add validate checks for generate

2025-04-08 10:04:25 +00:00 · 2019-10-03 14:47:50 -07:00 · 2019-10-03 14:47:50 -07:00 · 572418795a
commit 572418795a
parent 9d0b4c7d30
3 changed files with 135 additions and 24 deletions
--- a/pkg/api/kyverno/v1alpha1/utils.go
+++ b/pkg/api/kyverno/v1alpha1/utils.go
@ -90,9 +90,6 @@ func hasExistingAnchor(str string) (bool, string) {
 // generate: none
 // invalid anchors: ~(),!()
 func hasValidAnchors(anchors []anchor, str string) (bool, string) {
-	if len(anchors) == 0 {
-		return true, str
-	}
 	if wrappedWithAttributes(str) {
 		return mustWrapWithAnchors(anchors, str)
 	}
--- a/pkg/api/kyverno/v1alpha1/validate.go
+++ b/pkg/api/kyverno/v1alpha1/validate.go
@ -78,14 +78,9 @@ func (r Rule) Validate() []error {
 		errs = append(errs, vErrs...)
 	}

-	// validate validation rule
-	// if err := r.ValidateOverlayPattern(); err != nil {
-	// 	errs = append(errs, err)
-	// }
-
-	// if patternErrs := r.ValidateExistingAnchor(); patternErrs != nil {
-	// 	errs = append(errs, patternErrs...)
-	// }
+	if err := r.Generation.Validate(); err != nil {
+		errs = append(errs, err)
+	}

 	return errs
 }
@ -228,13 +223,28 @@ func (v Validation) ValidateOverlayPattern() error {
 }

 // Validate returns error if generator is configured incompletely
-func (gen *Generation) Validate() error {
+func (gen Generation) Validate() error {
+	if reflect.DeepEqual(gen, Generation{}) {
+		return nil
+	}
+
 	if gen.Data == nil && gen.Clone == (CloneFrom{}) {
-		return fmt.Errorf("Neither data nor clone (source) of %s is specified", gen.Kind)
+		return fmt.Errorf("neither data nor clone (source) of %s is specified", gen.Kind)
 	}
 	if gen.Data != nil && gen.Clone != (CloneFrom{}) {
-		return fmt.Errorf("Both data nor clone (source) of %s are specified", gen.Kind)
+		return fmt.Errorf("both data nor clone (source) of %s are specified", gen.Kind)
 	}
+
+	if _, err := validateAnchors(nil, gen.Data, "/"); err != nil {
+		return fmt.Errorf("anchors are not allowed on generate rule")
+	}
+
+	if !reflect.DeepEqual(gen.Clone, CloneFrom{}) {
+		if _, err := validateAnchors(nil, gen.Clone, "/"); err != nil {
+			return fmt.Errorf("anchors are not allowed on generate rule")
+		}
+	}
+
 	return nil
 }

--- a/pkg/api/kyverno/v1alpha1/validate_test.go
+++ b/pkg/api/kyverno/v1alpha1/validate_test.go
@ -679,14 +679,7 @@ func Test_Validate_Policy(t *testing.T) {
 		"spec": {
 		   "rules": [
 			  {
-				 "name": "validate-user-privilege",
-				 "exclude": {
-					"resources": {
-					   "namespaces": [
-						  "kube-system"
-					   ]
-					}
-				 },
+				 "name": "validate-runAsNonRoot",
 				 "match": {
 					"resources": {
 					   "kinds": [
@ -709,7 +702,7 @@ func Test_Validate_Policy(t *testing.T) {
 								   "^(containers)": [
 									  {
 										 "securityContext": {
-											"runAsNonRoot": true
+											"runAsNonRoot": "true"
 										 }
 									  }
 								   ]
@ -719,6 +712,39 @@ func Test_Validate_Policy(t *testing.T) {
 					   }
 					]
 				 }
+			  },
+			  {
+				 "name": "validate-allowPrivilegeEscalation",
+				 "match": {
+					"resources": {
+					   "kinds": [
+						  "Deployment"
+					   ],
+					   "selector": {
+						  "matchLabels": {
+							 "app.type": "prod"
+						  }
+					   }
+					}
+				 },
+				 "validate": {
+					"message": "validate container security contexts",
+					"pattern": {
+					   "spec": {
+						  "template": {
+							 "spec": {
+								"^(containers)": [
+								   {
+									  "securityContext": {
+										 "allowPrivilegeEscalation": "false"
+									  }
+								   }
+								]
+							 }
+						  }
+					   }
+					}
+				 }
 			  }
 		   ]
 		}
@ -805,6 +831,7 @@ func Test_Validate_Mutate_Mismatched(t *testing.T) {
 	assert.Assert(t, len(errs) != 0)
 }

+// TODO: validate patches
 func Test_Validate_Mutate_Unsupported(t *testing.T) {
 	// case 1
 	rawMutate := []byte(`
@ -848,7 +875,7 @@ func Test_Validate_Validate_ValidAnchor(t *testing.T) {
 	{
 		"message": "Root user is not allowed. Set runAsNonRoot to true.",
 		"anyPattern": [
-		   {
+		    {
 			  "spec": {
 				 "securityContext": {
 					"(runAsNonRoot)": true
@ -976,3 +1003,80 @@ func Test_Validate_Validate_Unsupported(t *testing.T) {
 	errs = validate.Validate()
 	assert.Assert(t, len(errs) != 0)
 }
+
+func Test_Validate_Generate(t *testing.T) {
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "podSelector": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var generate Generation
+	err := json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, err)
+
+	err = generate.Validate()
+	assert.NilError(t, err)
+}
+
+func Test_Validate_Generate_HasAnchors(t *testing.T) {
+	rawGenerate := []byte(`
+	{
+		"kind": "NetworkPolicy",
+		"name": "defaultnetworkpolicy",
+		"data": {
+		   "spec": {
+			  "(podSelector)": {},
+			  "policyTypes": [
+				 "Ingress",
+				 "Egress"
+			  ],
+			  "ingress": [
+				 {}
+			  ],
+			  "egress": [
+				 {}
+			  ]
+		   }
+		}
+	 }`)
+
+	var generate Generation
+	err := json.Unmarshal(rawGenerate, &generate)
+	assert.NilError(t, err)
+
+	err = generate.Validate()
+	assert.Assert(t, err != nil)
+
+	rawGenerateNew := []byte(`
+	{
+		"kind": "ConfigMap",
+		"name": "copied-cm",
+		"clone": {
+		   "^(namespace)": "default",
+		   "name": "game"
+		}
+	 }`)
+
+	var generateNew Generation
+	err = json.Unmarshal(rawGenerateNew, &generateNew)
+	assert.NilError(t, err)
+
+	err = generate.Validate()
+	assert.Assert(t, err != nil)
+}