fix: incorrect json patch validation (#6941)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 18:38:40 +00:00 · 2023-04-17 13:06:50 +02:00 · 2023-04-17 13:06:50 +02:00 · 76d1b37e68
commit 76d1b37e68
parent 0ecc9c3849
6 changed files with 91 additions and 20 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -87,27 +87,22 @@ func validateJSONPatchPathForForwardSlash(patch string) error {

 func validateJSONPatch(patch string, ruleIdx int) error {
 	patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" })
-
 	jsonPatch, err := yaml.ToJSON([]byte(patch))
 	if err != nil {
 		return err
 	}
-
 	decodedPatch, err := jsonpatch.DecodePatch(jsonPatch)
 	if err != nil {
 		return err
 	}
-
 	for _, operation := range decodedPatch {
 		op := operation.Kind()
 		if op != "add" && op != "remove" && op != "replace" {
 			return fmt.Errorf("unexpected kind: spec.rules[%d]: %s", ruleIdx, op)
 		}
-		v, _ := operation.ValueInterface()
-		if v != nil {
-			vs := fmt.Sprintf("%v", v)
-			if strings.ContainsAny(vs, `"`) || strings.ContainsAny(vs, `'`) {
-				return fmt.Errorf("missing quote around value: spec.rules[%d]: %s", ruleIdx, vs)
+		if op != "remove" {
+			if _, err := operation.ValueInterface(); err != nil {
+				return fmt.Errorf("invalid value: spec.rules[%d]: %s", ruleIdx, err)
 			}
 		}
 	}
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -1704,18 +1704,6 @@ func Test_ValidateJSON6902(t *testing.T) {

 	patch = `- path: "/metadata/labels/img"
  op: add
-  value: nginx"`
-	err = validateJSONPatch(patch, 0)
-	assert.Error(t, err, `missing quote around value: spec.rules[0]: nginx"`)
-
-	patch = `- path: "/metadata/labels/img"
-  op: add
-  value: {"node.kubernetes.io/role": test"}`
-	err = validateJSONPatch(patch, 0)
-	assert.Error(t, err, `missing quote around value: spec.rules[0]: map[node.kubernetes.io/role:test"]`)
-
-	patch = `- path: "/metadata/labels/img"
-  op: add
  value: "nginx"`
 	err = validateJSONPatch(patch, 0)
 	assert.NilError(t, err)
--- a/test/conformance/kuttl/policy-validation/cluster-policy/success/01-policies.yaml
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/01-policies.yaml
@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy-1.yaml
+assert:
+- policy-1-assert.yaml
--- a/test/conformance/kuttl/policy-validation/cluster-policy/success/README.md
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/README.md
@ -0,0 +1,11 @@
+## Description
+
+This test tries to create policies.
+
+## Expected Behavior
+
+Policies are valid and should be accepted.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/6937
--- a/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1-assert.yaml
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: vault-init-injector
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1.yaml
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1.yaml
@ -0,0 +1,62 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: vault-init-injector
+  annotations:
+    policies.kyverno.io/title: Inject vault init Container
+spec:
+  background: false
+  validationFailureAction: Audit
+  rules:
+  - name: inject-vault-sidecar
+    match:
+      any:
+      - resources:
+          kinds:
+          - Deployment
+    preconditions:
+      all:
+      - key: "{{ request.object.spec.template.metadata.annotations.\"vault.k8s.corp.com/inject\"  || ''}}"
+        operator: Equals
+        value: "true"
+      - key: vault-init
+        operator: AnyNotIn
+        value: "{{ request.object.spec.template.spec.initContainers[].name || ['']}}"
+    mutate:
+      patchesJson6902: |-
+        - op: add
+          path: /spec/template/spec/initContainers
+          value: 
+            - name: vault-init
+              image: registry.corp.com/infrastructure/vault-init:dev-53
+              imagePullPolicy: IfNotPresent
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 64M
+                limits:
+                  cpu: 500m
+                  memory: 128M
+              volumeMounts:
+              - mountPath: "/secret"
+                name: vault-secret
+              env:
+              - name: VAULT_ENTRY
+                valueFrom:
+                  fieldRef:
+                    apiVersion: v1
+                    fieldPath: metadata.annotations["vault.k8s.corp.com/role"]
+        - op: add
+          path: /spec/template/spec/volumes/-1
+          value:
+            name: vault-secret
+            emptyDir:
+              medium: Memory
+        - op: add
+          path: /spec/template/spec/containers/0/volumeMounts/-1
+          value:
+            mountPath: "/secret"
+            name: vault-secret
+        - op: add
+          path: /spec/template/metadata/annotations/config.linkerd.io~1skip-outbound-ports
+          value: "8200"