
fix: add a copy method to the policy context (#10236)

* fix: add a copy method to the policy context

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: add a CLI test

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

* chore: remove mutate changes

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

---------

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-05-21 22:29:09 +07:00 committed by GitHub
parent e58d7120c6
commit 57b2c5fe4f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 83 additions and 1 deletions


@ -27,4 +27,5 @@ type PolicyContext interface {
SetElement(element unstructured.Unstructured) SetElement(element unstructured.Unstructured)
JSONContext() enginecontext.Interface JSONContext() enginecontext.Interface
Copy() PolicyContext
} }
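Review bot: The new `Copy() PolicyContext` method on the interface carries no doc comment, so implementers and callers cannot tell whether a deep or a shallow copy is promised. The implementation added elsewhere in this commit copies the struct by value and returns its address, so reference-typed fields (for instance the JSON context that `JSONContext()` returns) stay shared with the original; the interface should state that contract, e.g. `// Copy returns a shallow copy of the context; fields holding references (such as the JSON context) are shared with the original.`. The enclosing interface declaration starts outside the hunk.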


@ -222,7 +222,7 @@ func (v *validator) validateElements(ctx context.Context, foreach kyvernov1.ForE
} }
v.policyContext.JSONContext().Reset() v.policyContext.JSONContext().Reset()
policyContext := v.policyContext policyContext := v.policyContext.Copy()
if err := engineutils.AddElementToContext(policyContext, element, index, v.nesting, elementScope); err != nil { if err := engineutils.AddElementToContext(policyContext, element, index, v.nesting, elementScope); err != nil {
v.log.Error(err, "failed to add element to context") v.log.Error(err, "failed to add element to context")
return engineapi.RuleError(v.rule.Name, engineapi.Validation, "failed to process foreach", err), applyCount return engineapi.RuleError(v.rule.Name, engineapi.Validation, "failed to process foreach", err), applyCount
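Review bot: `policyContext := v.policyContext.Copy()` isolates only the fields held directly in the struct; `Copy` is a value copy, so the JSON context that the preceding `v.policyContext.JSONContext().Reset()` clears appears to be the same object the copy exposes, and whatever `AddElementToContext` writes into it through the copy is presumably still visible on `v.policyContext`. If that sharing is intended (one shared JSON context reset per element), a one-line comment on the copy would spare the next reader the question, e.g. `// Copy isolates the element/scope fields; the JSON context is shared and was reset above.`; if it is not intended, the copy needs its own JSON context. The body of `validateElements` continues on both sides of the hunk.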


@ -6,6 +6,7 @@ import (
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
"github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/config"
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
enginectx "github.com/kyverno/kyverno/pkg/engine/context" enginectx "github.com/kyverno/kyverno/pkg/engine/context"
"github.com/kyverno/kyverno/pkg/engine/jmespath" "github.com/kyverno/kyverno/pkg/engine/jmespath"
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission" admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
@ -125,6 +126,10 @@ func (c *PolicyContext) JSONContext() enginectx.Interface {
return c.jsonContext return c.jsonContext
} }
func (c PolicyContext) Copy() engineapi.PolicyContext {
return &c
}
// Mutators // Mutators
func (c PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext { func (c PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {
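Review bot: The exported `Copy` method has no doc comment, and because it takes a value receiver and returns `&c` the copy is shallow, which the comment should say; `go vet`'s copylocks check would also reject the value receiver if the struct ever gains a `sync.Mutex` or similar no-copy field, which I cannot see from here. Suggest `// Copy returns a pointer to a shallow copy of c; reference-typed fields such as jsonContext remain shared with the receiver.` above the method, and a compile-time check `var _ engineapi.PolicyContext = (*PolicyContext)(nil)` near the type so the new interface method cannot silently drift from this implementation. The value-receiver style itself matches the existing mutators such as `WithPolicy`.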


@ -0,0 +1,21 @@
apiVersion: cli.kyverno.io/v1alpha1
kind: Test
metadata:
name: kyverno-test.yaml
policies:
- policy.yaml
resources:
- resource.yaml
results:
- kind: Service
policy: restrict-service-ports
resources:
- service-example-port-22
result: pass
rule: restrict-nodeport
- kind: Service
policy: restrict-service-ports
resources:
- service-example-port-22
result: pass
rule: restrict-port-range
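Review bot: Both expected results are `pass` for a single one-port Service, so the fixture never drives a failing element through the foreach rule and would most likely have passed with the old, un-copied policy context as well. A second result entry using a Service that exposes a port outside 22/80/443 with `result: fail` for `restrict-port-range`, ideally on a multi-port Service, would make the test actually guard the behaviour this commit changes. The `metadata.name` of the Test resource repeats the file name `kyverno-test.yaml`; a descriptive name such as `restrict-service-ports` reads better in CLI output.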


@ -0,0 +1,44 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-service-ports
spec:
validationFailureAction: Enforce
background: true
rules:
- name: restrict-port-range
match:
any:
- resources:
kinds:
- Service
preconditions:
all:
- key: "{{ request.object.spec.type }}"
operator: Equals
value: 'LoadBalancer'
validate:
message: >-
Only approved ports may be used for LoadBalancer services.
foreach:
- list: request.object.spec.ports[]
deny:
conditions:
all:
- key: "{{ element.port }}"
operator: AnyNotIn
value:
- 22
- 80
- 443
- name: restrict-nodeport
match:
any:
- resources:
kinds:
- Service
validate:
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
pattern:
spec:
=(type): "!NodePort"


@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: service-example-port-22
spec:
selector:
app: example
ports:
- port: 22
targetPort: 22
type: LoadBalancer