From acf3729354ccda9ed67b4758ce30d96a83bbb704 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 20 Jul 2023 00:54:33 +0800
Subject: [PATCH] feat: enable operator boolean comparison (#7847)
* feat: enable operator boolean comparison
Signed-off-by: ShutingZhao
* Test: add kuttl test
Signed-off-by: ShutingZhao
---------
Signed-off-by: ShutingZhao
---
 pkg/engine/variables/operator/allin.go | 2 +-
 pkg/engine/variables/operator/allnotin.go | 2 +-
 pkg/engine/variables/operator/anyin.go | 2 +-
 pkg/engine/variables/operator/anynotin.go | 2 +-
 pkg/engine/variables/operator/in.go | 2 +-
 pkg/engine/variables/operator/notin.go | 2 +-
 .../operator-anyin-boolean/01-policy.yaml | 32 +++++++++++++++++++
 .../operator-anyin-boolean/02-assert.yaml | 9 ++++++
 .../operator-anyin-boolean/03-pod-fail.yaml | 5 +++
 .../enforce/operator-anyin-boolean/README.md | 12 +++++++
 .../enforce/operator-anyin-boolean/pod.yaml | 29 +++++++++++++++++
 11 files changed, 93 insertions(+), 6 deletions(-)
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml
diff --git a/pkg/engine/variables/operator/allin.go b/pkg/engine/variables/operator/allin.go
index b45f26b54b..7ecb7c877b 100644
--- a/pkg/engine/variables/operator/allin.go
+++ b/pkg/engine/variables/operator/allin.go
@@ -29,7 +29,7 @@ func (allin AllInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return allin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return allin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/allnotin.go b/pkg/engine/variables/operator/allnotin.go
index acbd971b43..c149ac3791 100644
--- a/pkg/engine/variables/operator/allnotin.go
+++ b/pkg/engine/variables/operator/allnotin.go
@@ -26,7 +26,7 @@ func (allnin AllNotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return allnin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return allnin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/anyin.go b/pkg/engine/variables/operator/anyin.go
index ba32794fbf..87777b65f9 100644
--- a/pkg/engine/variables/operator/anyin.go
+++ b/pkg/engine/variables/operator/anyin.go
@@ -31,7 +31,7 @@ func (anyin AnyInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return anyin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return anyin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/anynotin.go b/pkg/engine/variables/operator/anynotin.go
index 56e9f04994..7988c43dd5 100644
--- a/pkg/engine/variables/operator/anynotin.go
+++ b/pkg/engine/variables/operator/anynotin.go
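Review bot: Adding `bool` to the numeric case routes boolean keys through `fmt.Sprint`, so the key `true` is compared as the text `true` and becomes indistinguishable from a string key `"true"`; a comment on the new case line, `// scalar keys (numbers and bools) are compared by their fmt.Sprint text, so true matches "true"`, would record that this coercion is intended. The identical one-line change appears in allnotin.go, anyin.go, anynotin.go, in.go and notin.go; with six Evaluate bodies carrying the same type switch, a shared helper that normalises a scalar key to its string form would keep the handlers from drifting apart again. The change only widens the key side — whether a boolean, or the list of booleans the kuttl policy supplies, is accepted on the value side depends on validateValueWithStringPattern, which is outside the hunk and gets no unit test in this commit. Evaluate's body continues outside the hunk.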
@@ -26,7 +26,7 @@ func (anynin AnyNotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return anynin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return anynin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/in.go b/pkg/engine/variables/operator/in.go
index 12993c2011..0873193846 100644
--- a/pkg/engine/variables/operator/in.go
+++ b/pkg/engine/variables/operator/in.go
@@ -30,7 +30,7 @@ func (in InHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return in.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return in.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/notin.go b/pkg/engine/variables/operator/notin.go
index 0549b9ae29..bf52ef4572 100644
--- a/pkg/engine/variables/operator/notin.go
+++ b/pkg/engine/variables/operator/notin.go
@@ -28,7 +28,7 @@ func (nin NotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return nin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return nin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
new file mode 100644
index 0000000000..6bf3852832
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: operator-anyin-boolean-cpol
+ # annotations:
+ # pod-policies.kyverno.io/autogen-controllers: none
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: check-commands
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ preconditions:
+ all:
+ - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}"
+ operator: GreaterThan
+ value: 0
+ - key: "{{ request.operation }}"
+ operator: NotEquals
+ value: DELETE
+ validate:
+ message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes.
+ deny:
+ conditions:
+ any:
+ - key: true
+ operator: AnyIn
+ value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}"
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml
new file mode 100644
index 0000000000..7e920d3527
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: operator-anyin-boolean-cpol
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml
new file mode 100644
index 0000000000..e0222cdb89
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml
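Review bot: The deny message promises to block `jcmd`, `ps` and `ls`, but the only condition tests `regex_match('\\bjcmd\\b',@)`, so a probe running `ps` or `ls` is admitted while the rejection text claims otherwise; either narrow the text to `message: Cannot use the command `jcmd` in liveness probes.` or widen the pattern to something like `'\\b(jcmd|ps|ls)\\b'`. This matters for the fixture, because pod.yaml's container04 runs `cat | ls -l`, which the policy as written never matches — the step is rejected only because of container01, so the scenario does not exercise the behaviour the message describes. Since `shouldFail: true` cannot show which container tripped the rule, a second pod carrying only the `ls` probe would be needed to cover that path. The commented-out `autogen-controllers: none` annotation should be dropped or given a one-line reason; left as is it only raises the question of whether autogen was meant to be disabled.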
@@ -0,0 +1,5 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+ - file: pod.yaml
+ shouldFail: true
\ No newline at end of file
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md
new file mode 100644
index 0000000000..a18f638bb5
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md
@@ -0,0 +1,12 @@
+## Description
+
+This test mainly verifies that the operator AllIn work properly with the boolean comparison.
+
+## Expected Behavior
+
+1. The clusterpolicy is created correctly.
+2. Failed to create resources in because the deny condition is true.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7045
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml
new file mode 100644
index 0000000000..ee459edcfd
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: operator-anyin-boolean-pod
+spec:
+ containers:
+ - name: container01
+ image: czjunkfoo
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - jcmd | grep Main
+ - name: container02
+ image: czjunkfoo
+ - name: container03
+ image: czjunkfoo
+ livenessProbe:
+ httpGet:
+ port: 8080
+ - name: container04
+ image: czjunkfoo
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - cat | ls -l
\ No newline at end of file