
fix: skip generating VAPs when a namespace name contains wildcards (#10205)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
Mariam Fahmy 2024-05-10 22:19:10 +08:00 committed by GitHub
parent 6fec52436a
commit 900bf48ecf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 105 additions and 0 deletions


@ -104,6 +104,12 @@ func checkResources(resource kyvernov1.ResourceDescription) (bool, string) {
return false, msg
}
}
for _, ns := range resource.Namespaces {
if wildcard.ContainsWildcard(ns) {
msg = "skip generating ValidatingAdmissionPolicy: wildcards in namespace name is not applicable."
return false, msg
}
}
return true, msg
}
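Review bot: The message assigned on the `msg = "skip generating ValidatingAdmissionPolicy: ..."` line is ungrammatical and does not say what is unsupported; suggest `msg = "skip generating ValidatingAdmissionPolicy: wildcard namespace names are not supported."`. The security-relevant consequence of returning false here is also worth a comment above the new loop, e.g. `// VAP match rules cannot express wildcard namespace names; fall back to webhook enforcement.` — I infer from the accompanying assert fixture (`generated: false`) that the rule is then enforced by Kyverno's own webhook, and if skipping instead left the rule unenforced that would be a fail-open worth confirming. The characters treated as wildcards come from `wildcard.ContainsWildcard`, which is not in the hunk, and `checkResources` begins before it.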


@ -32,6 +32,40 @@ func Test_Check_Resources(t *testing.T) {
`),
expected: true,
},
{
name: "namespaces-with-wildcards",
resource: []byte(`
{
"kinds": [
"Service"
],
"namespaces": [
"prod-*"
],
"operations": [
"CREATE"
]
}
`),
expected: false,
},
{
name: "resource-names-with-wildcards",
resource: []byte(`
{
"kinds": [
"Service"
],
"names": [
"svc-*"
],
"operations": [
"CREATE"
]
}
`),
expected: false,
},
{
name: "resource-with-annotations",
resource: []byte(`
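Review bot: The new `namespaces-with-wildcards` case only covers a list whose single entry is a `*` pattern, so it does not pin that one wildcard entry in a longer list is enough to skip generation, which is exactly what the e2e policy fixture relies on. Consider a case with `"namespaces": ["prod-*", "staging"]` expecting false, and one using `?` if `wildcard.ContainsWildcard` treats it as a wildcard (that helper is not in the hunk, so I cannot confirm). A plain-name case such as `"namespaces": ["staging"]` expecting true would guard against the check ever rejecting literal names.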


@ -0,0 +1,19 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: cpol-any-match-resources-in-namespaces-with-wildcard
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- error:
file: validatingadmissionpolicy.yaml
- error:
file: validatingadmissionpolicybinding.yaml
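Review bot: The test proves that no ValidatingAdmissionPolicy or binding is created, but nothing proves the rule is still enforced by the Kyverno webhook once VAP generation is skipped, so a regression that silently dropped the rule would still pass. A third step that creates a Pod without the `app` label in a namespace matching `prod-*` and asserts the expected PolicyReport result (the policy uses `Audit`, so the admission itself will succeed) would close that gap. The `error:` checks in step-02 also pass trivially if the generator runs asynchronously; they are meaningful here only because step-01 first waits for `generated: false` in the policy status, which is worth noting in the test.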


@ -0,0 +1,12 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app-5
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
validatingadmissionpolicy:
generated: false


@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app-5
spec:
validationFailureAction: Audit
rules:
- name: check-label-app
match:
any:
- resources:
kinds:
- Pod
namespaces:
- "prod-*"
- "staging"
validate:
cel:
expressions:
- expression: "'app' in object.metadata.labels"
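Review bot: The CEL expression on the last line dereferences `object.metadata.labels` without a presence check, and for a Pod with no labels at all that field is absent, so the expression may produce an evaluation error rather than a clean `false`. The conventional form is `- expression: "has(object.metadata.labels) && 'app' in object.metadata.labels"`. How Kyverno reports a CEL evaluation error versus a failed validation is not visible in this change, so whether it matters for the test outcome is inferred, not established.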


@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app-5
spec: {}
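Review bot: This negative fixture pins the absence check to `admissionregistration.k8s.io/v1alpha1`; if the generator writes the policy at a different served version (e.g. `v1beta1` on newer clusters), the `error:` step could pass for the wrong reason, because no object is found at the version it queries. Verify that the API version here matches the one the generator actually uses, and consider a comment such as `# must match the API version the VAP generator writes` so the coupling is visible.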


@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app-5-binding
spec: {}