mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-15 20:20:22 +00:00
fix: add a copy method to the policy context (#10236)
* fix: add a copy method to the policy context Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: add a CLI test Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: remove mutate changes Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
e58d7120c6
commit
57b2c5fe4f
6 changed files with 83 additions and 1 deletions
|
@ -27,4 +27,5 @@ type PolicyContext interface {
|
||||||
SetElement(element unstructured.Unstructured)
|
SetElement(element unstructured.Unstructured)
|
||||||
|
|
||||||
JSONContext() enginecontext.Interface
|
JSONContext() enginecontext.Interface
|
||||||
|
Copy() PolicyContext
|
||||||
}
|
}
|
||||||
|
|
|
@ -222,7 +222,7 @@ func (v *validator) validateElements(ctx context.Context, foreach kyvernov1.ForE
|
||||||
}
|
}
|
||||||
|
|
||||||
v.policyContext.JSONContext().Reset()
|
v.policyContext.JSONContext().Reset()
|
||||||
policyContext := v.policyContext
|
policyContext := v.policyContext.Copy()
|
||||||
if err := engineutils.AddElementToContext(policyContext, element, index, v.nesting, elementScope); err != nil {
|
if err := engineutils.AddElementToContext(policyContext, element, index, v.nesting, elementScope); err != nil {
|
||||||
v.log.Error(err, "failed to add element to context")
|
v.log.Error(err, "failed to add element to context")
|
||||||
return engineapi.RuleError(v.rule.Name, engineapi.Validation, "failed to process foreach", err), applyCount
|
return engineapi.RuleError(v.rule.Name, engineapi.Validation, "failed to process foreach", err), applyCount
|
||||||
|
|
|
@ -6,6 +6,7 @@ import (
|
||||||
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
|
||||||
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
|
||||||
"github.com/kyverno/kyverno/pkg/config"
|
"github.com/kyverno/kyverno/pkg/config"
|
||||||
|
engineapi "github.com/kyverno/kyverno/pkg/engine/api"
|
||||||
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
enginectx "github.com/kyverno/kyverno/pkg/engine/context"
|
||||||
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
"github.com/kyverno/kyverno/pkg/engine/jmespath"
|
||||||
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
|
||||||
|
@ -125,6 +126,10 @@ func (c *PolicyContext) JSONContext() enginectx.Interface {
|
||||||
return c.jsonContext
|
return c.jsonContext
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c PolicyContext) Copy() engineapi.PolicyContext {
|
||||||
|
return &c
|
||||||
|
}
|
||||||
|
|
||||||
// Mutators
|
// Mutators
|
||||||
|
|
||||||
func (c PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {
|
func (c PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext {
|
||||||
|
|
21
test/cli/test/multiple-validate-rules/kyverno-test.yaml
Normal file
21
test/cli/test/multiple-validate-rules/kyverno-test.yaml
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
apiVersion: cli.kyverno.io/v1alpha1
|
||||||
|
kind: Test
|
||||||
|
metadata:
|
||||||
|
name: kyverno-test.yaml
|
||||||
|
policies:
|
||||||
|
- policy.yaml
|
||||||
|
resources:
|
||||||
|
- resource.yaml
|
||||||
|
results:
|
||||||
|
- kind: Service
|
||||||
|
policy: restrict-service-ports
|
||||||
|
resources:
|
||||||
|
- service-example-port-22
|
||||||
|
result: pass
|
||||||
|
rule: restrict-nodeport
|
||||||
|
- kind: Service
|
||||||
|
policy: restrict-service-ports
|
||||||
|
resources:
|
||||||
|
- service-example-port-22
|
||||||
|
result: pass
|
||||||
|
rule: restrict-port-range
|
44
test/cli/test/multiple-validate-rules/policy.yaml
Normal file
44
test/cli/test/multiple-validate-rules/policy.yaml
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: restrict-service-ports
|
||||||
|
spec:
|
||||||
|
validationFailureAction: Enforce
|
||||||
|
background: true
|
||||||
|
rules:
|
||||||
|
- name: restrict-port-range
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Service
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ request.object.spec.type }}"
|
||||||
|
operator: Equals
|
||||||
|
value: 'LoadBalancer'
|
||||||
|
validate:
|
||||||
|
message: >-
|
||||||
|
Only approved ports may be used for LoadBalancer services.
|
||||||
|
foreach:
|
||||||
|
- list: request.object.spec.ports[]
|
||||||
|
deny:
|
||||||
|
conditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ element.port }}"
|
||||||
|
operator: AnyNotIn
|
||||||
|
value:
|
||||||
|
- 22
|
||||||
|
- 80
|
||||||
|
- 443
|
||||||
|
- name: restrict-nodeport
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Service
|
||||||
|
validate:
|
||||||
|
message: "NodePort services are not allowed. This is {{ request.object.spec.type }}"
|
||||||
|
pattern:
|
||||||
|
spec:
|
||||||
|
=(type): "!NodePort"
|
11
test/cli/test/multiple-validate-rules/resource.yaml
Normal file
11
test/cli/test/multiple-validate-rules/resource.yaml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: service-example-port-22
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
app: example
|
||||||
|
ports:
|
||||||
|
- port: 22
|
||||||
|
targetPort: 22
|
||||||
|
type: LoadBalancer
|
Loading…
Add table
Reference in a new issue