
fix: namespace label matching for Namespace (#7837)

* Feat: namespaceLabel matching for ns

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Fix: update kuttl tests

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
shuting 2023-07-20 18:34:07 +08:00 committed by GitHub
parent 5a8caaf4fe
commit 537612b609
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 40 additions and 9 deletions


@ -115,14 +115,17 @@ func doesResourceMatchConditionBlock(
}
}
if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
(resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
if err != nil {
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
} else {
if !hasPassed {
errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
if conditionBlock.NamespaceSelector != nil {
if resource.GetKind() == "Namespace" {
errs = append(errs, fmt.Errorf("namespace selector is not applicable for namespace resource"))
} else if resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind()) {
hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
if err != nil {
errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
} else {
if !hasPassed {
errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
}
}
}
}
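Review bot: The new branch for `resource.GetKind() == "Namespace"` turns what was a silent skip of the selector check into a hard non-match with an error that reads like a validation failure, so a rule whose condition block carries a `namespaceSelector` now never matches Namespace objects themselves; the intent should be stated on the branch rather than left to the error string. A comment such as `// A Namespace has no enclosing namespace, so a namespaceSelector can never be satisfied for it; report a non-match instead of silently skipping the check.` would make the scoping decision explicit for the next reader. If this helper also serves exclude blocks (the call sites are not in the hunk), the same flip means a `namespaceSelector` in an exclude block no longer excludes Namespace objects, which is worth confirming in the kuttl tests added with this commit. The carried-over condition on the `else if` line mixes `||` and `&&` without parentheses, and `wildcard.Match("*", resource.GetKind())` is always true, so it reduces to `resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*")`; writing it that way (or parenthesizing) would remove the ambiguity. The enclosing function `doesResourceMatchConditionBlock` begins and ends outside this hunk.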


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pod-reader-fake
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch


@ -0,0 +1,7 @@
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: v1
kind: Namespace
name: test-wildcard


@ -0,0 +1,7 @@
# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
delete:
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
name: pod-reader-fake


@ -9,4 +9,5 @@ The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass`
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/6015
https://github.com/kyverno/kyverno/issues/6015
https://github.com/kyverno/kyverno/issues/7771