Support context variables when using foreach CLI (#3637)

* Support context variables when using foreach CLI * add testcases
2024-12-14 11:57:48 +00:00 · 2022-04-25 22:06:31 +05:30 · 2022-04-25 22:06:31 +05:30 · 56c90fd087
commit 56c90fd087
parent a205bc3e2e
9 changed files with 101 additions and 6 deletions
--- a/cmd/cli/kubectl-kyverno/utils/common/common.go
+++ b/cmd/cli/kubectl-kyverno/utils/common/common.go
@ -52,8 +52,9 @@ type Policy struct {
 }

 type Rule struct {
-	Name   string            `json:"name"`
-	Values map[string]string `json:"values"`
+	Name          string              `json:"name"`
+	Values        map[string]string   `json:"values"`
+	ForeachValues map[string][]string `json:"foreachValues"`
 }

 type Values struct {
@ -405,8 +406,9 @@ func GetVariable(variablesString, valuesFile string, fs billy.Filesystem, isGit
 		storeRules := make([]store.Rule, 0)
 		for _, rule := range ruleMap {
 			storeRules = append(storeRules, store.Rule{
-				Name:   rule.Name,
-				Values: rule.Values,
+				Name:          rule.Name,
+				Values:        rule.Values,
+				ForeachValues: rule.ForeachValues,
 			})
 		}
 		storePolicies = append(storePolicies, store.Policy{
--- a/cmd/cli/kubectl-kyverno/utils/store/store.go
+++ b/cmd/cli/kubectl-kyverno/utils/store/store.go
@ -4,6 +4,7 @@ import "github.com/kyverno/kyverno/pkg/registryclient"

 var Mock, RegistryAccess bool
 var ContextVar Context
+var ForeachElement int

 func SetMock(mock bool) {
 	Mock = mock
@ -13,6 +14,14 @@ func GetMock() bool {
 	return Mock
 }

+func SetForeachElement(foreachElement int) {
+	ForeachElement = foreachElement
+}
+
+func GetForeachElement() int {
+	return ForeachElement
+}
+
 func SetRegistryAccess(access bool) {
 	if access {
 		registryclient.InitializeLocal()
@ -64,6 +73,7 @@ type Policy struct {
 }

 type Rule struct {
-	Name   string            `json:"name"`
-	Values map[string]string `json:"values"`
+	Name          string              `json:"name"`
+	Values        map[string]string   `json:"values"`
+	ForeachValues map[string][]string `json:"foreachValues"`
 }
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@ -51,6 +51,14 @@ func LoadContext(logger logr.Logger, contextEntries []kyverno.ContextEntry, ctx
 				}
 			}
 		}
+
+		if rule != nil && len(rule.ForeachValues) > 0 {
+			for key, value := range rule.ForeachValues {
+				if err := ctx.JSONContext.AddVariable(key, value[store.ForeachElement]); err != nil {
+					return err
+				}
+			}
+		}
 	} else {
 		for _, entry := range contextEntries {
 			if entry.ConfigMap != nil {
--- a/pkg/engine/mutation.go
+++ b/pkg/engine/mutation.go
@ -8,6 +8,7 @@ import (
 	"github.com/go-logr/logr"
 	gojmespath "github.com/jmespath/go-jmespath"
 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
 	"github.com/kyverno/kyverno/pkg/autogen"
 	"github.com/kyverno/kyverno/pkg/engine/mutate"
 	"github.com/kyverno/kyverno/pkg/engine/response"
@ -213,6 +214,7 @@ func mutateElements(name string, foreach *kyverno.ForEachMutation, ctx *PolicyCo
 	for i, e := range elements {
 		ctx.JSONContext.Reset()
 		ctx := ctx.Copy()
+		store.SetForeachElement(i)
 		if err := addElementToContext(ctx, e, i, false); err != nil {
 			return mutateError(err, fmt.Sprintf("failed to add element to mutate.foreach[%d].context", i))
 		}
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@ -16,6 +16,7 @@ import (

 	"github.com/go-logr/logr"
 	gojmespath "github.com/jmespath/go-jmespath"
+	"github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store"
 	"github.com/kyverno/kyverno/pkg/engine/response"
 	"github.com/kyverno/kyverno/pkg/engine/validate"
 	"github.com/kyverno/kyverno/pkg/engine/variables"
@ -291,6 +292,7 @@ func (v *validator) validateElements(foreach *kyverno.ForEachValidation, element
 	applyCount := 0

 	for i, e := range elements {
+		store.SetForeachElement(i)
 		v.ctx.JSONContext.Reset()

 		ctx := v.ctx.Copy()
--- a/test/cli/test/context-foreach/kyverno-test.yaml
+++ b/test/cli/test/context-foreach/kyverno-test.yaml
@ -0,0 +1,17 @@
+name: block-images
+policies:
+  -  policy.yaml
+resources:
+  - resources.yaml
+variables: values.yaml
+results:
+- policy: block-images
+  rule: block-images
+  resource: good-pod
+  kind: Pod
+  result: pass
+- policy: block-images
+  rule: block-images
+  resource: bad-pod
+  kind: Pod
+  result: fail
--- a/test/cli/test/context-foreach/policy.yaml
+++ b/test/cli/test/context-foreach/policy.yaml
@ -0,0 +1,26 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-images
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: block-images
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: "Images containing built-in volumes are prohibited."
+      foreach:
+      - list: "request.object.spec.containers"
+        context: 
+        - name: imageData
+          imageRegistry: 
+            reference: "{{ element.name }}"
+        deny:
+          conditions:
+            - key: "{{ imageData }}"
+              operator: Equals
+              value: "{{ element.name }}"
--- a/test/cli/test/context-foreach/resources.yaml
+++ b/test/cli/test/context-foreach/resources.yaml
@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: good-pod
+spec:
+  containers:
+  - name: busybox
+    image: busybox:1.28
+  - name: busybox1
+    image: busybox:1.28
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: bad-pod
+spec:
+  containers:
+  - name: foo
+    image: busybox:1.28
+  - name: foo1
+    image: busybox:1.28
--- a/test/cli/test/context-foreach/values.yaml
+++ b/test/cli/test/context-foreach/values.yaml
@ -0,0 +1,6 @@
+policies:
+- name: block-images
+  rules:
+    - name: block-images
+      foreachValues:
+        imageData: ["foo", "foo1"]