diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 12b22b9c37..f7e8eda4bb 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -45,6 +45,7 @@ jobs: - exceptions - generate - mutate + - policy-validation - rangeoperators - rbac - reports diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 18d9d754aa..817da2202c 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -190,6 +190,80 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf rules := autogen.ComputeRules(policy) rulesPath := specPath.Child("rules") + + for _, rule := range rules { + // Validate Kind with match resource kinds + match := rule.MatchResources + exclude := rule.ExcludeResources + for _, value := range match.Any { + wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + if !slices.Contains(value.ResourceDescription.Kinds, "*") { + err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("the kind defined in the any match resource is invalid: %w", err) + } + } + } + for _, value := range match.All { + wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + if !slices.Contains(value.ResourceDescription.Kinds, "*") { + err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("the kind defined in the all match resource is invalid: %w", err) + } + } + } + for _, value := range exclude.Any { + wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + if !slices.Contains(value.ResourceDescription.Kinds, "*") { + err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("the kind defined in the any exclude resource is invalid: %w", err) + } + } + } + for _, value := range exclude.All { + wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + if !slices.Contains(value.ResourceDescription.Kinds, "*") { + err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("the kind defined in the all exclude resource is invalid: %w", err) + } + } + } + if !slices.Contains(rule.MatchResources.Kinds, "*") { + err := validateKinds(rule.MatchResources.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("match resource kind is invalid: %w", err) + } + err = validateKinds(rule.ExcludeResources.Kinds, mock, background, rule.HasValidate(), client) + if err != nil { + return warnings, fmt.Errorf("exclude resource kind is invalid: %w", err) + } + } else { + wildcardErr := validateWildcard(rule.MatchResources.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + wildcardErr = validateWildcard(rule.ExcludeResources.Kinds, spec, rule) + if wildcardErr != nil { + return warnings, wildcardErr + } + } + } + for i, rule := range rules { rulePath := rulesPath.Index(i) // check for forward slash @@ -290,83 +364,13 @@ func Validate(policy, oldPolicy kyvernov1.PolicyInterface, client dclient.Interf } } - // Validate Kind with match resource kinds - match := rule.MatchResources - exclude := rule.ExcludeResources - for _, value := range match.Any { - wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - if !slices.Contains(value.ResourceDescription.Kinds, "*") { - err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("the kind defined in the any match resource is invalid: %w", err) - } - } - } - for _, value := range match.All { - wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - if !slices.Contains(value.ResourceDescription.Kinds, "*") { - err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("the kind defined in the all match resource is invalid: %w", err) - } - } - } - for _, value := range exclude.Any { - wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - if !slices.Contains(value.ResourceDescription.Kinds, "*") { - err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("the kind defined in the any exclude resource is invalid: %w", err) - } - } - } - for _, value := range exclude.All { - wildcardErr := validateWildcard(value.ResourceDescription.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - if !slices.Contains(value.ResourceDescription.Kinds, "*") { - err := validateKinds(value.ResourceDescription.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("the kind defined in the all exclude resource is invalid: %w", err) - } - } - } - - if !slices.Contains(rule.MatchResources.Kinds, "*") { - err := validateKinds(rule.MatchResources.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("match resource kind is invalid: %w", err) - } - err = validateKinds(rule.ExcludeResources.Kinds, mock, background, rule.HasValidate(), client) - if err != nil { - return warnings, fmt.Errorf("exclude resource kind is invalid: %w", err) - } - } else { - wildcardErr := validateWildcard(rule.MatchResources.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - wildcardErr = validateWildcard(rule.ExcludeResources.Kinds, spec, rule) - if wildcardErr != nil { - return warnings, wildcardErr - } - } - // Validate string values in labels if !isLabelAndAnnotationsString(rule) { return warnings, fmt.Errorf("labels and annotations supports only string values, \"use double quotes around the non string values\"") } + match := rule.MatchResources + exclude := rule.ExcludeResources matchKinds := match.GetKinds() excludeKinds := exclude.GetKinds() allKinds := make([]string, 0, len(matchKinds)+len(excludeKinds)) @@ -1212,8 +1216,8 @@ func validateWildcard(kinds []string, spec *kyvernov1.Spec, rule kyvernov1.Rule) // and found in the cache, returns error if not found. It also returns an error if background scanning // is enabled for a subresource. func validateKinds(kinds []string, mock, backgroundScanningEnabled, isValidationPolicy bool, client dclient.Interface) error { - for _, k := range kinds { - if !mock { + if !mock { + for _, k := range kinds { group, version, kind, subresource := kubeutils.ParseKindSelector(k) gvrss, err := client.Discovery().FindResources(group, version, kind, subresource) if err != nil { @@ -1224,8 +1228,8 @@ func validateKinds(kinds []string, mock, backgroundScanningEnabled, isValidation } if backgroundScanningEnabled { for gvrs := range gvrss { - if strings.Contains(gvrs.Resource, "/") { - return fmt.Errorf("background scan enabled with subresource %s", subresource) + if gvrs.SubResource != "" { + return fmt.Errorf("background scan enabled with subresource %s", k) } } } diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/01-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/01-policy.yaml new file mode 100644 index 0000000000..d6fc49e215 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/01-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-1.