, err)
 }

+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_RightfullyTemplatizedValue(t *testing.T) {
+	denyConditions := []byte(`
+	[
+		{
+			"key":"{{request.operation}}",
+			"operator":"Equals",
+			"value":"{{ \"ops-cm\".data.\"deny-ops\"}}"
+		},
+		{
+			"key":"{{ request.operation }}",
+			"operator":"NotEquals",
+			"value":"UPDATE"
+		}
+	]
+	`)
+
+	var dcs []kyverno.Condition
+	err := json.Unmarshal(denyConditions, &dcs)
+	assert.NilError(t, err)
+
+	_, err = validateConditions(dcs, "conditions")
+	assert.NilError(t, err)
+}
+
+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_WrongfullyTemplatizedValue(t *testing.T) {
+	denyConditions := []byte(`
+	[
+		{
+			"key":"{{request.operation}}",
+			"operator":"Equals",
+			"value":"{{ \"ops-cm\".data.\"deny-ops\" }"
+		},
+		{
+			"key":"{{ request.operation }}",
+			"operator":"NotEquals",
+			"value":"UPDATE"
+		}
+	]
+	`)
+
+	var dcs []kyverno.Condition
+	err := json.Unmarshal(denyConditions, &dcs)
+	assert.NilError(t, err)
+
+	_, err = validateConditions(dcs, "conditions")
+	assert.Assert(t, err != nil)
+}
+
 func Test_Validate_PreconditionsValuesString_KeyRequestOperation_UnknownValue(t *testing.T) {
 	preConditions := []byte(`
 	[