mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 07:26:55 +00:00
Code Activity

fix: kyverno test wrongly finds 'patchedResource mismatch' due to wrong order in array (#8362)

Browse source 
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-09-12 19:57:23 +02:00 committed by GitHub
parent 0688c9b369
commit 954415a311
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 575 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
test/cli/test-mutate/bug-demo/kyverno-test.yaml Normal file
View file

@ -0,0 +1,13 @@
name: bug-demo
policies:
- ./policy.yaml
resources:
- ./resource.yaml
results:
- policy: bug-demo
rule: mutate1
resources:
- pod1
kind: Pod
patchedResource: patched-resource-pattern.yaml
result: pass

289
test/cli/test-mutate/bug-demo/patched-resource-pattern.yaml Normal file
View file

@ -0,0 +1,289 @@
apiVersion: v1
kind: Pod
metadata:
name: pod1
namespace: default
spec:
containers:
- image: dummy
name: main-1
securityContext:
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
runAsUser: 1
- image: dummy
name: main-2
securityContext:
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: false
runAsNonRoot: false
- image: dummy
name: main-3
securityContext:
capabilities:
drop:
- ALL
privileged: false
runAsNonRoot: true
- image: dummy
name: main-4
securityContext:
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
privileged: false
runAsNonRoot: false
runAsUser: 0
- image: dummy
name: main-5
securityContext:
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
privileged: false
- image: dummy
name: main-6
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: false
runAsUser: 0
- image: dummy
name: main-7
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: false
runAsNonRoot: true
runAsUser: 0
- image: dummy
name: main-8
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: false
runAsNonRoot: false
runAsUser: 1
- image: dummy
name: main-9
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: false
runAsUser: 1
- image: dummy
name: main-10
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
runAsNonRoot: false
runAsUser: 0
- image: dummy
name: main-11
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: true
- image: dummy
name: main-12
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
runAsNonRoot: true
runAsUser: 0
- image: dummy
name: main-13
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
runAsNonRoot: false
runAsUser: 1
- image: dummy
name: main-14
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
runAsUser: 1
- image: dummy
name: main-15
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
runAsNonRoot: false
- image: dummy
name: main-16
securityContext:
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
runAsUser: 0
- image: dummy
name: main-17
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
- image: dummy
name: main-18
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
runAsNonRoot: true
runAsUser: 1
- image: dummy
name: main-19
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsNonRoot: true
runAsUser: 1
- image: dummy
name: main-20
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
privileged: true
runAsUser: 0
- image: dummy
name: main-21
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
privileged: true
- image: dummy
name: main-22
securityContext:
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsNonRoot: true
runAsUser: 0
- image: dummy
name: main-23
securityContext:
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsNonRoot: false
runAsUser: 1
- image: dummy
name: main-24
securityContext:
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsUser: 1
- image: dummy
name: main-25
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsNonRoot: false
runAsUser: 0
- image: dummy
name: main-26
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- FOO
drop:
- SYS_ADMIN
privileged: true
runAsNonRoot: false
- image: dummy
name: main-27
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_ADMIN
- FOO
drop: []
privileged: true
runAsNonRoot: true

