fix: incorrect json patch validation (#6941)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
parent
0ecc9c3849
commit
76d1b37e68
6 changed files with 91 additions and 20 deletions
@ -87,27 +87,22 @@ func validateJSONPatchPathForForwardSlash(patch string) error {
|
||||||
|
|
||||||
func validateJSONPatch(patch string, ruleIdx int) error {
|
func validateJSONPatch(patch string, ruleIdx int) error {
|
||||||
patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" })
|
patch = variables.ReplaceAllVars(patch, func(s string) string { return "kyvernojsonpatchvariable" })
|
||||||
|
|
||||||
jsonPatch, err := yaml.ToJSON([]byte(patch))
|
jsonPatch, err := yaml.ToJSON([]byte(patch))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
decodedPatch, err := jsonpatch.DecodePatch(jsonPatch)
|
decodedPatch, err := jsonpatch.DecodePatch(jsonPatch)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, operation := range decodedPatch {
|
for _, operation := range decodedPatch {
|
||||||
op := operation.Kind()
|
op := operation.Kind()
|
||||||
if op != "add" && op != "remove" && op != "replace" {
|
if op != "add" && op != "remove" && op != "replace" {
|
||||||
return fmt.Errorf("unexpected kind: spec.rules[%d]: %s", ruleIdx, op)
|
return fmt.Errorf("unexpected kind: spec.rules[%d]: %s", ruleIdx, op)
|
||||||
}
|
}
|
||||||
v, _ := operation.ValueInterface()
|
if op != "remove" {
|
||||||
if v != nil {
|
if _, err := operation.ValueInterface(); err != nil {
|
||||||
vs := fmt.Sprintf("%v", v)
|
return fmt.Errorf("invalid value: spec.rules[%d]: %s", ruleIdx, err)
|
||||||
if strings.ContainsAny(vs, `"`) || strings.ContainsAny(vs, `'`) {
|
|
||||||
return fmt.Errorf("missing quote around value: spec.rules[%d]: %s", ruleIdx, vs)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
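Review bot: The new `ValueInterface()` guard under `if op != "remove" {` may be stricter than RFC 6902: as far as I recall, evanphx/json-patch's accessor reports a missing value when the `value` member is JSON `null`, so an `op: add` or `op: replace` with `value: null` (legal per the RFC) would now be rejected at policy validation — worth confirming against the json-patch version in go.mod and pinning with a test case either way. The library error is also formatted with `%s`; wrapping it keeps it inspectable by callers: `return fmt.Errorf("invalid value: spec.rules[%d]: %w", ruleIdx, err)`. validateJSONPatch's trailing return and closing brace lie outside the hunk.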
@ -1704,18 +1704,6 @@ func Test_ValidateJSON6902(t *testing.T) {
|
||||||
|
|
||||||
patch = `- path: "/metadata/labels/img"
|
patch = `- path: "/metadata/labels/img"
|
||||||
op: add
|
op: add
|
||||||
value: nginx"`
|
|
||||||
err = validateJSONPatch(patch, 0)
|
|
||||||
assert.Error(t, err, `missing quote around value: spec.rules[0]: nginx"`)
|
|
||||||
|
|
||||||
patch = `- path: "/metadata/labels/img"
|
|
||||||
op: add
|
|
||||||
value: {"node.kubernetes.io/role": test"}`
|
|
||||||
err = validateJSONPatch(patch, 0)
|
|
||||||
assert.Error(t, err, `missing quote around value: spec.rules[0]: map[node.kubernetes.io/role:test"]`)
|
|
||||||
|
|
||||||
patch = `- path: "/metadata/labels/img"
|
|
||||||
op: add
|
|
||||||
value: "nginx"`
|
value: "nginx"`
|
||||||
err = validateJSONPatch(patch, 0)
|
err = validateJSONPatch(patch, 0)
|
||||||
assert.NilError(t, err)
|
assert.NilError(t, err)
|
||||||
|
|
|
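Review bot: The three removed cases leave the new `invalid value` branch of validateJSONPatch without unit coverage, and the false positive this commit fixes (a value containing a quote character, now accepted) is only exercised by the kuttl step. A case with `op: add` and no `value` key, asserted with `assert.ErrorContains(t, err, "invalid value: spec.rules[0]")`, would pin the new error path, and the former `value: nginx"` input could be kept with `assert.NilError(t, err)` as the regression check for the issue. Test_ValidateJSON6902 starts and continues outside the hunk.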
@ -0,0 +1,6 @@
|
||||||
|
apiVersion: kuttl.dev/v1beta1
|
||||||
|
kind: TestStep
|
||||||
|
apply:
|
||||||
|
- policy-1.yaml
|
||||||
|
assert:
|
||||||
|
- policy-1-assert.yaml
|
|
@ -0,0 +1,11 @@
|
||||||
|
## Description
|
||||||
|
|
||||||
|
This test tries to create policies.
|
||||||
|
|
||||||
|
## Expected Behavior
|
||||||
|
|
||||||
|
Policies are valid and should be accepted.
|
||||||
|
|
||||||
|
## Reference Issue(s)
|
||||||
|
|
||||||
|
https://github.com/kyverno/kyverno/issues/6937
|
|
@ -0,0 +1,9 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: vault-init-injector
|
||||||
|
status:
|
||||||
|
conditions:
|
||||||
|
- reason: Succeeded
|
||||||
|
status: "True"
|
||||||
|
type: Ready
|
|
@ -0,0 +1,62 @@
|
||||||
|
apiVersion: kyverno.io/v1
|
||||||
|
kind: ClusterPolicy
|
||||||
|
metadata:
|
||||||
|
name: vault-init-injector
|
||||||
|
annotations:
|
||||||
|
policies.kyverno.io/title: Inject vault init Container
|
||||||
|
spec:
|
||||||
|
background: false
|
||||||
|
validationFailureAction: Audit
|
||||||
|
rules:
|
||||||
|
- name: inject-vault-sidecar
|
||||||
|
match:
|
||||||
|
any:
|
||||||
|
- resources:
|
||||||
|
kinds:
|
||||||
|
- Deployment
|
||||||
|
preconditions:
|
||||||
|
all:
|
||||||
|
- key: "{{ request.object.spec.template.metadata.annotations.\"vault.k8s.corp.com/inject\" || ''}}"
|
||||||
|
operator: Equals
|
||||||
|
value: "true"
|
||||||
|
- key: vault-init
|
||||||
|
operator: AnyNotIn
|
||||||
|
value: "{{ request.object.spec.template.spec.initContainers[].name || ['']}}"
|
||||||
|
mutate:
|
||||||
|
patchesJson6902: |-
|
||||||
|
- op: add
|
||||||
|
path: /spec/template/spec/initContainers
|
||||||
|
value:
|
||||||
|
- name: vault-init
|
||||||
|
image: registry.corp.com/infrastructure/vault-init:dev-53
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 64M
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 128M
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: "/secret"
|
||||||
|
name: vault-secret
|
||||||
|
env:
|
||||||
|
- name: VAULT_ENTRY
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: metadata.annotations["vault.k8s.corp.com/role"]
|
||||||
|
- op: add
|
||||||
|
path: /spec/template/spec/volumes/-1
|
||||||
|
value:
|
||||||
|
name: vault-secret
|
||||||
|
emptyDir:
|
||||||
|
medium: Memory
|
||||||
|
- op: add
|
||||||
|
path: /spec/template/spec/containers/0/volumeMounts/-1
|
||||||
|
value:
|
||||||
|
mountPath: "/secret"
|
||||||
|
name: vault-secret
|
||||||
|
- op: add
|
||||||
|
path: /spec/template/metadata/annotations/config.linkerd.io~1skip-outbound-ports
|
||||||
|
value: "8200"
|