update validation logic

examples/best_practices/policy_validate_default_namespace.yaml

@@ -11,7 +11,7 @@ spec:
         - Pod
     validate:
       message: "A none 'default' namespace is required"
-      anyPattern:
+      pattern:
         - metadata:
             namespace: "!default"
   - name: check-namespace-exist
@@ -21,6 +21,6 @@ spec:
         - Pod
     validate:
       message: "A namespace is required"
-      anyPattern:
+      pattern:
         - metadata:
             namespace: "?*"

examples/best_practices/policy_validate_host_path.yaml

@@ -14,6 +14,5 @@ spec:
       pattern:
         spec:
           volumes:
-          - name: "*"
-            (hostPath):
+          - (hostPath):
               path: "!/var/lib"

examples/best_practices/policy_validate_hostpid_hosipc.yaml

@@ -15,7 +15,7 @@ spec:
         - Pod
     validate:
       message: "Disallow use of host's pid namespace and host's ipc namespace"
-      anyPattern:
+      pattern:
       - spec:
           hostPID: false
           hostIPC: false

examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml

@@ -14,5 +14,5 @@ spec:
       pattern:
         spec:
           containers:
-          - ^(image): "*:latest"
+          - (image): "*:latest"
             imagePullPolicy: "!IfNotPresent"

examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml

@@ -15,7 +15,7 @@ spec:
         - Pod
     validate:
       message: "Container should not have read-only rootfilesystem"
-      anyPattern:
+      pattern:
       - spec:
           container:
           - securityContext:

examples/policy_validate_healthChecks.yaml

@@ -14,7 +14,7 @@ spec:
       pattern:
         spec:
           containers:
-          - ^(name): "check-readiness"
+          - (name): "check-readiness"
             readinessProbe:
               successThreshold: ">1"
   - name: check-livenessProbe-exists
@@ -27,7 +27,7 @@ spec:
       pattern:
         spec:
           containers:
-          - ^(name): "check-liveness"
+          - (name): "check-liveness"
             livenessProbe:
               httpGet:
                 path: "?*"

examples/validate/check_memory_requests_same_yaml_relative.yaml

@@ -18,7 +18,7 @@ spec :
         pattern:
           spec:
             containers:
-              - ^(name): "*"
+              - (name): "*"
                 resources:
                   requests:
                     memory: "$(<=./../../lim(its/mem)ory)"

pkg/engine/validation.go

@@ -197,8 +197,13 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 		// - Existance
 		handler := CreateElementHandler(key, patternElement, path)
 		handlerPath, err := handler.Handle(resourceMap, origPattern)
+		// if there are resource values at same level, then anchor acts as conditional instead of a strict check
+		// but if there are non then its a if then check
 		if err != nil {
-			return handlerPath, err
+			if len(resources) == 0 {
+				return handlerPath, err
+			}
+			return "", nil
 		}
 	}
 	// Evaluate resources

pkg/engine/validation_test.go

@@ -2197,7 +2197,6 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 					   "spec": {
 						  "volumes": [
 							 {
-								"name": "*",
 								"(hostPath)": {
 								   "path": "!/var/lib"
 								}

test/scenarios/test/scenario_validate_default_namespace.yaml

@@ -16,10 +16,10 @@ expected:
       rules:
         - name: check-default-namespace
           type: Validation
-          message: "Validation rule 'check-default-namespace' failed to validate patterns defined in anyPattern. A none 'default' namespace is required; anyPattern[0] failed at path /metadata/namespace/"
+          message: Validation rule 'check-default-namespace' failed at '/' for resource Pod/default/myapp-pod. A none 'default' namespace is required
           success: false
         - name: check-namespace-exist
           type: Validation
-          message: "Validation rule 'check-namespace-exist' anyPattern[0] succesfully validated"
-          success: true
+          message: Validation rule 'check-namespace-exist' failed at '/' for resource Pod/default/myapp-pod. A namespace is required
+          success: false
 

test/scenarios/test/scenario_validate_hostpid_hostipc.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-hostpid-hostipc
           type: Validation
-          message: Validation rule 'validate-hostpid-hostipc' failed to validate patterns defined in anyPattern. Disallow use of host's pid namespace and host's ipc namespace; anyPattern[0] failed at path /spec/hostIPC/
+          message: Validation rule 'validate-hostpid-hostipc' failed at '/' for resource Pod//nginx-with-hostpid. Disallow use of host's pid namespace and host's ipc namespace
           success: false   

test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml

@@ -14,5 +14,5 @@ expected:
       rules:
         - name: validate-not-readonly-rootfilesystem
           type: Validation
-          message: Validation rule 'validate-not-readonly-rootfilesystem' failed to validate patterns defined in anyPattern. Container should not have read-only rootfilesystem; anyPattern[0] failed at path /spec/container/
+          message: Validation rule 'validate-not-readonly-rootfilesystem' failed at '/' for resource Pod//ghost-with-readonly-rootfilesystem. Container should not have read-only rootfilesystem
           success: false