From 8eb1d4c7fbee71f0712283c357209ec1836555bd Mon Sep 17 00:00:00 2001 From: Vyankatesh Kudtarkar Date: Tue, 8 Jun 2021 02:05:53 +0530 Subject: [PATCH] Update variable paths when auto generate the controller rules (#1914) * Fix Dev setup * Update variable paths * fix testcase issue Co-authored-by: vyankatesh --- pkg/policymutation/policymutation.go | 5 ++-- pkg/policymutation/policymutation_test.go | 27 ++++++++++++++++++++++ pkg/webhooks/mutation.go | 2 +- test/best_practices/select-secrets.yaml | 28 +++++++++++++++++++++++ 4 files changed, 59 insertions(+), 3 deletions(-) create mode 100644 test/best_practices/select-secrets.yaml diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index 97092b3314..bb962a2b68 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go @@ -317,11 +317,12 @@ func updateGenRuleByte(pbyte []byte, kind string, genRule kyvernoRule) (obj []by return obj } if kind == "Pod" { - return []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.template.spec", -1)) + obj = []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.template.spec", -1)) } if kind == "Cronjob" { - return []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.jobTemplate.spec.template.spec", -1)) + obj = []byte(strings.Replace(string(pbyte), "request.object.spec", "request.object.spec.jobTemplate.spec.template.spec", -1)) } + obj = []byte(strings.Replace(string(obj), "request.object.metadata", "request.object.spec.template.metadata", -1)) return obj } diff --git a/pkg/policymutation/policymutation_test.go b/pkg/policymutation/policymutation_test.go index 9e1e6fd7b5..671a38a8c7 100644 --- a/pkg/policymutation/policymutation_test.go +++ b/pkg/policymutation/policymutation_test.go @@ -239,3 +239,30 @@ func Test_getControllers(t *testing.T) { assert.Equal(t, test.expectedControllers, controllers, fmt.Sprintf("test %s failed", test.name)) } } + +func Test_UpdateVariablePath(t *testing.T) { + dir, err := os.Getwd() + baseDir := filepath.Dir(filepath.Dir(dir)) + assert.NilError(t, err) + file, err := ioutil.ReadFile(baseDir + "/test/best_practices/select-secrets.yaml") + if err != nil { + t.Log(err) + } + policies, err := utils.GetPolicy(file) + if err != nil { + t.Log(err) + } + + policy := policies[0] + + rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log) + if len(errs) != 0 { + t.Log(errs) + } + expectedPatches := [][]byte{ + []byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-select-secrets-from-volumes","match":{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}},"context":[{"name":"volsecret","apiCall":{"urlPath":"/api/v1/namespaces/{{request.object.spec.template.metadata.namespace}}/secrets/{{request.object.spec.template.spec.volumes[0].secret.secretName}}","jmesPath":"metadata.labels.foo"}}],"preconditions":[{"key":"{{ request.operation }}","operator":"Equals","value":"CREATE"}],"validate":{"message":"The Secret named {{request.object.spec.template.spec.volumes[0].secret.secretName}} is restricted and may not be used.","pattern":{"spec":{"template":{"spec":{"containers":[{"image":"registry.domain.com/*"}]}}}}}}}`), + []byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-select-secrets-from-volumes","match":{"resources":{"kinds":["CronJob"]}},"context":[{"name":"volsecret","apiCall":{"urlPath":"/api/v1/namespaces/{{request.object.spec.template.metadata.namespace}}/secrets/{{request.object.spec.jobTemplate.spec.template.spec.volumes[0].secret.secretName}}","jmesPath":"metadata.labels.foo"}}],"preconditions":[{"key":"{{ request.operation }}","operator":"Equals","value":"CREATE"}],"validate":{"message":"The Secret named {{request.object.spec.jobTemplate.spec.template.spec.volumes[0].secret.secretName}} is restricted and may not be used.","pattern":{"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"image":"registry.domain.com/*"}]}}}}}}}}}`), + } + + assert.DeepEqual(t, rulePatches, expectedPatches) +} diff --git a/pkg/webhooks/mutation.go b/pkg/webhooks/mutation.go index c665300cac..9ad194ad82 100644 --- a/pkg/webhooks/mutation.go +++ b/pkg/webhooks/mutation.go @@ -81,7 +81,7 @@ func (ws *WebhookServer) HandleMutation( err := ws.openAPIController.ValidateResource(*engineResponse.PatchedResource.DeepCopy(), engineResponse.PatchedResource.GetAPIVersion(), engineResponse.PatchedResource.GetKind()) if err != nil { - logger.V(4).Info("validation error", "policy", policy.Name, "error", err.Error()) + logger.Info("validation error", "policy", policy.Name, "error", err.Error()) continue } diff --git a/test/best_practices/select-secrets.yaml b/test/best_practices/select-secrets.yaml new file mode 100644 index 0000000000..46de36bbe9 --- /dev/null +++ b/test/best_practices/select-secrets.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: select-secrets +spec: + background: false + validationFailureAction: enforce + rules: + - name: select-secrets-from-volumes + match: + resources: + kinds: + - Pod + context: + - name: volsecret + apiCall: + urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{request.object.spec.volumes[0].secret.secretName}}" + jmesPath: "metadata.labels.foo" + preconditions: + - key: "{{ request.operation }}" + operator: Equals + value: "CREATE" + validate: + message: "The Secret named {{request.object.spec.volumes[0].secret.secretName}} is restricted and may not be used." + pattern: + spec: + containers: + - image: "registry.domain.com/*" \ No newline at end of file