
fix: use validate.message in case there is no message associated with the CEL expression (#9025)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2023-11-27 13:06:52 +02:00 committed by GitHub
parent 6883e7c031
commit 697188dfa1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 78 additions and 1 deletions


@ -49,7 +49,7 @@ func (h validateCELHandler) Process(
// check if a corresponding validating admission policy is generated
vapStatus := policyContext.Policy().GetStatus().ValidatingAdmissionPolicy
if vapStatus.Generated {
logger.V(3).Info("skipping CEL validation due to the generation of its corresponding validating admission policy")
logger.V(3).Info("skipping CEL validation due to the generation of its corresponding ValidatingAdmissionPolicy")
return resource, nil
}
@ -79,6 +79,11 @@ func (h validateCELHandler) Process(
// extract CEL expressions used in validations and audit annotations
variables := rule.Validation.CEL.Variables
validations := rule.Validation.CEL.Expressions
for i := range validations {
if validations[i].Message == "" {
validations[i].Message = rule.Validation.Message
}
}
auditAnnotations := rule.Validation.CEL.AuditAnnotations
optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: true}
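Review bot: The loop added in the second hunk writes `validations[i].Message` through a slice header that aliases `rule.Validation.CEL.Expressions`, so the fallback message is stored back into the rule itself rather than into a per-request copy. If `rule` is drawn from the policy object held by `policyContext` and that object is shared across admission requests, this is a concurrent write to shared policy state (a data race under the race detector even though the value written is always the same); where `rule` comes from is outside the hunk, so this needs confirming. Cloning before patching keeps the handler read-only with respect to the policy, `validations := slices.Clone(rule.Validation.CEL.Expressions)` on Go 1.21+ (or `make` plus `copy` otherwise), and a one-line comment such as `// fall back to validate.message so a rejected resource always carries a reason` would explain the loop. Separately, if `validate.message` normally goes through variable substitution on the non-CEL validation path, the text copied here reaches the response unsubstituted, which is worth checking against a message containing `{{...}}`. Process begins before the first hunk and continues past this one.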


@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml


@ -0,0 +1,14 @@
## Checks that there is a message displayed when the resource is blocked.
apiVersion: kuttl.dev/v1beta1
kind: TestStep
commands:
- script: |
if kubectl apply -f pod-fail.yaml 2>&1 | grep -q 'host-port-pods: hostPort must either be unset or set to 0'
then
echo "Test succeeded. The message is displayed."
exit 0
else
echo "Test failed. The message isn't found."
exit 1
fi
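Review bot: The script proves that the message is printed but not that the apply was actually rejected, because the pipe discards `kubectl apply`'s exit status and only `grep -q` decides the branch. Capturing the output and checking both outcomes pins the behaviour the README describes: `if ! kubectl apply -f pod-fail.yaml >out.txt 2>&1 && grep -q 'host-port-pods: hostPort must either be unset or set to 0' out.txt`. The expected string also hard-codes the `<rule-name>: <message>` format of the failure response, so a change to that format elsewhere will surface here as a test failure rather than a product bug; a short comment saying so would help whoever triages it.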


@ -0,0 +1,11 @@
## Description
This test creates a policy that uses CEL expressions to disallow host ports in pods.
## Expected Behavior
The pod `pod-fail` is blocked, and a message is displayed indicating the reason of failure.
## Reference Issue(s)
8826


@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: webserver-pod
spec:
containers:
- name: webserver
image: nginx:latest
ports:
- hostPort: 80
containerPort: 8080


@ -0,0 +1,9 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-port-in-pods
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready


@ -0,0 +1,21 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-host-port-in-pods
annotations:
pod-policies.kyverno.io/autogen-controllers: none
spec:
validationFailureAction: Enforce
background: false
rules:
- name: host-port-pods
match:
any:
- resources:
kinds:
- Pod
validate:
message: "hostPort must either be unset or set to 0"
cel:
expressions:
- expression: "object.spec.containers.all(container, !has(container.ports) || container.ports.all(port, !has(port.hostPort) || port.hostPort == 0))"