diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go
index e1f01bb6f6..c591423300 100644
--- a/pkg/engine/handlers/validation/validate_cel.go
+++ b/pkg/engine/handlers/validation/validate_cel.go
@@ -47,11 +47,6 @@ func (h validateCELHandler) Process(
 _ engineapi.EngineContextLoader,
 exceptions []*kyvernov2.PolicyException,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
- if engineutils.IsDeleteRequest(policyContext) {
- logger.V(3).Info("skipping CEL validation on deleted resource")
- return resource, nil
- }
-
 // check if there is a policy exception matches the incoming resource
 exception := engineutils.MatchesException(exceptions, policyContext, logger)
 if exception != nil {
@@ -76,16 +71,12 @@ func (h validateCELHandler) Process(
 // get resource's name, namespace, GroupVersionResource, and GroupVersionKind
 gvr := schema.GroupVersionResource(policyContext.RequestResource())
- gvk := resource.GroupVersionKind()
- namespaceName := resource.GetNamespace()
- resourceName := resource.GetName()
- resourceKind, _ := policyContext.ResourceKind()
+ gvk, _ := policyContext.ResourceKind()
 policyKind := policyContext.Policy().GetKind()
 policyName := policyContext.Policy().GetName()
- object := resource.DeepCopyObject()
- // in case of update request, set the oldObject to the current resource before it gets updated
- var oldObject runtime.Object
+ // in case of UPDATE requests, set the oldObject to the current resource before it gets updated
+ var object, oldObject runtime.Object
 oldResource := policyContext.OldResource()
 if oldResource.Object == nil {
 oldObject = nil
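Review bot: Dropping the IsDeleteRequest early return makes CEL rules run on DELETE admission requests, where the incoming object is absent, and neither this hunk nor the doc comment of Process (which starts above it) records that contract for policy authors. An expression that dereferences `object` will now fail to evaluate on DELETE instead of being skipped, which is presumably why every conformance policy in this change restricts `operations` to CREATE/UPDATE; whether that evaluation failure is reported as a deny or a pass is decided further down in Process, outside this hunk. I would add above the exception check `// DELETE requests are evaluated as well: object is nil and only oldObject is populated, so rules must read oldObject or restrict their operations.`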
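Review bot: The error from `policyContext.ResourceKind()` is discarded at `gvk, _ := ...`, and gvk now feeds the Namespace special case, the admission attributes record and the authorizer, whereas the previous `resource.GroupVersionKind()` could not fail. On a lookup failure the rule would proceed with an empty GroupVersionKind and evaluate against the wrong identity instead of reporting an error. I would write `gvk, err := policyContext.ResourceKind()` followed by `if err != nil { return resource, handlers.WithError(rule, engineapi.Validation, "failed to get resource kind", err) }`, matching the error handling the same commit adds for NewVersionedAttributes. The hunk's trailing context lines appear truncated on this page, so the `if oldResource.Object == nil` branch is only partly visible here.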
@@ -93,6 +84,18 @@ func (h validateCELHandler) Process(
 oldObject = oldResource.DeepCopyObject()
 }
+ var ns, name string
+ // in case of DELETE request, get the name and the namespace from the old object
+ if resource.Object == nil {
+ ns = oldResource.GetNamespace()
+ name = oldResource.GetName()
+ object = nil
+ } else {
+ ns = resource.GetNamespace()
+ name = resource.GetName()
+ object = resource.DeepCopyObject()
+ }
+
 // check if the rule uses parameter resources
 hasParam := rule.Validation.CEL.HasParam()
 // extract preconditions written as CEL expressions
@@ -129,11 +132,11 @@ func (h validateCELHandler) Process(
 // Special case, the namespace object has the namespace of itself.
 // unset it if the incoming object is a namespace
 if gvk.Kind == "Namespace" && gvk.Version == "v1" && gvk.Group == "" {
- namespaceName = ""
+ ns = ""
 }
- if namespaceName != "" {
+ if ns != "" {
 if h.client != nil {
- namespace, err = h.client.GetNamespace(ctx, namespaceName, metav1.GetOptions{})
+ namespace, err = h.client.GetNamespace(ctx, ns, metav1.GetOptions{})
 if err != nil {
 return resource, handlers.WithResponses(
 engineapi.RuleError(rule.Name, engineapi.Validation, "Error getting the resource's namespace", err),
@@ -142,7 +145,7 @@ func (h validateCELHandler) Process(
 } else {
 namespace = &corev1.Namespace{
 ObjectMeta: metav1.ObjectMeta{
- Name: namespaceName,
+ Name: ns,
 },
 }
 }
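Review bot: The DELETE branch is selected by `resource.Object == nil` rather than by the request operation, and when `oldResource.Object` is nil as well (the branch above leaves oldObject nil in that case) the code continues with empty `ns`/`name` and both objects nil into the attributes record, the authorizer and the CEL evaluation. I would fail the rule before that point rather than evaluate a policy against no object at all, e.g. returning a rule error when both `resource.Object` and `oldResource.Object` are nil. The comment says DELETE but the condition does not consult the operation; if `engineutils.IsDeleteRequest(policyContext)` (removed from the top of Process in this commit) expresses the same condition, using it here would keep the intent and the check aligned. `object = nil` in the first branch is redundant with the zero value from `var object, oldObject runtime.Object` and can be dropped.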
@@ -150,16 +153,20 @@ func (h validateCELHandler) Process(
 requestInfo := policyContext.AdmissionInfo()
 userInfo := internal.NewUser(requestInfo.AdmissionUserInfo.Username, requestInfo.AdmissionUserInfo.UID, requestInfo.AdmissionUserInfo.Groups)
- admissionAttributes := admission.NewAttributesRecord(object, oldObject, gvk, namespaceName, resourceName, gvr, "", admission.Operation(policyContext.Operation()), nil, false, &userInfo)
- versionedAttr, _ := admission.NewVersionedAttributes(admissionAttributes, admissionAttributes.GetKind(), nil)
- authorizer := internal.NewAuthorizer(h.client, resourceKind)
+ attr := admission.NewAttributesRecord(object, oldObject, gvk, ns, name, gvr, "", admission.Operation(policyContext.Operation()), nil, false, &userInfo)
+ o := admission.NewObjectInterfacesFromScheme(runtime.NewScheme())
+ versionedAttr, err := admission.NewVersionedAttributes(attr, attr.GetKind(), o)
+ if err != nil {
+ return resource, handlers.WithError(rule, engineapi.Validation, "error while creating versioned attributes", err)
+ }
+ authorizer := internal.NewAuthorizer(h.client, gvk)
 // validate the incoming object against the rule
 var validationResults []validating.ValidateResult
 if hasParam {
 paramKind := rule.Validation.CEL.ParamKind
 paramRef := rule.Validation.CEL.ParamRef
- params, err := collectParams(ctx, h.client, paramKind, paramRef, namespaceName)
+ params, err := collectParams(ctx, h.client, paramKind, paramRef, ns)
 if err != nil {
 return resource, handlers.WithResponses(
 engineapi.RuleError(rule.Name, engineapi.Validation, "error in parameterized resource", err),
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml
index f0764c84b8..6e67025bea 100644
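Review bot: `admission.NewObjectInterfacesFromScheme(runtime.NewScheme())` builds a fresh, empty scheme on every rule evaluation; since no types are registered, the conversion inside NewVersionedAttributes can only succeed when the object already carries the same GroupVersionKind as `attr.GetKind()`, as far as I recall from the apiserver admission package. That used to hold trivially because gvk came from `resource.GroupVersionKind()`, but gvk is now taken from `policyContext.ResourceKind()`, so any mismatch between the request kind and the object's own apiVersion/kind would surface as the new "error while creating versioned attributes" rule error and deserves a comment or a test on that path. The scheme is never mutated here and could be a package-level `var objectInterfaces = admission.NewObjectInterfacesFromScheme(runtime.NewScheme())` to avoid the per-call allocation. Surfacing the previously ignored error is the right change. Process continues past the end of this hunk.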
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure(deprecated)/policy.yaml
@@ -14,6 +14,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 message: "hostPort must either be unset or set to 0"
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
index 65f57e6bd0..8c71277459 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/cel-messages-upon-resource-failure/policy.yaml
@@ -13,6 +13,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 message: "hostPort must either be unset or set to 0"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml
index 6afcf2b5bc..eb08d34a9b 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/with-permissions/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 expressions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml
index 662dc2ea9e..27e569cf3e 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/authorizor-checks/without-permissions/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 expressions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml
index fe4ebfdb42..e0f665f3c6 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-preconditions/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 celPreconditions:
 - name: "first match condition in CEL"
 expression: "object.metadata.name.matches('nginx-pod')"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml
index e1274adcdf..99e8bbf198 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/cel-variables/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 variables:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml
index 259b0b8008..532a7c5adf 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/check-statefulset-namespace/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - StatefulSet
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 expressions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml
index bfefda93de..3d96b277e8 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/disallow-host-port/policy.yaml
@@ -14,6 +14,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 expressions:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml
index ca5716d203..3b37f76105 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/clusterscoped/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Namespace
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 paramKind:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
index e926bcc125..c18925c108 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Namespace
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 paramKind:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
index ab29121404..deab5d0eb9 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 paramKind:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
index 8f0ed08d44..eba6725116 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel(deprecated)/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
@@ -12,6 +12,9 @@ spec:
 - resources:
 kinds:
 - StatefulSet
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 cel:
 paramKind:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
index 66f0c9e98d..63d5eaee6a 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/with-permissions/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
index 974805b88a..63bd49605d 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/authorizor-checks/without-permissions/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
index 6077f42fff..988e9ff54c 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-preconditions/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 celPreconditions:
 - name: "first match condition in CEL"
 expression: "object.metadata.name.matches('nginx-pod')"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
index 9570aeb63d..3948acf86c 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/cel-variables/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
index 35f274b711..953ace56a6 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/check-statefulset-namespace/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - StatefulSet
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/README.md
new file mode 100644
index 0000000000..73f701bf9f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test creates a policy that uses CEL expressions to deny the creation/deletion/update of any pod.
+
+## Expected Behavior
+
+Any pod creation/deletion/update is blocked.
+
+## Reference Issue(s)
+
+10576
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/chainsaw-test.yaml
new file mode 100755
index 0000000000..eb59f9fa42
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/chainsaw-test.yaml
@@ -0,0 +1,32 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: deny
+spec:
+ steps:
+ - name: step-01
+ try:
+ - script:
+ content: kubectl run nginx --image=nginx
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-03
+ try:
+ - script:
+ content: "if kubectl run --image=busybox foo\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
+ - name: step-04
+ try:
+ - script:
+ content: "if kubectl label pod nginx app=nginx\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
+ - name: step-05
+ try:
+ - script:
+ content: "if kubectl delete pod nginx\nthen \n exit 1\nelse \n exit
+ 0\nfi\n"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy-assert.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy-assert.yaml
new file mode 100644
index 0000000000..ea680d38cb
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-operations-on-pod
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml
new file mode 100644
index 0000000000..6f0075b777
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/deny/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-operations-on-pod
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: rule-1
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ cel:
+ expressions:
+ - expression: "false"
+ message: Create, update and delete on pods is not allowed
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml
index 6fdda0a983..e693b76821 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-fail.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: webserver
+ name: webserver-2
 spec:
 containers:
 - name: webserver
 image: nginx:latest
 ports:
 - hostPort: 80
+ containerPort: 80
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml
index 5c766069f2..10d8d0b766 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/pod-pass.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: webserver
+ name: webserver-1
 spec:
 containers:
 - name: webserver
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
index 71ec477511..3478a63887 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/disallow-host-port/policy.yaml
@@ -13,6 +13,9 @@ spec:
 - resources:
 kinds:
 - Pod
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
index ed00dbbc6a..9e0cf79fde 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/clusterscoped/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Namespace
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
index 990c1c7cb0..f75bde91a3 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/match-clusterscoped-resource/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Namespace
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
index 74a7638ef3..995e40fcc9 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/set-paramref-namespace/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - Deployment
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel:
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
index 7a772f313e..471044a1ae 100644
--- a/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/cel/parameter-resources/namespaced/unset-paramref-namespace/policy.yaml
@@ -11,6 +11,9 @@ spec:
 - resources:
 kinds:
 - StatefulSet
+ operations:
+ - CREATE
+ - UPDATE
 validate:
 validationFailureAction: Enforce
 cel: