fixed dryrun option to handle changes caused by mutating policy (#4899)

* fixed dryrun option to handle changes caused by mutating policy Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a check to avoid using kyverno namespace for dryrun Signed-off-by: Riko Kudo <rurikudo@ibm.com> * add a check to avoid using kyverno namespace for dryrun Signed-off-by: Riko Kudo <rurikudo@ibm.com> Signed-off-by: Riko Kudo <rurikudo@ibm.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2022-11-17 17:17:45 +09:00 · 2022-11-17 17:17:45 +09:00 · 8acb8c3e38
commit 8acb8c3e38
parent c0f479add9
3 changed files with 36 additions and 3 deletions
--- a/config/dryrun/dryrun_config.yaml
+++ b/config/dryrun/dryrun_config.yaml
@ -1,3 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: kyverno
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/part-of: kyverno
+    app.kubernetes.io/version: latest
+  name: kyverno-dryrun
+---
 # Additional permission is required to enable DryRun.
 # If using DryRun to validate yaml, please deploy this Role/RoleBinding.
 # If validating custom resources with DryRun, please add the resources to the role.
@ -5,7 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: manifest-verify-dry-run
-  namespace: kyverno
+  namespace: kyverno-dryrun
 rules:
 - apiGroups:
  - rbac.authorization.k8s.io
@ -64,7 +76,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: manifest-verify-dry-run
-  namespace: kyverno
+  namespace: kyverno-dryrun
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@ -73,12 +73,18 @@ var (
 	kyvernoConfigMapName = osutils.GetEnvWithFallback("INIT_CONFIG", "kyverno")
 	// defaultExcludeGroupRole ...
 	defaultExcludeGroupRole []string = []string{"system:serviceaccounts:kube-system", "system:nodes", "system:kube-scheduler"}
+	// kyvernoDryRunNamespace is the namespace for DryRun option of YAML verification
+	kyvernoDryrunNamespace = osutils.GetEnvWithFallback("KYVERNO_DRYRUN_NAMESPACE", "kyverno-dryrun")
 )

 func KyvernoNamespace() string {
 	return kyvernoNamespace
 }

+func KyvernoDryRunNamespace() string {
+	return kyvernoDryrunNamespace
+}
+
 func KyvernoServiceAccountName() string {
 	return kyvernoServiceAccountName
 }
--- a/pkg/engine/k8smanifest.go
+++ b/pkg/engine/k8smanifest.go
@ -101,7 +101,7 @@ func verifyManifest(policyContext *PolicyContext, verifyRule kyvernov1.Manifests
 	if verifyRule.DryRunOption.Namespace != "" {
 		vo.DryRunNamespace = verifyRule.DryRunOption.Namespace
 	} else {
-		vo.DryRunNamespace = config.KyvernoNamespace()
+		vo.DryRunNamespace = config.KyvernoDryRunNamespace()
 	}
 	if !vo.DisableDryRun {
 		// check if kyverno can 'create' dryrun resource
@ -114,6 +114,12 @@ func verifyManifest(policyContext *PolicyContext, verifyRule kyvernov1.Manifests
 			logger.V(1).Info("kyverno does not have permissions to 'create' resource. disabled DryRun option.", "dryrun namespace", vo.DryRunNamespace, "kind", adreq.Kind.Kind)
 			vo.DisableDryRun = true
 		}
+		// check if kyverno namespace is not used for dryrun
+		ok = checkDryRunNamespace(vo.DryRunNamespace)
+		if !ok {
+			logger.V(1).Info("an inappropriate dryrun namespace is set; set a namespace other than kyverno.", "dryrun namespace", vo.DryRunNamespace)
+			vo.DisableDryRun = true
+		}
 	}

 	// can be overridden per Attestor
@ -399,3 +405,12 @@ func checkDryRunPermission(dclient dclient.Interface, kind, namespace string) (b
 	}
 	return ok, nil
 }
+
+func checkDryRunNamespace(namespace string) bool {
+	// should not use kyverno namespace for dryrun
+	if namespace != config.KyvernoNamespace() {
+		return true
+	} else {
+		return false
+	}
+}