fix: add CONNECT operation in the webhook config for pod/exec subresource (#9855)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>

pkg/controllers/webhook/utils.go

@@ -52,7 +52,7 @@ func newWebhook(timeout int32, failurePolicy admissionregistrationv1.FailurePoli
 
 func findKeyContainingSubstring(m map[string][]admissionregistrationv1.OperationType, substring string, defaultOpn []admissionregistrationv1.OperationType) []admissionregistrationv1.OperationType {
 	for key, value := range m {
-		if strings.Contains(strings.ToLower(key), strings.ToLower(substring)) || strings.Contains(strings.ToLower(substring), strings.ToLower(key)) {
+		if key == "Pod/exec" || strings.Contains(strings.ToLower(key), strings.ToLower(substring)) || strings.Contains(strings.ToLower(substring), strings.ToLower(key)) {
 			return value
 		}
 	}

test/conformance/chainsaw/webhooks/pod-exec-subresource/README.md

@@ -0,0 +1,13 @@
+## Description
+
+This test verifies the resource mutation webhook is configured correctly when a policy targets the `Pod/exec` subresource.
+
+## Steps
+
+1.  - Create a policy targeting `Pod/exec`
+    - Assert policy gets ready
+1.  - Assert that the resource mutation webhook is configured correctly
+
+## Reference Issue(s)
+
+#9829

test/conformance/chainsaw/webhooks/pod-exec-subresource/chainsaw-test.yaml

@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: pod-exec-subresource
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - assert:
+        file: webhooks.yaml

test/conformance/chainsaw/webhooks/pod-exec-subresource/policy-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: std-shell
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml

@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: std-shell
+spec:
+  background: false
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod/exec
+          operations:
+          - CONNECT
+    mutate:
+      patchesJson6902: |-
+        - op: replace
+          path: "/command/0"
+          value: "bash" 
+    name: std-shell-replace
+  validationFailureAction: Audit

test/conformance/chainsaw/webhooks/pod-exec-subresource/webhooks.yaml

@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  labels:
+    webhook.kyverno.io/managed-by: kyverno
+  name: kyverno-resource-mutating-webhook-cfg
+webhooks:
+- rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CONNECT
+    resources:
+    - pods/exec
+    scope: 'Namespaced'