diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index eab42d6b10..d3817d4d27 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -87,27 +87,22 @@ func validateJSONPatchPathForForwardSlash(patch string) error { func validateJSONPatch(patch string, ruleIdx int) error { patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" }) - jsonPatch, err := yaml.ToJSON([]byte(patch)) if err != nil { return err } - decodedPatch, err := jsonpatch.DecodePatch(jsonPatch) if err != nil { return err } - for _, operation := range decodedPatch { op := operation.Kind() if op != "add" && op != "remove" && op != "replace" { return fmt.Errorf("unexpected kind: spec.rules[%d]: %s", ruleIdx, op) } - v, _ := operation.ValueInterface() - if v != nil { - vs := fmt.Sprintf("%v", v) - if strings.ContainsAny(vs, `"`) || strings.ContainsAny(vs, `'`) { - return fmt.Errorf("missing quote around value: spec.rules[%d]: %s", ruleIdx, vs) + if op != "remove" { + if _, err := operation.ValueInterface(); err != nil { + return fmt.Errorf("invalid value: spec.rules[%d]: %s", ruleIdx, err) } } } diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go index 443029219b..58fd74f583 100644 --- a/pkg/policy/validate_test.go +++ b/pkg/policy/validate_test.go @@ -1704,18 +1704,6 @@ func Test_ValidateJSON6902(t *testing.T) { patch = `- path: "/metadata/labels/img" op: add - value: nginx"` - err = validateJSONPatch(patch, 0) - assert.Error(t, err, `missing quote around value: spec.rules[0]: nginx"`) - - patch = `- path: "/metadata/labels/img" - op: add - value: {"node.kubernetes.io/role": test"}` - err = validateJSONPatch(patch, 0) - assert.Error(t, err, `missing quote around value: spec.rules[0]: map[node.kubernetes.io/role:test"]`) - - patch = `- path: "/metadata/labels/img" - op: add value: "nginx"` err = validateJSONPatch(patch, 0) assert.NilError(t, err) 
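Review bot: The new `return fmt.Errorf("invalid value: spec.rules[%d]: %s", ruleIdx, err)` flattens the decode error with `%s`; `%w` keeps the chain so callers can use `errors.Is`/`errors.As`, so I would write `return fmt.Errorf("invalid value: spec.rules[%d]: %w", ruleIdx, err)`. The check now only asks whether `ValueInterface()` succeeds for non-`remove` ops; if I recall evanphx/json-patch correctly it reports a missing or JSON `null` `value` as an error, so an `add`/`replace` with `value: null` (legal under RFC 6902) would now be rejected at validation time where the old code let it through via `v == nil`, which deserves a test case either way. Because every variable in `patch` has already been rewritten to the fixed placeholder `kyvernojsonpatchvariable` on the line above, this loop validates the shape of the patch rather than the values applied at admission time, and a short comment such as `// Values are checked after variables are replaced by a placeholder; they are not the values applied at admission.` would make that explicit. The enclosing function ends past the hunk.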
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/success/01-policies.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/success/01-policies.yaml new file mode 100644 index 0000000000..92aad67a05 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/01-policies.yaml @@ -0,0 +1,6 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: +- policy-1.yaml +assert: +- policy-1-assert.yaml diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/success/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/success/README.md new file mode 100644 index 0000000000..601e8fbdad --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/README.md @@ -0,0 +1,11 @@ +## Description + +This test tries to create policies. + +## Expected Behavior + +Policies are valid and should be accepted. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/6937 diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1-assert.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1-assert.yaml new file mode 100644 index 0000000000..689ed8e9dd --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: vault-init-injector +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1.yaml new file mode 100644 index 0000000000..1904697dc9 --- /dev/null +++ b/test/conformance/kuttl/policy-validation/cluster-policy/success/policy-1.yaml 
@@ -0,0 +1,62 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: vault-init-injector + annotations: + policies.kyverno.io/title: Inject vault init Container +spec: + background: false + validationFailureAction: Audit + rules: + - name: inject-vault-sidecar + match: + any: + - resources: + kinds: + - Deployment + preconditions: + all: + - key: "{{ request.object.spec.template.metadata.annotations.\"vault.k8s.corp.com/inject\" || ''}}" + operator: Equals + value: "true" + - key: vault-init + operator: AnyNotIn + value: "{{ request.object.spec.template.spec.initContainers[].name || ['']}}" + mutate: + patchesJson6902: |- + - op: add + path: /spec/template/spec/initContainers + value: + - name: vault-init + image: registry.corp.com/infrastructure/vault-init:dev-53 + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + memory: 64M + limits: + cpu: 500m + memory: 128M + volumeMounts: + - mountPath: "/secret" + name: vault-secret + env: + - name: VAULT_ENTRY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.annotations["vault.k8s.corp.com/role"] + - op: add + path: /spec/template/spec/volumes/-1 + value: + name: vault-secret + emptyDir: + medium: Memory + - op: add + path: /spec/template/spec/containers/0/volumeMounts/-1 + value: + mountPath: "/secret" + name: vault-secret + - op: add + path: /spec/template/metadata/annotations/config.linkerd.io~1skip-outbound-ports + value: "8200"
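Review bot: The first operation, `op: add` at `path: /spec/template/spec/initContainers`, replaces the whole `initContainers` array under RFC 6902 `add` semantics for an existing member, so a Deployment that already has other init containers would lose them, and the `AnyNotIn` precondition only checks that `vault-init` is not already present. If this fixture exists only to exercise policy acceptance (issue 6937) that is acceptable, but it reads like a production policy, so I would either say so in the README or switch to an append form such as `path: /spec/template/spec/initContainers/-` guarded by a precondition that the array exists. The later paths use `-1` (`/spec/template/spec/volumes/-1`, `/spec/template/spec/containers/0/volumeMounts/-1`); RFC 6901 defines `-` as the append token and negative indices work only as a patch-library extension, so `-` is the portable spelling. The injected image `registry.corp.com/infrastructure/vault-init:dev-53` is a mutable tag with no digest, which a policy that mounts a secret volume into the workload should probably pin.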