From a1081c8f82cc0ea17411fcf6e6e8a1839e09ac65 Mon Sep 17 00:00:00 2001 From: Mohan B E <54951236+b-entangled@users.noreply.github.com> Date: Sat, 19 Sep 2020 00:48:13 +0530 Subject: [PATCH] fixed policy validationa and patch strategic merge bug (#1136) --- pkg/engine/mutate/strategicPreprocessing.go | 15 +++++++++++++-- .../mutate/strategicPreprocessing_test.go | 18 +++++++++++++++++- pkg/policy/validate.go | 4 ++-- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/pkg/engine/mutate/strategicPreprocessing.go b/pkg/engine/mutate/strategicPreprocessing.go index e2ae6a9b45..69e02cc5cf 100644 --- a/pkg/engine/mutate/strategicPreprocessing.go +++ b/pkg/engine/mutate/strategicPreprocessing.go @@ -103,7 +103,7 @@ func walkMap(pattern, resource *yaml.RNode) error { if ind == -1 { continue } - + // remove anchor tags from value // A MappingNode contains keyNode and Value node // keyNode contains it's key value in it's Value field, So remove anchor tags from Value field @@ -131,6 +131,17 @@ func walkMap(pattern, resource *yaml.RNode) error { return err } } + } else { + // remove anchors from patterns where there is no specific key exists in resource. + // Ex :- + // pattern : {"annotations": {"+(add-annotation)":"true" }} + // resource : No "annotations" key + if hasAnchors(pattern) { + err := preProcessPattern(patternMapNode.Value, resource) + if err != nil { + return err + } + } } } return nil @@ -484,7 +495,7 @@ func hasAnchors(pattern *yaml.RNode) bool { } for _, key := range fields { - if anchor.IsConditionAnchor(key) { + if anchor.IsConditionAnchor(key) || anchor.IsAddingAnchor(key) { return true } patternMapNode := pattern.Field(key) diff --git a/pkg/engine/mutate/strategicPreprocessing_test.go b/pkg/engine/mutate/strategicPreprocessing_test.go index 93ea79100f..a210524e0d 100644 --- a/pkg/engine/mutate/strategicPreprocessing_test.go +++ b/pkg/engine/mutate/strategicPreprocessing_test.go @@ -95,7 +95,6 @@ func Test_preProcessStrategicMergePatch_Deployment(t *testing.T) { } } - func Test_preProcessStrategicMergePatch_Annotation(t *testing.T) { rawPolicy := []byte(`{"metadata":{"annotations":{"+(cluster-autoscaler.kubernetes.io/safe-to-evict)":true}},"spec":{"volumes":[{"(hostPath)":{"path":"*"}}]}}`) @@ -112,3 +111,20 @@ func Test_preProcessStrategicMergePatch_Annotation(t *testing.T) { t.FailNow() } } + +func Test_preProcessStrategicMergePatch_BlankAnnotation(t *testing.T) { + rawPolicy := []byte(`{"metadata":{"annotations":{"+(cluster-autoscaler.kubernetes.io/safe-to-evict)":true},"labels":{"+(add-labels)":"add"}},"spec":{"volumes":[{"(hostPath)":{"path":"*"}}]}}`) + + rawResource := []byte(`{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx"},"spec":{"containers":[{"name":"nginx","image":"nginx:latest","imagePullPolicy":"Never","volumeMounts":[{"mountPath":"/cache","name":"cache-volume"}]}],"volumes":[{"name":"cache-volume","hostPath":{"path":"/data","type":"Directory"}}]}}`) + + expected := `{"metadata":{"annotations":{"cluster-autoscaler.kubernetes.io/safe-to-evict":true},"labels":{"add-labels":"add"}},"spec":{"volumes":[{"name":"cache-volume"}]}}` + + preProcessedPolicy, err := preProcessStrategicMergePatch(string(rawPolicy), string(rawResource)) + assert.NilError(t, err) + output, err := preProcessedPolicy.String() + assert.NilError(t, err) + re := regexp.MustCompile("\\n") + if !assertnew.Equal(t, strings.ReplaceAll(expected, " ", ""), strings.ReplaceAll(re.ReplaceAllString(output, ""), " ", "")) { + t.FailNow() + } +} diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go index 136ca94705..d45a32fce1 100644 --- a/pkg/policy/validate.go +++ b/pkg/policy/validate.go @@ -70,8 +70,8 @@ func Validate(policyRaw []byte, client *dclient.Client, mock bool, openAPIContro } for _, resList := range res { for _, r := range resList.APIResources { - if r.Namespaced == false { - if clusterResourcesMap[r.Kind] != nil { + if !r.Namespaced { + if _, ok := clusterResourcesMap[r.Kind]; !ok { clusterResourcesMap[r.Kind] = &Empty } }