From 478f32b8b414a8081eb367e88c284f0709599034 Mon Sep 17 00:00:00 2001
From: Yashvardhan Kukreja
Date: Wed, 17 Feb 2021 02:36:07 +0530
Subject: [PATCH] fix: allowed templatised values to be exempted from validation checks (#1599)
Signed-off-by: Yashvardhan Kukreja
---
 pkg/policy/validate.go | 8 ++++++-
 pkg/policy/validate_test.go | 48 +++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
index 6b937df387..aaeac78ea2 100644
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@@ -530,7 +530,13 @@ func validateConditionValuesKeyRequestOperation(c kyverno.Condition) (string, er
 }
 switch reflect.TypeOf(c.Value).Kind() {
 case reflect.String:
- if !valuesAllowed[c.Value.(string)] {
+ valueStr := c.Value.(string)
+ // allow templatized values like {{ config-map.data.sample-key }}
+ // because they might be actually pointing to a rightful value in the provided config-map
+ if len(valueStr) >= 4 && valueStr[:2] == "{{" && valueStr[len(valueStr)-2:] == "}}" {
+ return "", nil
+ }
+ if !valuesAllowed[valueStr] {
 return fmt.Sprintf("value: %s", c.Value.(string)), fmt.Errorf("unknown value '%s' found under the 'value' field. Only the following values are allowed: [CREATE, UPDATE, DELETE, CONNECT]", c.Value.(string))
 }
 case reflect.Slice:
diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
index 56273f955b..b971d676c5 100644
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
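Review bot: The new early return accepts any string that merely starts with `{{` and ends with `}}`, so an empty or whitespace-only template such as `{{ }}` passes validation even though it can never reference anything, and whatever a real template resolves to is never checked against CREATE/UPDATE/DELETE/CONNECT by this function — presumably that is left to evaluation time, which is worth stating in the comment since a mistyped reference would then surface as a deny condition that never matches rather than as a rejected policy. The prefix/suffix test also reads more clearly as `strings.HasPrefix`/`strings.HasSuffix` (the `len(valueStr) >= 4` guard becomes redundant, since a string shorter than four bytes cannot satisfy both), and the error on the following line still re-asserts `c.Value.(string)` although `valueStr` is now available. `strings` is not referenced in this hunk, so check the file's import block before using it. validateConditionValuesKeyRequestOperation begins and ends outside the hunk.
```go
	case reflect.String:
		valueStr := c.Value.(string)
		// Templatized values like {{ config-map.data.sample-key }} are exempted
		// here; the value they resolve to is not validated by this function.
		if strings.HasPrefix(valueStr, "{{") && strings.HasSuffix(valueStr, "}}") {
			if strings.TrimSpace(valueStr[2:len(valueStr)-2]) == "" {
				return fmt.Sprintf("value: %s", valueStr), fmt.Errorf("empty template found under the 'value' field")
			}
			return "", nil
		}
		if !valuesAllowed[valueStr] {
			return fmt.Sprintf("value: %s", valueStr), fmt.Errorf("unknown value '%s' found under the 'value' field. Only the following values are allowed: [CREATE, UPDATE, DELETE, CONNECT]", valueStr)
		}
		// … unchanged: reflect.Slice case …
```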
@@ -312,6 +312,54 @@ func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_ExpectedValue(
 assert.NilError(t, err)
 }
+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_RightfullyTemplatizedValue(t *testing.T) {
+ denyConditions := []byte(`
+ [
+ {
+ "key":"{{request.operation}}",
+ "operator":"Equals",
+ "value":"{{ \"ops-cm\".data.\"deny-ops\"}}"
+ },
+ {
+ "key":"{{ request.operation }}",
+ "operator":"NotEquals",
+ "value":"UPDATE"
+ }
+ ]
+ `)
+
+ var dcs []kyverno.Condition
+ err := json.Unmarshal(denyConditions, &dcs)
+ assert.NilError(t, err)
+
+ _, err = validateConditions(dcs, "conditions")
+ assert.NilError(t, err)
+}
+
+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_WrongfullyTemplatizedValue(t *testing.T) {
+ denyConditions := []byte(`
+ [
+ {
+ "key":"{{request.operation}}",
+ "operator":"Equals",
+ "value":"{{ \"ops-cm\".data.\"deny-ops\" }"
+ },
+ {
+ "key":"{{ request.operation }}",
+ "operator":"NotEquals",
+ "value":"UPDATE"
+ }
+ ]
+ `)
+
+ var dcs []kyverno.Condition
+ err := json.Unmarshal(denyConditions, &dcs)
+ assert.NilError(t, err)
+
+ _, err = validateConditions(dcs, "conditions")
+ assert.Assert(t, err != nil)
+}
+
 func Test_Validate_PreconditionsValuesString_KeyRequestOperation_UnknownValue(t *testing.T) {
 preConditions := []byte(`
 [
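Review bot: The negative test covers only an unbalanced closing brace, so the edge cases of the new prefix/suffix check in validate.go stay unpinned: `{{}}` and `{{ }}` (currently accepted), a bare `{{` or `}}` (rejected by the length guard), and a value with surrounding whitespace such as `" {{ x }} "` (rejected, because the check does not trim). A table-driven test listing those inputs with the intended outcome would record which of them are deliberate rather than accidental. The second condition (`NotEquals`/`UPDATE`) is identical in both new tests and unrelated to the templating case, so it could be dropped to keep each test focused on what it is named for.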