fixed dryrun option to handle changes caused by mutating policy (#4899)

* fixed dryrun option to handle changes caused by mutating policy

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a check to avoid using kyverno namespace for dryrun

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

* add a check to avoid using kyverno namespace for dryrun

Signed-off-by: Riko Kudo <rurikudo@ibm.com>

Signed-off-by: Riko Kudo <rurikudo@ibm.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>

config/dryrun/dryrun_config.yaml

@@ -1,3 +1,15 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    app: kyverno
+    app.kubernetes.io/component: kyverno
+    app.kubernetes.io/instance: kyverno
+    app.kubernetes.io/name: kyverno
+    app.kubernetes.io/part-of: kyverno
+    app.kubernetes.io/version: latest
+  name: kyverno-dryrun
+---
 # Additional permission is required to enable DryRun.
 # If using DryRun to validate yaml, please deploy this Role/RoleBinding.
 # If validating custom resources with DryRun, please add the resources to the role.
@@ -5,7 +17,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: manifest-verify-dry-run
-  namespace: kyverno
+  namespace: kyverno-dryrun
 rules:
 - apiGroups:
   - rbac.authorization.k8s.io
@@ -64,7 +76,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: manifest-verify-dry-run
-  namespace: kyverno
+  namespace: kyverno-dryrun
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

pkg/config/config.go

@@ -73,12 +73,18 @@ var (
 	kyvernoConfigMapName = osutils.GetEnvWithFallback("INIT_CONFIG", "kyverno")
 	// defaultExcludeGroupRole ...
 	defaultExcludeGroupRole []string = []string{"system:serviceaccounts:kube-system", "system:nodes", "system:kube-scheduler"}
+	// kyvernoDryRunNamespace is the namespace for DryRun option of YAML verification
+	kyvernoDryrunNamespace = osutils.GetEnvWithFallback("KYVERNO_DRYRUN_NAMESPACE", "kyverno-dryrun")
 )
 
 func KyvernoNamespace() string {
 	return kyvernoNamespace
 }
 
+func KyvernoDryRunNamespace() string {
+	return kyvernoDryrunNamespace
+}
+
 func KyvernoServiceAccountName() string {
 	return kyvernoServiceAccountName
 }

pkg/engine/k8smanifest.go

@@ -101,7 +101,7 @@ func verifyManifest(policyContext *PolicyContext, verifyRule kyvernov1.Manifests
 	if verifyRule.DryRunOption.Namespace != "" {
 		vo.DryRunNamespace = verifyRule.DryRunOption.Namespace
 	} else {
-		vo.DryRunNamespace = config.KyvernoNamespace()
+		vo.DryRunNamespace = config.KyvernoDryRunNamespace()
 	}
 	if !vo.DisableDryRun {
 		// check if kyverno can 'create' dryrun resource
@@ -114,6 +114,12 @@ func verifyManifest(policyContext *PolicyContext, verifyRule kyvernov1.Manifests
 			logger.V(1).Info("kyverno does not have permissions to 'create' resource. disabled DryRun option.", "dryrun namespace", vo.DryRunNamespace, "kind", adreq.Kind.Kind)
 			vo.DisableDryRun = true
 		}
+		// check if kyverno namespace is not used for dryrun
+		ok = checkDryRunNamespace(vo.DryRunNamespace)
+		if !ok {
+			logger.V(1).Info("an inappropriate dryrun namespace is set; set a namespace other than kyverno.", "dryrun namespace", vo.DryRunNamespace)
+			vo.DisableDryRun = true
+		}
 	}
 
 	// can be overridden per Attestor
@@ -399,3 +405,12 @@ func checkDryRunPermission(dclient dclient.Interface, kind, namespace string) (b
 	}
 	return ok, nil
 }
+
+func checkDryRunNamespace(namespace string) bool {
+	// should not use kyverno namespace for dryrun
+	if namespace != config.KyvernoNamespace() {
+		return true
+	} else {
+		return false
+	}
+}