feat: enable operator boolean comparison (#7847)

* feat: enable operator boolean comparison

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* Test: add kuttl test

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>

pkg/engine/variables/operator/allin.go

@@ -29,7 +29,7 @@ func (allin AllInHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return allin.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return allin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

pkg/engine/variables/operator/allnotin.go

@@ -26,7 +26,7 @@ func (allnin AllNotInHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return allnin.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return allnin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

pkg/engine/variables/operator/anyin.go

@@ -31,7 +31,7 @@ func (anyin AnyInHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return anyin.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return anyin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

pkg/engine/variables/operator/anynotin.go

@@ -26,7 +26,7 @@ func (anynin AnyNotInHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return anynin.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return anynin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

pkg/engine/variables/operator/in.go

@@ -30,7 +30,7 @@ func (in InHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return in.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return in.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

pkg/engine/variables/operator/notin.go

@@ -28,7 +28,7 @@ func (nin NotInHandler) Evaluate(key, value interface{}) bool {
 	switch typedKey := key.(type) {
 	case string:
 		return nin.validateValueWithStringPattern(typedKey, value)
-	case int, int32, int64, float32, float64:
+	case int, int32, int64, float32, float64, bool:
 		return nin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 	case []interface{}:
 		var stringSlice []string

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: operator-anyin-boolean-cpol
+  # annotations:
+  #   pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+    - name: check-commands
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      preconditions:
+        all:
+        - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
+          operator: GreaterThan
+          value: 0
+        - key: "{{ request.operation }}"
+          operator: NotEquals
+          value: DELETE
+      validate:
+        message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.
+        deny:
+          conditions:
+            any:
+            - key: true
+              operator: AnyIn
+              value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+  name: operator-anyin-boolean-cpol
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml

@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+  - file: pod.yaml
+    shouldFail: true

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md

@@ -0,0 +1,12 @@
+## Description
+
+This test mainly verifies that the operator AllIn work properly with the boolean comparison.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in because the deny condition is true.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7045

test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: operator-anyin-boolean-pod
+spec:
+  containers:
+  - name: container01
+    image: czjunkfoo
+    livenessProbe:
+      exec:
+        command:
+        - /bin/sh
+        - -c
+        - jcmd | grep Main
+  - name: container02
+    image: czjunkfoo
+  - name: container03
+    image: czjunkfoo
+    livenessProbe:
+      httpGet:
+        port: 8080
+  - name: container04
+    image: czjunkfoo
+    livenessProbe:
+      exec:
+        command:
+        - /bin/sh
+        - -c
+        - cat | ls -l