mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-04-08 10:04:25 +00:00
Code Activity

fix tests

Browse source 
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
This commit is contained in:
Jim Bugwadia 2021-10-26 14:24:24 -07:00
parent a9b96ff882
commit 84c7d9d2a0
1 changed files with 7 additions and 4 deletions

11
pkg/kyverno/common/common.go
View file

@ -238,8 +238,11 @@ func objectHasVariables(object interface{}) error {
func PolicyHasNonAllowedVariables(policy v1.ClusterPolicy) error {
for _, r := range policy.Spec.Rules {
rule := r.DeepCopy()
rule.Context = nil
rule.VerifyImages = nil
// do not validate attestation variables as they are based on external data
for _, vi := range rule.VerifyImages {
vi.Attestations = nil
}
var err error
ruleJSON, err := json.Marshal(rule)
@ -254,8 +257,8 @@ func PolicyHasNonAllowedVariables(policy v1.ClusterPolicy) error {
matchesAll := RegexVariables.FindAllStringSubmatch(string(ruleJSON), -1)
matchesAllowed := AllowedVariables.FindAllStringSubmatch(string(ruleJSON), -1)
if len(matchesAll) > len(matchesAllowed) && len(rule.Context) == 0 {
allowed := "{{request.*}}, {{serviceAccountName}}, {{serviceAccountNamespace}}, {{@}}, and context variables"
if (len(matchesAll) > len(matchesAllowed)) && len(rule.Context) == 0 {
allowed := "{{request.*}}, {{element.*}}, {{serviceAccountName}}, {{serviceAccountNamespace}}, {{@}}, and context variables"
return fmt.Errorf("rule \"%s\" has forbidden variables. Allowed variables are: %s", rule.Name, allowed)
}
}