fixed policy validationa and patch strategic merge bug (#1136)
parent
0814d9e799
commit
a1081c8f82
3 changed files with 32 additions and 5 deletions
|
@ -103,7 +103,7 @@ func walkMap(pattern, resource *yaml.RNode) error {
|
|||
if ind == -1 {
|
||||
continue
|
||||
}
|
||||
|
||||
|
||||
// remove anchor tags from value
|
||||
// A MappingNode contains keyNode and Value node
|
||||
// keyNode contains it's key value in it's Value field, So remove anchor tags from Value field
|
||||
|
@ -131,6 +131,17 @@ func walkMap(pattern, resource *yaml.RNode) error {
|
|||
return err
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// remove anchors from patterns where there is no specific key exists in resource.
|
||||
// Ex :-
|
||||
// pattern : {"annotations": {"+(add-annotation)":"true" }}
|
||||
// resource : No "annotations" key
|
||||
if hasAnchors(pattern) {
|
||||
err := preProcessPattern(patternMapNode.Value, resource)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
@ -484,7 +495,7 @@ func hasAnchors(pattern *yaml.RNode) bool {
|
|||
}
|
||||
for _, key := range fields {
|
||||
|
||||
if anchor.IsConditionAnchor(key) {
|
||||
if anchor.IsConditionAnchor(key) || anchor.IsAddingAnchor(key) {
|
||||
return true
|
||||
}
|
||||
patternMapNode := pattern.Field(key)
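Review bot: In the new `else` branch of `walkMap` the guard is `hasAnchors(pattern)`, which tests the whole parent pattern, while the value then processed is `patternMapNode.Value`, and it is processed against the parent `resource` rather than a node for the missing key. Any anchored sibling therefore sends every missing key through `preProcessPattern`, and if that function evaluates condition anchors (its body is not visible here), a `(key)` condition nested under the missing key would be compared with fields one level up. Consider guarding on the sub-pattern, `if hasAnchors(patternMapNode.Value) {`, and adding a comment such as `// resource has no node for this key; sub-pattern is matched against the parent`. `hasAnchors` now also returns true for `+(...)` keys, so its other callers, which are outside these hunks, should be checked against that wider meaning.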
|
||||
|
|
|
@ -95,7 +95,6 @@ func Test_preProcessStrategicMergePatch_Deployment(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
func Test_preProcessStrategicMergePatch_Annotation(t *testing.T) {
|
||||
rawPolicy := []byte(`{"metadata":{"annotations":{"+(cluster-autoscaler.kubernetes.io/safe-to-evict)":true}},"spec":{"volumes":[{"(hostPath)":{"path":"*"}}]}}`)
|
||||
|
||||
|
@ -112,3 +111,20 @@ func Test_preProcessStrategicMergePatch_Annotation(t *testing.T) {
|
|||
t.FailNow()
|
||||
}
|
||||
}
|
||||
|
||||
func Test_preProcessStrategicMergePatch_BlankAnnotation(t *testing.T) {
|
||||
rawPolicy := []byte(`{"metadata":{"annotations":{"+(cluster-autoscaler.kubernetes.io/safe-to-evict)":true},"labels":{"+(add-labels)":"add"}},"spec":{"volumes":[{"(hostPath)":{"path":"*"}}]}}`)
|
||||
|
||||
rawResource := []byte(`{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx"},"spec":{"containers":[{"name":"nginx","image":"nginx:latest","imagePullPolicy":"Never","volumeMounts":[{"mountPath":"/cache","name":"cache-volume"}]}],"volumes":[{"name":"cache-volume","hostPath":{"path":"/data","type":"Directory"}}]}}`)
|
||||
|
||||
expected := `{"metadata":{"annotations":{"cluster-autoscaler.kubernetes.io/safe-to-evict":true},"labels":{"add-labels":"add"}},"spec":{"volumes":[{"name":"cache-volume"}]}}`
|
||||
|
||||
preProcessedPolicy, err := preProcessStrategicMergePatch(string(rawPolicy), string(rawResource))
|
||||
assert.NilError(t, err)
|
||||
output, err := preProcessedPolicy.String()
|
||||
assert.NilError(t, err)
|
||||
re := regexp.MustCompile("\\n")
|
||||
if !assertnew.Equal(t, strings.ReplaceAll(expected, " ", ""), strings.ReplaceAll(re.ReplaceAllString(output, ""), " ", "")) {
|
||||
t.FailNow()
|
||||
}
|
||||
}
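Review bot: The comparison in `Test_preProcessStrategicMergePatch_BlankAnnotation` strips every space from both strings before `assertnew.Equal`, so a whitespace difference inside a value would pass unnoticed, and `regexp.MustCompile("\\n")` is used only to drop newlines. `strings.ReplaceAll(output, "\n", "")` does the same without a regexp. The test also exercises only `+(...)` keys under the missing `annotations` and `labels`; a second case with a condition anchor `(...)` under a key the resource lacks would pin what the missing-key path does with it.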
|
||||
|
|
|
@ -70,8 +70,8 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro
|
|||
}
|
||||
for _, resList := range res {
|
||||
for _, r := range resList.APIResources {
|
||||
if r.Namespaced == false {
|
||||
if clusterResourcesMap[r.Kind] != nil {
|
||||
if !r.Namespaced {
|
||||
if _, ok := clusterResourcesMap[r.Kind]; !ok {
|
||||
clusterResourcesMap[r.Kind] = &Empty
|
||||
}
|
||||
}
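Review bot: `clusterResourcesMap` is keyed by `r.Kind` alone in the loop over `resList.APIResources`, so two API groups that use the same Kind with different scope collapse into one entry, and a namespaced Kind could be recorded as cluster-scoped. If this map decides which kinds a namespaced policy may match (its use is outside the hunk), keying by group/version plus Kind would be safer. The corrected condition also has no test in this commit: the old `!= nil` check would not add a Kind that was not already present, so a small test asserting that a cluster-scoped Kind ends up in the map would keep the inversion from returning. `Validate` continues outside the hunk.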
|
||||
|
|