mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

Fix precondition logic for mutating policies (#2271)

Browse source 
* Add test for mutation with precondition

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>

* Fix mistake which prevented correct variable substitution

Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
This commit is contained in:
Bricktop 2021-08-17 23:43:21 +02:00 committed by GitHub
parent ba00ead7f8
commit a93240c436
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 86 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/engine/mutation.go
View file

@ -101,7 +101,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
} }
// operate on the copy of the conditions, as we perform variable substitution // operate on the copy of the conditions, as we perform variable substitution
copyConditions, err := transformConditions(rule.AnyAllConditions) copyConditions, err := transformConditions(ruleCopy.AnyAllConditions)
if err != nil { if err != nil {
logger.V(2).Info("failed to load context", "reason", err.Error()) logger.V(2).Info("failed to load context", "reason", err.Error())
continue continue

85
pkg/engine/mutation_test.go
View file

@ -302,3 +302,88 @@ func Test_chained_rules(t *testing.T) {
assert.Equal(t, string(er.PolicyResponse.Rules[0].Patches[0]), `{"op":"replace","path":"/spec/containers/0/image","value":"myregistry.corp.com/foo/bash:5.0"}`) assert.Equal(t, string(er.PolicyResponse.Rules[0].Patches[0]), `{"op":"replace","path":"/spec/containers/0/image","value":"myregistry.corp.com/foo/bash:5.0"}`)
assert.Equal(t, string(er.PolicyResponse.Rules[1].Patches[0]), `{"op":"replace","path":"/spec/containers/0/image","value":"otherregistry.corp.com/foo/bash:5.0"}`) assert.Equal(t, string(er.PolicyResponse.Rules[1].Patches[0]), `{"op":"replace","path":"/spec/containers/0/image","value":"otherregistry.corp.com/foo/bash:5.0"}`)
} }
func Test_precondition(t *testing.T) {
resourceRaw := []byte(`{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nginx-config-test",
"labels": {
"app.kubernetes.io/managed-by": "Helm"
}
},
"spec": {
"containers": [
{
"image": "nginx:latest",
"name": "test-nginx"
}
]
}
}`)
policyraw := []byte(`{
"apiVersion": "kyverno.io/v1",
"kind": "ClusterPolicy",
"metadata": {
"name": "cm-variable-example"
},
"spec": {
"rules": [
{
"name": "example-configmap-lookup",
"match": {
"resources": {
"kinds": [
"Pod"
]
}
},
"preconditions": [
{
"key": "{{ request.object.metadata.labels.\"app.kubernetes.io/managed-by\"}}",
"operator": "Equals",
"value": "Helm"
}
],
"mutate": {
"patchStrategicMerge": {
"metadata": {
"labels": {
"my-added-label": "test"
}
}
}
}
}
]
}
}`)
expectedPatch := []byte(`{"op":"add","path":"/metadata/labels/my-added-label","value":"test"}`)
store.SetMock(true)
var policy kyverno.ClusterPolicy
err := json.Unmarshal(policyraw, &policy)
assert.NilError(t, err)
resourceUnstructured, err := utils.ConvertToUnstructured(resourceRaw)
assert.NilError(t, err)
ctx := context.NewContext()
err = ctx.AddResource(resourceRaw)
assert.NilError(t, err)
policyContext := &PolicyContext{
Policy: policy,
JSONContext: ctx,
NewResource: *resourceUnstructured,
}
er := Mutate(policyContext)
t.Log(string(expectedPatch))
t.Log(string(er.PolicyResponse.Rules[0].Patches[0]))
if !reflect.DeepEqual(expectedPatch, er.PolicyResponse.Rules[0].Patches[0]) {
t.Error("patches don't match")
}
}