diff --git a/examples/best_practices/policy_validate_default_namespace.yaml b/examples/best_practices/policy_validate_default_namespace.yaml
index e77dc7394a..f0e1b411c8 100644
--- a/examples/best_practices/policy_validate_default_namespace.yaml
+++ b/examples/best_practices/policy_validate_default_namespace.yaml
@@ -11,7 +11,7 @@ spec: - Pod validate: message: "A none 'default' namespace is required" - anyPattern: + pattern: - metadata: namespace: "!default" - name: check-namespace-exist
@@ -21,6 +21,6 @@ spec: - Pod validate: message: "A namespace is required" - anyPattern: + pattern: - metadata: namespace: "?*"
diff --git a/examples/best_practices/policy_validate_host_path.yaml b/examples/best_practices/policy_validate_host_path.yaml
index 14cbcdc021..9a62a35e8d 100644
--- a/examples/best_practices/policy_validate_host_path.yaml
+++ b/examples/best_practices/policy_validate_host_path.yaml
@@ -14,6 +14,5 @@ spec: pattern: spec: volumes: - - name: "*" - (hostPath): + - (hostPath): path: "!/var/lib"
diff --git a/examples/best_practices/policy_validate_hostpid_hosipc.yaml b/examples/best_practices/policy_validate_hostpid_hosipc.yaml
index f06b9b3785..37061e9a3b 100644
--- a/examples/best_practices/policy_validate_hostpid_hosipc.yaml
+++ b/examples/best_practices/policy_validate_hostpid_hosipc.yaml
@@ -15,7 +15,7 @@ spec: - Pod validate: message: "Disallow use of host's pid namespace and host's ipc namespace" - anyPattern: + pattern: - spec: hostPID: false hostIPC: false
diff --git a/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml b/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
index 972c236799..84a4dddce8 100644
--- a/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
+++ b/examples/best_practices/policy_validate_image_latest_ifnotpresent_deny.yaml
@@ -14,5 +14,5 @@ spec: pattern: spec: containers: - - ^(image): "*:latest" + - (image): "*:latest" imagePullPolicy: "!IfNotPresent"
\ No newline at end of file
diff --git a/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml b/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
index a0085cb014..0455b6b8b0 100644
--- a/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
+++ b/examples/best_practices/policy_validate_not_readonly_rootfilesystem.yaml
@@ -15,7 +15,7 @@ spec: - Pod validate: message: "Container should not have read-only rootfilesystem" - anyPattern: + pattern: - spec: container: - securityContext:
diff --git a/examples/policy_validate_healthChecks.yaml b/examples/policy_validate_healthChecks.yaml
index 5ea9eaf97e..41a5ce439e 100644
--- a/examples/policy_validate_healthChecks.yaml
+++ b/examples/policy_validate_healthChecks.yaml
@@ -14,7 +14,7 @@ spec: pattern: spec: containers: - - ^(name): "check-readiness" + - (name): "check-readiness" readinessProbe: successThreshold: ">1" - name: check-livenessProbe-exists
@@ -27,7 +27,7 @@ spec: pattern: spec: containers: - - ^(name): "check-liveness" + - (name): "check-liveness" livenessProbe: httpGet: path: "?*"
diff --git a/examples/validate/check_memory_requests_same_yaml_relative.yaml b/examples/validate/check_memory_requests_same_yaml_relative.yaml
index 2657d63638..f13458f858 100644
--- a/examples/validate/check_memory_requests_same_yaml_relative.yaml
+++ b/examples/validate/check_memory_requests_same_yaml_relative.yaml
@@ -18,7 +18,7 @@ spec : pattern: spec: containers: - - ^(name): "*" + - (name): "*" resources: requests: memory: "$(<=./../../lim(its/mem)ory)"
diff --git a/pkg/engine/validation.go b/pkg/engine/validation.go
index 7ffa7a05c2..e52b3f3242 100644
--- a/pkg/engine/validation.go
+++ b/pkg/engine/validation.go
@@ -197,8 +197,13 @@ func validateMap(resourceMap, patternMap map[string]interface{}, origPattern int
 // - Existance
 handler := CreateElementHandler(key, patternElement, path)
 handlerPath, err := handler.Handle(resourceMap, origPattern)
+ // if there are resource values at same level, then anchor acts as conditional instead of a strict check
+ // but if there are non then its a if then check
 if err != nil {
- return handlerPath, err
+ if len(resources) == 0 {
+ return handlerPath, err
+ }
+ return "", nil
 }
 }
 // Evaluate resources
diff --git a/pkg/engine/validation_test.go b/pkg/engine/validation_test.go
index d9f7014105..cc02abc5d1 100644
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@@ -2197,7 +2197,6 @@ func TestValidate_anchor_arraymap_fail(t *testing.T) {
 "spec": {
 "volumes": [
 {
- "name": "*",
 "(hostPath)": {
 "path": "!/var/lib"
 }
diff --git a/test/scenarios/test/scenario_validate_default_namespace.yaml b/test/scenarios/test/scenario_validate_default_namespace.yaml
index aec3c79221..ce195f9a5a 100644
--- a/test/scenarios/test/scenario_validate_default_namespace.yaml
+++ b/test/scenarios/test/scenario_validate_default_namespace.yaml
@@ -16,10 +16,10 @@ expected: rules: - name: check-default-namespace type: Validation - message: "Validation rule 'check-default-namespace' failed to validate patterns defined in anyPattern. A none 'default' namespace is required; anyPattern[0] failed at path /metadata/namespace/" + message: Validation rule 'check-default-namespace' failed at '/' for resource Pod/default/myapp-pod. A none 'default' namespace is required success: false - name: check-namespace-exist type: Validation - message: "Validation rule 'check-namespace-exist' anyPattern[0] succesfully validated" - success: true + message: Validation rule 'check-namespace-exist' failed at '/' for resource Pod/default/myapp-pod. A namespace is required + success: false
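Review bot: The new `return "", nil` in validateMap turns every non-nil error from `handler.Handle` into a pass whenever `resources` is non-empty, so a handler failure caused by a malformed pattern or a type mismatch becomes indistinguishable from the anchor condition simply not applying, and the rule silently admits the resource. If conditional-anchor semantics are the intent, the handler should signal "condition not met" through a distinct value (a sentinel error checked with `errors.Is`, or a bool result) and any other error should still be returned regardless of `len(resources)`. The two added comment lines also misdescribe the code: `non` reads as `none`, and "its a if then check" for the empty case contradicts the branch below it, which is the strict one; suggest `// A sibling non-anchor element at this level makes the anchor a condition: a mismatch skips the rest of this map. With no siblings the anchor is a strict check and its error is returned.` Note that the conditional branch returns before the `// Evaluate resources` section rather than only skipping the anchor, which may be intended but deserves a word in that comment; validateMap starts and ends outside the hunk and where `resources` is populated is not visible here.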
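Review bot: The expected result for check-namespace-exist flips from `success: true` to `success: false` for a resource reported as Pod/default/myapp-pod, which reads as the "A namespace is required" rule rejecting a pod that has a namespace. If the pod manifest in the scenario actually omits `metadata.namespace` and the name shown is filled in by the engine, a comment in the scenario saying so would stop the next reader from taking this as a regression fixture; if it does carry a namespace, the expectation looks wrong rather than the engine, since `"?*"` should match `default`. A scenario that asserts failure on compliant input would mask a real regression of the rule.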
diff --git a/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
index 81ffd13f24..f26b39b262 100644
--- a/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
+++ b/test/scenarios/test/scenario_validate_hostpid_hostipc.yaml
@@ -14,5 +14,5 @@ expected: rules: - name: validate-hostpid-hostipc type: Validation - message: Validation rule 'validate-hostpid-hostipc' failed to validate patterns defined in anyPattern. Disallow use of host's pid namespace and host's ipc namespace; anyPattern[0] failed at path /spec/hostIPC/ + message: Validation rule 'validate-hostpid-hostipc' failed at '/' for resource Pod//nginx-with-hostpid. Disallow use of host's pid namespace and host's ipc namespace success: false
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml b/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
index d523092818..c181be74d9 100644
--- a/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
+++ b/test/scenarios/test/scenario_validate_not_readonly_rootfilesystem.yaml
@@ -14,5 +14,5 @@ expected: rules: - name: validate-not-readonly-rootfilesystem type: Validation - message: Validation rule 'validate-not-readonly-rootfilesystem' failed to validate patterns defined in anyPattern. Container should not have read-only rootfilesystem; anyPattern[0] failed at path /spec/container/ + message: Validation rule 'validate-not-readonly-rootfilesystem' failed at '/' for resource Pod//ghost-with-readonly-rootfilesystem. Container should not have read-only rootfilesystem success: false
\ No newline at end of file