84
test/cli/test-mutate/bug-demo/policy.yaml Normal file
View file

@ -0,0 +1,84 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: bug-demo
annotations:
pod-policies.kyverno.io/autogen-controllers: "none"
spec:
background: false
validationFailureAction: enforce
rules:
- name: mutate1
match:
all:
- resources:
kinds:
- v1/Pod
mutate:
foreach:
- list: |-
request.object.spec.containers || `[]`
context:
- name: container_path
variable:
value: "/spec/containers/{{ elementIndex }}"
patchesJson6902: |-
{{
[
contains(['main-1','main-3','main-11'], element.name)
&&
[
{
op: 'remove',
path: join('/', [container_path, 'securityContext/capabilities/add'])
}
,
{
op: 'add',
path: join('/', [container_path, 'securityContext/capabilities/drop'])
value: ['ALL']
}
]
|| `[]`
,
contains(['main-2','main-6','main-7','main-8','main-9','main-10','main-16','main-17','main-19','main-22','main-23','main-24','main-25','main-26'], element.name)
&&
[
{
op: 'add',
path: join('/', [container_path, 'securityContext/capabilities/add'])
value: ['FOO']
}
,
{
op: 'add',
path: join('/', [container_path, 'securityContext/capabilities', 'drop'])
value: ['SYS_ADMIN']
}
]
|| `[]`
,
contains(['main-4','main-5','main-12','main-13','main-14','main-15','main-18','main-20','main-21','main-27'], element.name)
&&
[
{
op: 'add',
path: join('/', [container_path, 'securityContext/capabilities/add'])
value: ['SYS_ADMIN', 'FOO']
}
,
{
op: 'add',
path: join('/', [container_path, 'securityContext/capabilities/drop'])
value: `[]`
}
]
|| `[]`
][]
|
to_string(@)
}}

189
test/cli/test-mutate/bug-demo/resource.yaml Normal file
View file

@ -0,0 +1,189 @@
apiVersion: v1
kind: Pod
metadata:
name: pod1
spec:
containers:
- name: main-1
image: dummy
securityContext:
privileged: false
runAsUser: 1
runAsNonRoot: true
- name: main-2
image: dummy
securityContext:
privileged: false
runAsNonRoot: false
- name: main-3
image: dummy
securityContext:
privileged: false
runAsNonRoot: true
- name: main-4
image: dummy
securityContext:
privileged: false
runAsUser: 0
runAsNonRoot: false
capabilities:
add:
- SYS_ADMIN
- name: main-5
image: dummy
securityContext:
privileged: false
capabilities:
add:
- SYS_ADMIN
- name: main-6
image: dummy
securityContext:
privileged: false
allowPrivilegeEscalation: true
runAsUser: 0
- name: main-7
image: dummy
securityContext:
privileged: false
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: true
- name: main-8
image: dummy
securityContext:
privileged: false
allowPrivilegeEscalation: true
runAsUser: 1
runAsNonRoot: false
- name: main-9
image: dummy
securityContext:
privileged: false
allowPrivilegeEscalation: true
runAsUser: 1
- name: main-10
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
runAsNonRoot: false
- name: main-11
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
- name: main-12
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsUser: 0
runAsNonRoot: true
capabilities:
add:
- SYS_ADMIN
- name: main-13
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1
runAsNonRoot: false
capabilities:
add:
- SYS_ADMIN
- name: main-14
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1
capabilities:
add:
- SYS_ADMIN
- name: main-15
image: dummy
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: false
capabilities:
add:
- SYS_ADMIN
- name: main-16
image: dummy
securityContext:
runAsUser: 0
- name: main-17
image: dummy
securityContext:
allowPrivilegeEscalation: true
- name: main-18
image: dummy
securityContext:
allowPrivilegeEscalation: true
runAsUser: 1
runAsNonRoot: true
capabilities:
add:
- SYS_ADMIN
- name: main-19
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: false
runAsUser: 1
runAsNonRoot: true
- name: main-20
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: false
runAsUser: 0
capabilities:
add:
- SYS_ADMIN
- name: main-21
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: false
capabilities:
add:
- SYS_ADMIN
- name: main-22
image: dummy
securityContext:
privileged: true
runAsUser: 0
runAsNonRoot: true
- name: main-23
image: dummy
securityContext:
privileged: true
runAsUser: 1
runAsNonRoot: false
- name: main-24
image: dummy
securityContext:
privileged: true
runAsUser: 1
- name: main-25
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: true
runAsUser: 0
runAsNonRoot: false
- name: main-26
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: true
runAsNonRoot: false
- name: main-27
image: dummy
securityContext:
privileged: true
allowPrivilegeEscalation: true
runAsNonRoot: true
capabilities:
add:
- SYS_ADMIN