diff --git a/pkg/controllers/webhook/utils.go b/pkg/controllers/webhook/utils.go
index da7a6e2731..9258aa2163 100644
--- a/pkg/controllers/webhook/utils.go
+++ b/pkg/controllers/webhook/utils.go
@@ -52,7 +52,7 @@ func newWebhook(timeout int32, failurePolicy admissionregistrationv1.FailurePoli
 func findKeyContainingSubstring(m map[string][]admissionregistrationv1.OperationType, substring string, defaultOpn []admissionregistrationv1.OperationType) []admissionregistrationv1.OperationType {
 for key, value := range m {
- if strings.Contains(strings.ToLower(key), strings.ToLower(substring)) || strings.Contains(strings.ToLower(substring), strings.ToLower(key)) {
+ if key == "Pod/exec" || strings.Contains(strings.ToLower(key), strings.ToLower(substring)) || strings.Contains(strings.ToLower(substring), strings.ToLower(key)) {
 return value
 }
 }
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/README.md b/test/conformance/chainsaw/webhooks/pod-exec-subresource/README.md
new file mode 100644
index 0000000000..d49ecbe769
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test verifies the resource mutation webhook is configured correctly when a policy targets the `Pod/exec` subresource.
+
+## Steps
+
+1. - Create a policy targeting `Pod/exec`
+ - Assert policy gets ready
+1. - Assert that the resource mutation webhook is configured correctly
+
+## Reference Issue(s)
+
+#9829
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/chainsaw-test.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/chainsaw-test.yaml
new file mode 100755
index 0000000000..fc49f7fa7a
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/chainsaw-test.yaml
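Review bot: In `findKeyContainingSubstring` (pkg/controllers/webhook/utils.go) the added `key == "Pod/exec"` test never looks at `substring`, so once the map holds a `Pod/exec` entry the loop can return that entry's operations for any lookup, and because Go map iteration order is unspecified the result can differ between runs. For an admission webhook this could register the wrong operation set for an unrelated resource (for example only CONNECT), leaving requests the policy was meant to see un-intercepted. Tie the special case to the value being looked up, e.g. `if (key == "Pod/exec" && strings.EqualFold(substring, "pods/exec")) || ...`, assuming callers pass the plural resource name as webhooks.yaml suggests; please confirm against the call sites. The function's tail is outside the hunk, so the fallback to `defaultOpn` is not visible here.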
@@ -0,0 +1,17 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: pod-exec-subresource
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - assert:
+ file: webhooks.yaml
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy-assert.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy-assert.yaml
new file mode 100644
index 0000000000..39d6e7678e
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: std-shell
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml
new file mode 100644
index 0000000000..80b7e1bfce
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: std-shell
+spec:
+ background: false
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod/exec
+ operations:
+ - CONNECT
+ mutate:
+ patchesJson6902: |-
+ - op: replace
+ path: "/command/0"
+ value: "bash"
+ name: std-shell-replace
+ validationFailureAction: Audit
diff --git a/test/conformance/chainsaw/webhooks/pod-exec-subresource/webhooks.yaml b/test/conformance/chainsaw/webhooks/pod-exec-subresource/webhooks.yaml
new file mode 100644
index 0000000000..af794b4037
--- /dev/null
+++ b/test/conformance/chainsaw/webhooks/pod-exec-subresource/webhooks.yaml
@@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ labels:
+ webhook.kyverno.io/managed-by: kyverno
+ name: kyverno-resource-mutating-webhook-cfg
+webhooks:
+- rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CONNECT
+ resources:
+ - pods/exec
+ scope: 'Namespaced'
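Review bot: The fixtures exercise only a single policy whose sole kind is `Pod/exec`, so this assertion cannot tell a lookup that matched `pods/exec` on purpose from one that returns the `Pod/exec` entry for every resource. Consider adding a second rule or policy in policy.yaml that matches another kind with a different operation (say `Pod` with `CREATE`) and asserting here that its webhook rule keeps its own `operations` rather than `CONNECT`. That would pin the behaviour of the hard-coded key in utils.go against regressions.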