From 72524c792ceee99fd63e0057a15e7acc9ea01d69 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
Date: Wed, 22 Nov 2023 14:36:40 +0530
Subject: [PATCH] fix: update KeysAreMissing() to ignore negations in resource
 (#8953)

* fix: update KeysAreMissing() to ignore negations in resource

KeysAreMissing() checks if a key is missing in a resource, since a negation should not be present in the resource, it should not count as a missing key

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add tests

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: pod is supposed to fail

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 pkg/engine/anchor/anchormap.go                |  6 ++++-
 .../01-policy.yaml                            |  6 +++++
 .../failure-policy-ignore-anchor/02-pod.yaml  |  5 ++++
 .../failure-policy-ignore-anchor/README.md    | 11 +++++++++
 .../failure-policy-ignore-anchor/pod.yaml     | 12 ++++++++++
 .../policy-assert.yaml                        |  4 ++++
 .../failure-policy-ignore-anchor/policy.yaml  | 24 +++++++++++++++++++
 7 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml

diff --git a/pkg/engine/anchor/anchormap.go b/pkg/engine/anchor/anchormap.go
index 9e45f2d45b..bbfda83051 100644
--- a/pkg/engine/anchor/anchormap.go
+++ b/pkg/engine/anchor/anchormap.go
@@ -18,8 +18,12 @@ func NewAnchorMap() *AnchorMap {
 // if any of (key)=false then return KeysAreMissing() as true
 // if all the keys exists in the pattern exists in resource then return KeysAreMissing() as false
 func (ac *AnchorMap) KeysAreMissing() bool {
-	for _, v := range ac.anchorMap {
+	for k, v := range ac.anchorMap {
 		if !v {
+			// Negations should not be present in the resource so they count as missing.
+			if a := Parse(k); IsNegation(a) {
+				continue
+			}
 			return true
 		}
 	}
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml
new file mode 100644
index 0000000000..b84fa7138a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pod.yaml
+  shouldFail: true
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md
new file mode 100644
index 0000000000..6a01cc0c6b
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test verifies that when failurePolicy is set to to Ignore for a policy that was set to Enforce, Admission webhook denies requests when validation of a resource fails. The error should not get consumed by ignore failurePolicy 
+
+## Expected Behavior
+
+The pod should be not created.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/8916
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml
new file mode 100644
index 0000000000..472296498a
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: disallow-annotations-example
+  namespace: default
+  annotations:
+    kyverno-policies-test/key: disallowed
+spec:
+  containers:
+  - name: example
+    image: busybox
+    args: ["sleep", "infinity"]
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml
new file mode 100644
index 0000000000..d884d82d65
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-annotations
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml
new file mode 100644
index 0000000000..eed8b5fc16
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-annotations
+spec:
+  background: true
+  failurePolicy: Ignore
+  rules:
+  - match:
+      all:
+      - resources:
+          kinds:
+          - Pod
+    name: disallow-annotations
+    validate:
+      message: One or more annotations is not allowed per the policies disallowed
+        values list.
+      pattern:
+        metadata:
+          =(annotations):
+            =(kyverno-policies-test/key): '!disallowed'
+            X(kyverno-policies-test/disallowed): "null"
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30