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/02-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/02-policy.yaml new file mode 100644 index 0000000000..54aa430f85 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/02-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-2.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/03-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/03-policy.yaml new file mode 100644 index 0000000000..80a7c02b57 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/03-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-3.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/04-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/04-policy.yaml new file mode 100644 index 0000000000..b5d649ad65 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/04-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-4.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/05-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/05-policy.yaml new file mode 100644 index 0000000000..85f9d148e1 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/05-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-5.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/README.md new file mode 100644 index 0000000000..5e2e96aea6 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create various policies targeting subresources and `background` set to `true`. + +## Expected Behavior + +Every policies creation is expected to fail. diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-1.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-1.yaml new file mode 100644 index 0000000000..1e105b2f9b --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-1.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Scale + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-2.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-2.yaml new file mode 100644 index 0000000000..ee896b4535 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-2.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod/scale + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-3.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-3.yaml new file mode 100644 index 0000000000..42f110e636 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-3.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod/* + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-4.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-4.yaml new file mode 100644 index 0000000000..1636a5b6ba --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-4.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - '*/*' + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-5.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-5.yaml new file mode 100644 index 0000000000..0ba57c663b --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/background-subresource/policy-5.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - '*/status' + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/01-policy.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/01-policy.yaml new file mode 100644 index 0000000000..d6fc49e215 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/01-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-1.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/02-policy.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/02-policy.yaml new file mode 100644 index 0000000000..54aa430f85 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/02-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-2.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/03-policy.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/03-policy.yaml new file mode 100644 index 0000000000..80a7c02b57 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/03-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-3.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/04-policy.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/04-policy.yaml new file mode 100644 index 0000000000..b5d649ad65 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/04-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-4.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/05-policy.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/05-policy.yaml new file mode 100644 index 0000000000..85f9d148e1 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/05-policy.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- file: policy-5.yaml + shouldFail: true diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/README.md b/test/conformance/kuttl/policy-validation/policy/background-subresource/README.md new file mode 100644 index 0000000000..5e2e96aea6 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/README.md @@ -0,0 +1,7 @@ +## Description + +This test tries to create various policies targeting subresources and `background` set to `true`. + +## Expected Behavior + +Every policies creation is expected to fail. diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-1.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-1.yaml new file mode 100644 index 0000000000..34b13f1639 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-1.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Scale + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-2.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-2.yaml new file mode 100644 index 0000000000..8be60c2d65 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-2.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod/scale + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-3.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-3.yaml new file mode 100644 index 0000000000..1a30fa8798 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-3.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - Pod/* + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-4.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-4.yaml new file mode 100644 index 0000000000..ca34bbbf1d --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-4.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - '*/*' + validate: + deny: {} diff --git a/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-5.yaml b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-5.yaml new file mode 100644 index 0000000000..33e9a6611b --- /dev/null +++ b/test/conformance/kuttl/policy-validation/policy/background-subresource/policy-5.yaml @@ -0,0 +1,16 @@ +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: deny +spec: + validationFailureAction: Audit + background: true + rules: + - name: deny + match: + any: + - resources: + kinds: + - '*/status' + validate: + deny: {}