From 537612b609a5dfd616aa2795a5874c7e038f7294 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 20 Jul 2023 18:34:07 +0800
Subject: [PATCH] fix: namespace label matching for Namespace (#7837)
* Feat: namespaceLabel matching for ns
Signed-off-by: ShutingZhao
* Fix: update kuttl tests
Signed-off-by: ShutingZhao
---------
Signed-off-by: ShutingZhao
---
 pkg/engine/utils/match.go | 19 +++++++++++--------
 .../{02-policy.yaml => 01-policy.yaml} | 0
 .../{01-ns.yaml => 02-ns.yaml} | 0
 .../04-clusterrole.yaml | 13 +++++++++++++
 .../05-delete-ns.yaml | 7 +++++++
 .../06-delete-clulsterrole.yaml | 7 +++++++
 .../ns-selector-with-wildcard-kind/README.md | 3 ++-
 7 files changed, 40 insertions(+), 9 deletions(-)
 rename test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/{02-policy.yaml => 01-policy.yaml} (100%)
 rename test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/{01-ns.yaml => 02-ns.yaml} (100%)
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml
diff --git a/pkg/engine/utils/match.go b/pkg/engine/utils/match.go
index 073c888ec5..239cabb5e2 100644
--- a/pkg/engine/utils/match.go
+++ b/pkg/engine/utils/match.go
@@ -115,14 +115,17 @@ func doesResourceMatchConditionBlock(
 }
 }
- if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
- (resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
- hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
- if err != nil {
- errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
- } else {
- if !hasPassed {
- errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
+ if conditionBlock.NamespaceSelector != nil {
+ if resource.GetKind() == "Namespace" {
+ errs = append(errs, fmt.Errorf("namespace selector is not applicable for namespace resource"))
+ } else if resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind()) {
+ hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
+ if err != nil {
+ errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
+ } else {
+ if !hasPassed {
+ errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
+ }
 }
 }
 }
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml
similarity index 100%
rename from test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml
rename to test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml
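Review bot: The new `Namespace` branch turns any rule carrying a `namespaceSelector` into a non-match for every Namespace object (the appended error is presumably treated as a match failure by the caller, which is outside the hunk), so a rule written with `kinds: ["*"]` silently stops covering Namespace resources; that reach change deserves a comment at the branch, e.g. `// A Namespace object has no enclosing namespace to select on, so a namespaceSelector cannot apply; report it as non-matching instead of skipping the check.` The `else if` keeps the pre-existing unparenthesised mix of `||` and `&&` together with `wildcard.Match("*", resource.GetKind())`, which should match any kind and so reduces that clause to the `slices.Contains` test; writing `} else if resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") {` makes the precedence and intent visible. The inner `} else { if !hasPassed {` can likewise collapse to `} else if !hasPassed {`. `doesResourceMatchConditionBlock` starts before and ends after this hunk.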
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml
similarity index 100%
rename from test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml
rename to test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml
new file mode 100644
index 0000000000..c87165f23b
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: pod-reader-fake
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml
new file mode 100644
index 0000000000..f477c32bee
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml
@@ -0,0 +1,7 @@
+# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: v1
+ kind: Namespace
+ name: test-wildcard
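Review bot: Step 04 applies a cluster-scoped ClusterRole under the policy, but the diff carries no assert or error file for it, so the expectation is implicit: the apply must not be rejected. That is a sensible check if the fix is meant to let a wildcard-kind policy with a namespaceSelector admit cluster-scoped objects, but a reader cannot tell that from the fixture; a one-line comment at the top, e.g. `# Cluster-scoped resource: must be admitted by the wildcard-kind policy (issue #7771)`, would record it. The README changed in this same patch still describes only the two pods. The file also lacks a trailing newline.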
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml
new file mode 100644
index 0000000000..18915c7ff0
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml
@@ -0,0 +1,7 @@
+# Specifying the kind as `TestStep` performs certain behaviors like this delete operation.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+delete:
+- apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ name: pod-reader-fake
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md
index 40377d9fae..5057c54da7 100644
--- a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md
@@ -9,4 +9,5 @@ The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass`
 ## Reference Issue(s)
-https://github.com/kyverno/kyverno/issues/6015
\ No newline at end of file
+https://github.com/kyverno/kyverno/issues/6015
+https://github.com/kyverno/kyverno/issues/7771
\ No newline at end of file
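Review bot: The new step file is named `06-delete-clulsterrole.yaml`; `clulsterrole` is a typo for `clusterrole`, and the name should be `06-delete-clusterrole.yaml` before it gets referenced elsewhere. The numeric prefix presumably still orders the step correctly, so this is naming only; the cleanup itself mirrors step 05 and deletes exactly the `pod-reader-fake` ClusterRole that step 04 created.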