mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-28 10:28:36 +00:00
Update variable paths when auto generate the controller rules (#1914)
* Fix Dev setup * Update variable paths * fix testcase issue Co-authored-by: vyankatesh <vyankatesh@neualto.com>
This commit is contained in:
Vyankatesh Kudtarkar
GitHub
parent
a931f8f8f5
commit
8eb1d4c7fb
4 changed files with 59 additions and 3 deletions
|
|
@ -317,11 +317,12 @@ func updateGenRuleByte(pbyte []byte, kind string, genRule kyvernoRule) (obj []by
|
|||
return obj
|
||||
}
|
||||
if kind == "Pod" {
|
||||
return []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.template.spec", -1))
|
||||
obj = []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.template.spec", -1))
|
||||
}
|
||||
if kind == "Cronjob" {
|
||||
return []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.jobTemplate.spec.template.spec", -1))
|
||||
obj = []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.jobTemplate.spec.template.spec", -1))
|
||||
}
|
||||
obj = []byte(strings.Replace(string(obj), "request.object.metadata", "request.object.spec.template.metadata", -1))
|
||||
return obj
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -239,3 +239,30 @@ func Test_getControllers(t *testing.T) {
|
|||
assert.Equal(t, test.expectedControllers, controllers, fmt.Sprintf("test %s failed", test.name))
|
||||
}
|
||||
}
|
||||
|
||||
func Test_UpdateVariablePath(t *testing.T) {
|
||||
dir, err := os.Getwd()
|
||||
baseDir := filepath.Dir(filepath.Dir(dir))
|
||||
assert.NilError(t, err)
|
||||
file, err := ioutil.ReadFile(baseDir + "/test/best_practices/select-secrets.yaml")
|
||||
if err != nil {
|
||||
t.Log(err)
|
||||
}
|
||||
policies, err := utils.GetPolicy(file)
|
||||
if err != nil {
|
||||
t.Log(err)
|
||||
}
|
||||
|
||||
policy := policies[0]
|
||||
|
||||
rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log)
|
||||
if len(errs) != 0 {
|
||||
t.Log(errs)
|
||||
}
|
||||
expectedPatches := [][]byte{
|
||||
[]byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-select-secrets-from-volumes","match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"context":[{"name":"volsecret","apiCall":{"urlPath":"/api/v1/namespaces/{{request.object.spec.template.metadata.namespace}}/secrets/{{request.object.spec.template.spec.volumes[0].secret.secretName}}","jmesPath":"metadata.labels.foo"}}],"preconditions":[{"key":"{{ request.operation }}","operator":"Equals","value":"CREATE"}],"validate":{"message":"The Secret named {{request.object.spec.template.spec.volumes[0].secret.secretName}} is restricted and may not be used.","pattern":{"spec":{"template":{"spec":{"containers":[{"image":"registry.domain.com/*"}]}}}}}}}`),
|
||||
[]byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-select-secrets-from-volumes","match":{"resources":{"kinds":["CronJob"]}},"context":[{"name":"volsecret","apiCall":{"urlPath":"/api/v1/namespaces/{{request.object.spec.template.metadata.namespace}}/secrets/{{request.object.spec.jobTemplate.spec.template.spec.volumes[0].secret.secretName}}","jmesPath":"metadata.labels.foo"}}],"preconditions":[{"key":"{{ request.operation }}","operator":"Equals","value":"CREATE"}],"validate":{"message":"The Secret named {{request.object.spec.jobTemplate.spec.template.spec.volumes[0].secret.secretName}} is restricted and may not be used.","pattern":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"image":"registry.domain.com/*"}]}}}}}}}}}`),
|
||||
}
|
||||
|
||||
assert.DeepEqual(t, rulePatches, expectedPatches)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -81,7 +81,7 @@ func (ws *WebhookServer) HandleMutation(
|
|||
|
||||
err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetAPIVersion(), engineResponse.PatchedResource.GetKind())
|
||||
if err != nil {
|
||||
logger.V(4).Info("validation error", "policy", policy.Name, "error", err.Error())
|
||||
logger.Info("validation error", "policy", policy.Name, "error", err.Error())
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
|
|||
28
test/best_practices/select-secrets.yaml
Normal file
28
test/best_practices/select-secrets.yaml
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: select-secrets
|
||||
spec:
|
||||
background: false
|
||||
validationFailureAction: enforce
|
||||
rules:
|
||||
- name: select-secrets-from-volumes
|
||||
match:
|
||||
resources:
|
||||
kinds:
|
||||
- Pod
|
||||
context:
|
||||
- name: volsecret
|
||||
apiCall:
|
||||
urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}"
|
||||
jmesPath: "metadata.labels.foo"
|
||||
preconditions:
|
||||
- key: "{{ request.operation }}"
|
||||
operator: Equals
|
||||
value: "CREATE"
|
||||
validate:
|
||||
message: "The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used."
|
||||
pattern:
|
||||
spec:
|
||||
containers:
|
||||
- image: "registry.domain.com/*"
|
||||
Loading…
Add table
Reference in a new issue