Relax rule context validation to follow JMESPath grammar (#3129)

Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2025-03-29 10:55:05 +00:00 · 2022-01-31 18:23:59 +00:00 · 2022-01-31 18:23:59 +00:00 · 98284114f5
commit 98284114f5
parent 7a55d26d89
4 changed files with 47 additions and 2 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -1111,9 +1111,12 @@ func validateRuleContext(rule kyverno.Rule) error {
 	}

 	ruleBytes, _ := json.Marshal(rule)
-	ruleString := strings.ReplaceAll(string(ruleBytes), " ", "")
 	for _, contextName := range contextNames {
-		if !strings.Contains(ruleString, fmt.Sprintf("{{"+contextName)) && !strings.Contains(ruleString, fmt.Sprintf("{{\\\""+contextName)) {
+		contextRegex, err := regexp.Compile(fmt.Sprintf(`{{.*\b%s\b.*}}`, contextName))
+		if err != nil {
+			return fmt.Errorf("unable to validate context variable `%s`, %w", contextName, err)
+		}
+		if !contextRegex.Match(ruleBytes) {
 			return fmt.Errorf("context variable `%s` is not used in the policy", contextName)
 		}
 	}
--- a/test/cli/test/variables/cm-multiple-example.yaml
+++ b/test/cli/test/variables/cm-multiple-example.yaml
@ -0,0 +1,25 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cm-multiple-example
+spec:
+  rules:
+  - name: example-configmap-lookup
+    context:
+    - name: dictionary
+      configMap:
+        name: some-config-map
+        namespace: some-namespace
+    - name: anotherdictionary
+      configMap:
+        name: another-config-map
+        namespace: some-namespace
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      pattern:
+        metadata:
+          labels:
+            my-environment-name: "{{dictionary.data.env || anotherdictionary.data.env }}"
--- a/test/cli/test/variables/kyverno-test.yaml
+++ b/test/cli/test/variables/kyverno-test.yaml
@ -1,6 +1,7 @@
 name: test-variables
 policies:
  - cm-variable-example.yaml
+  - cm-multiple-example.yaml
  - cm-array-example.yaml
  - cm-blk-scalar-example.yaml
  - cm-globalval-example.yaml
@ -9,6 +10,16 @@ resources:
  - resources.yaml
 variables: variables.yaml
 results:
+  - policy: cm-multiple-example
+    rule: example-configmap-lookup
+    resource: test-env-test
+    kind: Pod
+    result: pass
+  - policy: cm-multiple-example
+    rule: example-configmap-lookup
+    resource: test-env-dev
+    kind: Pod
+    result: fail
  - policy: cm-variable-example
    rule: example-configmap-lookup
    resource: test-env-test
--- a/test/cli/test/variables/variables.yaml
+++ b/test/cli/test/variables/variables.yaml
@ -1,4 +1,10 @@
 policies:
+  - name: cm-multiple-example
+    rules:
+      - name: example-configmap-lookup
+        values:
+          dictionary.data.env: ''
+          anotherdictionary.data.env: test
  - name: cm-variable-example
    rules:
      - name: example-configmap-lookup