
fix: match failure action case insensitively for validating old object (#11486)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
Vishal Choudhary 2024-11-06 21:40:56 +05:30 committed by GitHub
parent 7c6f0e7d59
commit b35aaab898
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 147 additions and 3 deletions


@ -120,7 +120,7 @@ func (h validateAssertHandler) Process(
}
// process the old object for UPDATE admission requests in case of enforce policies
if action == kyvernov1.Enforce {
if action.Enforce() {
allowExisitingViolations := rule.HasValidateAllowExistingViolations()
if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations {
errs, err := validateOldObject(ctx, policyContext, rule, payload, bindings)
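Review bot: The new guard `if action.Enforce() {` reads as a plain boolean and nothing in the hunk records that it replaces the case-sensitive `== kyvernov1.Enforce` comparison, so the existing header comment should carry that, e.g. `// process the old object for UPDATE admission requests in case of enforce policies; Enforce() matches the failure action case-insensitively, do not compare against kyvernov1.Enforce directly`. The same three-line guard (Enforce check, HasValidateAllowExistingViolations, IsUpdateRequest) is now duplicated verbatim here, in the validatePssHandler.validate hunk and in the validator.validate hunk, so a small shared helper in engineutils taking the action, rule and policy context would keep the three sites from diverging again. Any remaining direct `== kyvernov1.Enforce` comparisons elsewhere in the package would still be case-sensitive, which is worth a search before merge since I cannot see the rest of the file. Process starts and ends outside this hunk.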


@ -141,7 +141,7 @@ func (h validatePssHandler) validate(
}
// process the old object for UPDATE admission requests in case of enforce policies
if action == kyvernov1.Enforce {
if action.Enforce() {
allowExisitingViolations := rule.HasValidateAllowExistingViolations()
if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations {
priorResp, err := h.validateOldObject(ctx, logger, policyContext, resource, rule, engineLoader, exceptions)


@ -154,7 +154,7 @@ func (v *validator) validate(ctx context.Context) *engineapi.RuleResponse {
}
// process the old object for UPDATE admission requests in case of enforce policies
if action == kyvernov1.Enforce {
if action.Enforce() {
allowExisitingViolations := v.rule.HasValidateAllowExistingViolations()
if engineutils.IsUpdateRequest(v.policyContext) && allowExisitingViolations && v.nesting == 0 { // is update request and is the root level validate
priorResp, err := v.validateOldObject(ctx)


@ -0,0 +1,15 @@
## Description
This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
## Expected Behavior
1. A pod is created that violates the policy.
2. The policy is applied.
3. A pod is created that follows the policy.
4. Violating changes on bad pad does not cause error.
5. Violating changes in good pod causes error.
6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
## Reference Issue(s)
8837


@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod-validate-existing
namespace: default


@ -0,0 +1,8 @@
if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
then
echo "Test failed, updating violating preexisting resource should not throw error"
exit 1
else
echo "Test succeed, updating violating preexisting resource does not throw error"
exit 0
fi
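Review bot: The `else` branch reports success whenever the expected validation message is absent, so a kubectl failure for any other reason (pod not found, API unreachable, a different admission rejection) makes this test pass. The scenario under test is that the update is allowed, so the condition should be the command's own exit status: `if kubectl label po badpod-validate-existing foo=bad1 --overwrite` with the "Test succeed" branch under `then` and the "Test failed" branch under `else`. A `#!/bin/sh` first line would also make explicit how chainsaw executes `./bad-pod-update-test.sh`, though I cannot tell from here whether the runner already supplies a shell.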


@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: badpod-validate-existing
namespace: default
labels:
foo: bad
spec:
containers:
- name: container01
image: busybox:1.35
args:
- sleep
- 1d


@ -0,0 +1,47 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: enforce-validate-existing
spec:
steps:
- name: step-01
try:
- apply:
file: bad-pod.yaml
- assert:
file: bad-pod-ready.yaml
- name: create policy
use:
template: ../../../../../_step-templates/create-policy.yaml
with:
bindings:
- name: file
value: policy.yaml
- name: wait policy ready
use:
template: ../../../../../_step-templates/cluster-policy-ready.yaml
with:
bindings:
- name: name
value: check-labels-validate-existing
- name: step-03
try:
- apply:
file: good-pod.yaml
- assert:
file: good-pod-ready.yaml
- name: step-04
try:
- script:
content: ./bad-pod-update-test.sh
timeout: 30s
- name: step-05
try:
- script:
content: ./good-pod-update-test.sh
timeout: 30s
- name: step-06
try:
- script:
content: ./update-bad-pod-to-comply.sh
timeout: 30s


@ -0,0 +1,5 @@
apiVersion: v1
kind: Pod
metadata:
name: goodpod-validate-existing
namespace: default


@ -0,0 +1,8 @@
if kubectl label po goodpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
then
echo "Test succeed, updating violating resource throws error"
exit 0
else
echo "Test failed, updating violating resource did not throw error"
exit 1
fi


@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: goodpod-validate-existing
namespace: default
labels:
foo: bar
spec:
containers:
- name: container01
image: busybox:1.35
args:
- sleep
- 1d


@ -0,0 +1,19 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-labels-validate-existing
spec:
background: true
validationFailureAction: enforce
rules:
- name: check-labels
match:
any:
- resources:
kinds:
- Pod
validate:
pattern:
metadata:
labels:
=(foo): "bar"
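Review bot: `validationFailureAction: enforce` is written in lowercase, which is presumably the exact form this commit makes the handlers accept, but nothing in the fixture says so and a later cleanup could normalise it to `Enforce` and silently stop exercising the fix. Suggest a comment above the field: `# lowercase on purpose: exercises case-insensitive matching of the failure action (#11486)`. The `=(foo)` conditional anchor also means pods without a `foo` label pass outright, which the good/bad fixtures rely on; a one-line comment on the pattern stating that would save the next reader a trip to the anchor docs.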


@ -0,0 +1,9 @@
kubectl label po badpod-validate-existing foo=bar --overwrite
if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
then
echo "Test succeed, updating violating resource throws error"
exit 0
else
echo "Test failed, updating violating resource did not throw error"
exit 1
fi
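Review bot: The preparatory `kubectl label po badpod-validate-existing foo=bar --overwrite` on the first line is not checked, so if that update is rejected or the pod is missing the script carries on and later fails with the misleading message "did not throw error". Guard it so the failure is reported where it happens: `kubectl label po badpod-validate-existing foo=bar --overwrite || { echo "Test failed, could not bring bad pod into compliance"; exit 1; }`. As in the other two scripts, a `#!/bin/sh` first line would make the interpreter explicit.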