Request operation value by default to CREATE (#3894) (#4026)

* set  by default  request.operation to CREATE

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

* Added test cases

Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com>

Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>

Co-authored-by: vivek kumar sahu <vivekkumarsahu650@gmail.com>

cmd/cli/kubectl-kyverno/utils/common/common.go

@@ -285,6 +285,20 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 			return variables, globalValMap, valuesMapResource, namespaceSelectorMap, sanitizederror.NewWithError("failed to decode yaml", err)
 		}
 
+		if values.GlobalValues == nil {
+			values.GlobalValues = make(map[string]string)
+			values.GlobalValues["request.operation"] = "CREATE"
+			log.Log.V(3).Info("Defaulting request.operation to CREATE")
+
+		} else {
+			if val, ok := values.GlobalValues["request.operation"]; ok {
+				if val == "" {
+					values.GlobalValues["request.operation"] = "CREATE"
+					log.Log.V(3).Info("Globally request.operation value provided by the user is empty, defaulting it to CREATE", "request.opearation: ", values.GlobalValues)
+				}
+			}
+		}
+
 		globalValMap = values.GlobalValues
 
 		for _, p := range values.Policies {
@@ -295,12 +309,6 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 						r.Values["request.operation"] = "CREATE"
 						log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
 					}
-				} else {
-					if r.Values == nil {
-						r.Values = make(map[string]interface{})
-					}
-					r.Values["request.operation"] = "CREATE"
-					log.Log.V(3).Info("No request.operation found, defaulting it to CREATE", "policy", p.Name)
 				}
 				for variableInFile := range r.Values {
 					if strings.Contains(variableInFile, "request.object") {
@@ -333,6 +341,11 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 		fmt.Printf(("\nNOTICE: request.object.* variables are automatically parsed from the supplied resource. Ignoring value of variables `%v`.\n"), reqObjVars)
 	}
 
+	if globalValMap != nil {
+		globalValMap["request.operation"] = "CREATE"
+		log.Log.V(3).Info("Defaulting request.operation to CREATE")
+	}
+
 	storePolicies := make([]store.Policy, 0)
 	for policyName, ruleMap := range valuesMapRule {
 		storeRules := make([]store.Rule, 0)

test/cli/test/default_value_to_create/check-supplemental-groups.yaml

@@ -0,0 +1,40 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: psp-check-supplemental-groups
+  annotations:
+    policies.kyverno.io/title: Check supplementalGroups
+    policies.kyverno.io/category: PSP Migration
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      Supplemental groups control which group IDs containers add and can coincide with
+      restricted groups on the host. Pod Security Policies (PSP) allowed a range of
+      these group IDs to be specified which were allowed. This policy ensures any Pod
+      may only specify supplementalGroup IDs between 100-200 or 500-600.
+spec:
+  background: false
+  validationFailureAction: audit
+  rules:
+  - name: supplementalgroup-ranges
+    match:
+      any:
+      - resources:
+          kinds:
+            - Pod
+    preconditions:
+      all:
+      - key: "{{ request.operation }}"
+        operator: In
+        value:
+        - CREATE
+        - UPDATE
+    validate:
+      message: Any supplementalGroup ID must be within the range 100-200 or 500-600.
+      pattern:
+        spec:
+          =(securityContext):
+            =(supplementalGroups): 100-200 | 500-600

test/cli/test/default_value_to_create/kyverno-test.yaml

@@ -0,0 +1,16 @@
+name: psp-check-supplemental-groups
+policies:
+  - check-supplemental-groups.yaml
+resources:
+  - resource.yaml
+results:
+  - policy: psp-check-supplemental-groups
+    rule: supplementalgroup-ranges
+    resource: badpod01
+    kind: Pod
+    result: fail
+  - policy: psp-check-supplemental-groups
+    rule: supplementalgroup-ranges
+    resource: goodpod01
+    kind: Pod
+    result: pass

test/cli/test/default_value_to_create/resource.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: badpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  securityContext:
+    supplementalGroups:
+    - 0
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: goodpod01
+spec:
+  containers:
+  - name: container01
+    image: dummyimagename
+  securityContext:
+    supplementalGroups:
+    - 100