diff --git a/pkg/engine/handlers/validation/validate_assert.go b/pkg/engine/handlers/validation/validate_assert.go
index 50d518028c..b9c4619ab6 100644
--- a/pkg/engine/handlers/validation/validate_assert.go
+++ b/pkg/engine/handlers/validation/validate_assert.go
@@ -120,7 +120,7 @@ func (h validateAssertHandler) Process(
 }
 // process the old object for UPDATE admission requests in case of enforce policies
- if action == kyvernov1.Enforce {
+ if action.Enforce() {
 allowExisitingViolations := rule.HasValidateAllowExistingViolations()
 if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations {
 errs, err := validateOldObject(ctx, policyContext, rule, payload, bindings)
diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go
index 39507d7efe..7caab62175 100644
--- a/pkg/engine/handlers/validation/validate_pss.go
+++ b/pkg/engine/handlers/validation/validate_pss.go
@@ -141,7 +141,7 @@ func (h validatePssHandler) validate(
 }
 // process the old object for UPDATE admission requests in case of enforce policies
- if action == kyvernov1.Enforce {
+ if action.Enforce() {
 allowExisitingViolations := rule.HasValidateAllowExistingViolations()
 if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations {
 priorResp, err := h.validateOldObject(ctx, logger, policyContext, resource, rule, engineLoader, exceptions)
diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go
index 037ad53b4a..8da0c55659 100644
--- a/pkg/engine/handlers/validation/validate_resource.go
+++ b/pkg/engine/handlers/validation/validate_resource.go
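Review bot: The new `if action.Enforce() {` makes the old-object (allow-existing-violations) branch depend on the method's matching rules rather than on string equality with `kyvernov1.Enforce`, and nothing at the call site records what those rules are; the same change appears in the validate_pss.go hunk on this line and in the validate_resource.go hunk that follows. Judging from the new conformance test, whose policy.yaml uses the lowercase `validationFailureAction: enforce`, the method presumably also accepts that deprecated spelling, which the old comparison did not — a behaviour change for existing policies that is worth stating where the branch is taken. Suggest extending the comment to `// process the old object for UPDATE admission requests in case of enforce policies (action.Enforce() rather than ==, so the deprecated lowercase spelling is treated as enforce as well)`, adjusted once the method's semantics are confirmed. Any remaining direct comparisons against `kyvernov1.Enforce` or `kyvernov1.Audit` elsewhere in the engine would still miss such policies; the enclosing functions start before each hunk and continue after it.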
@@ -154,7 +154,7 @@ func (v *validator) validate(ctx context.Context) *engineapi.RuleResponse {
 }
 // process the old object for UPDATE admission requests in case of enforce policies
- if action == kyvernov1.Enforce {
+ if action.Enforce() {
 allowExisitingViolations := v.rule.HasValidateAllowExistingViolations()
 if engineutils.IsUpdateRequest(v.policyContext) && allowExisitingViolations && v.nesting == 0 { // is update request and is the root level validate
 priorResp, err := v.validateOldObject(ctx)
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/README.md b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/README.md
new file mode 100644
index 0000000000..b80a445992
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-ready.yaml
new file mode 100644
index 0000000000..6237f13b13
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-update-test.sh
new file mode 100755
index 0000000000..0b014f2f51
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod.yaml
new file mode 100644
index 0000000000..74872026de
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/chainsaw-test.yaml
new file mode 100755
index 0000000000..f994f350bc
--- /dev/null
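Review bot: In bad-pod-update-test.sh the pass condition is only that kubectl's output does not contain `validation error: rule check-labels`, so any other failure of `kubectl label po badpod-validate-existing foo=bad1 --overwrite` (pod missing, API unreachable, a differently worded denial) also prints "Test succeed" and exits 0; the test should pass only when the update itself is admitted. Checking kubectl's exit status directly removes both the false pass and the dependency on the message wording. None of the three scripts declares an interpreter even though chainsaw-test.yaml executes them directly via `content: ./bad-pod-update-test.sh`; this presumably works only because the invoking shell falls back to interpreting a non-binary file, so a `#!/bin/sh` line would make it explicit (good-pod-update-test.sh and update-bad-pod-to-comply.sh likewise).
```shell
#!/bin/sh
# An update to a pre-existing violating object must be admitted; a rejection or
# any other kubectl failure is a test failure, independent of the message text.
if ! kubectl label po badpod-validate-existing foo=bad1 --overwrite
then
  echo "Test failed, updating violating preexisting resource should not throw error"
  exit 1
fi
echo "Test succeed, updating violating preexisting resource does not throw error"
exit 0
```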
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/chainsaw-test.yaml
@@ -0,0 +1,47 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-pod.yaml
+ - assert:
+ file: bad-pod-ready.yaml
+ - name: create policy
+ use:
+ template: ../../../../../_step-templates/create-policy.yaml
+ with:
+ bindings:
+ - name: file
+ value: policy.yaml
+ - name: wait policy ready
+ use:
+ template: ../../../../../_step-templates/cluster-policy-ready.yaml
+ with:
+ bindings:
+ - name: name
+ value: check-labels-validate-existing
+ - name: step-03
+ try:
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod-ready.yaml
+ - name: step-04
+ try:
+ - script:
+ content: ./bad-pod-update-test.sh
+ timeout: 30s
+ - name: step-05
+ try:
+ - script:
+ content: ./good-pod-update-test.sh
+ timeout: 30s
+ - name: step-06
+ try:
+ - script:
+ content: ./update-bad-pod-to-comply.sh
+ timeout: 30s
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-ready.yaml
new file mode 100644
index 0000000000..09cd254f50
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-update-test.sh
new file mode 100755
index 0000000000..611bd8ee9d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po goodpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod.yaml
new file mode 100644
index 0000000000..917664364d
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/policy.yaml
new file mode 100644
index 0000000000..9f43234e79
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-validate-existing
+spec:
+ background: true
+ validationFailureAction: enforce
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ pattern:
+ metadata:
+ labels:
+ =(foo): "bar"
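Review bot: good-pod-update-test.sh treats the appearance of `validation error: rule check-labels` in kubectl's combined output as proof that the update was rejected, but never confirms that the stored object is unchanged; if that text were ever surfaced as an admission warning while the change was admitted, or if the wording changed, the result would be misreported. A read-back after the `if` ties the pass condition to the outcome rather than to the message: `[ "$(kubectl get po goodpod-validate-existing -o jsonpath='{.metadata.labels.foo}')" = "bar" ] || { echo "Test failed, label was changed"; exit 1; }`. The same read-back, expecting `bar`, applies to the final check in update-bad-pod-to-comply.sh.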
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/update-bad-pod-to-comply.sh
new file mode 100755
index 0000000000..27437a10d6
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/standard/enforce/enforce-validate-existing-deprecated/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod-validate-existing foo=bar --overwrite
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
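Review bot: The first line, `kubectl label po badpod-validate-existing foo=bar --overwrite`, brings the pod into compliance but its exit status is ignored; if that update is rejected or fails for another reason the pod keeps `foo: bad`, the following `foo=bad1` update is then admitted as an existing violation (the behaviour step-04 expects), and the script prints "Test failed, updating violating resource did not throw error" — a message that points at the wrong step. Fail fast with a distinct message instead: `kubectl label po badpod-validate-existing foo=bar --overwrite || { echo "Test failed, could not bring bad pod into compliance"; exit 1; }`. Like the other two scripts, this one would also benefit from an explicit `#!/bin/sh` line, since chainsaw-test.yaml executes it directly.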