refactor: ValidationFailureActionOverrides validation (#3421)

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-04-08 18:15:48 +00:00 · 2022-03-21 09:53:12 +01:00 · 2022-03-21 09:53:12 +01:00 · bdcecf9882
commit bdcecf9882
parent e454c71aa6
7 changed files with 26 additions and 27 deletions
--- a/api/kyverno/v1/clusterpolicy_test.go
+++ b/api/kyverno/v1/clusterpolicy_test.go
@ -14,7 +14,7 @@ func Test_ClusterPolicy_Name(t *testing.T) {
 			Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
 		},
 	}
-	errs := subject.Validate()
+	errs := subject.Validate(false)
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
--- a/api/kyverno/v1/clusterpolicy_types.go
+++ b/api/kyverno/v1/clusterpolicy_types.go
@ -85,11 +85,13 @@ func (p *ClusterPolicy) IsReady() bool {
 	return p.Status.IsReady()
 }

-// Validate implements programmatic validation
-func (p *ClusterPolicy) Validate() field.ErrorList {
+// Validate implements programmatic validation.
+// namespaced means that the policy is bound to a namespace and therefore
+// should not filter/generate cluster wide resources.
+func (p *ClusterPolicy) Validate(namespaced bool) field.ErrorList {
 	var errs field.ErrorList
 	errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...)
-	errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
+	errs = append(errs, p.Spec.Validate(field.NewPath("spec"), namespaced)...)
 	return errs
 }

--- a/api/kyverno/v1/policy_test.go
+++ b/api/kyverno/v1/policy_test.go
@ -14,7 +14,7 @@ func Test_Policy_Name(t *testing.T) {
 			Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method",
 		},
 	}
-	errs := subject.Validate()
+	errs := subject.Validate(true)
 	assert.Assert(t, len(errs) == 1)
 	assert.Equal(t, errs[0].Field, "name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong)
--- a/api/kyverno/v1/policy_types.go
+++ b/api/kyverno/v1/policy_types.go
@ -86,11 +86,13 @@ func (p *Policy) IsReady() bool {
 	return p.Status.IsReady()
 }

-// Validate implements programmatic validation
-func (p *Policy) Validate() field.ErrorList {
+// Validate implements programmatic validation.
+// namespaced means that the policy is bound to a namespace and therefore
+// should not filter/generate cluster wide resources.
+func (p *Policy) Validate(namespaced bool) field.ErrorList {
 	var errs field.ErrorList
 	errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...)
-	errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
+	errs = append(errs, p.Spec.Validate(field.NewPath("spec"), namespaced)...)
 	return errs
 }

--- a/api/kyverno/v1/spec_test.go
+++ b/api/kyverno/v1/spec_test.go
@ -43,7 +43,7 @@ func Test_Validate_UniqueRuleName(t *testing.T) {
 		}},
 	}
 	path := field.NewPath("dummy")
-	errs := subject.Validate(path)
+	errs := subject.Validate(path, false)
 	assert.Equal(t, len(errs), 1)
 	assert.Equal(t, errs[0].Field, "dummy.rules[1].name")
 	assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@ -145,8 +145,11 @@ func (s *Spec) ValidateRules(path *field.Path) field.ErrorList {
 }

 // Validate implements programmatic validation
-func (s *Spec) Validate(path *field.Path) field.ErrorList {
+func (s *Spec) Validate(path *field.Path, namespaced bool) field.ErrorList {
 	var errs field.ErrorList
 	errs = append(errs, s.ValidateRules(path.Child("rules"))...)
+	if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
+		errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
+	}
 	return errs
 }
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -79,36 +79,28 @@ func validateJSONPatchPathForForwardSlash(patch string) error {

 // Validate checks the policy and rules declarations for required configurations
 func Validate(policy *kyverno.ClusterPolicy, client *dclient.Client, mock bool, openAPIController *openapi.Controller) (*v1beta1.AdmissionResponse, error) {
-	var errs field.ErrorList
-	namespaced := false
+	namespaced := policy.GetNamespace() != ""
 	background := policy.Spec.Background == nil || *policy.Spec.Background
+
+	var errs field.ErrorList
 	specPath := field.NewPath("spec")

-	clusterResources := make([]string, 0)
+	if errs := policy.Validate(namespaced); len(errs) != 0 {
+		return nil, errs.ToAggregate()
+	}
+
 	err := ValidateVariables(policy, background)
 	if err != nil {
 		return nil, err
 	}

-	if errs := policy.Validate(); len(errs) != 0 {
-		return nil, errs.ToAggregate()
-	}
-
-	if policy.GetNamespace() != "" {
-		namespaced = true
-	}
-
 	var res []*metav1.APIResourceList
-
+	clusterResources := make([]string, 0)
 	if !mock && namespaced {
 		var Empty struct{}
 		clusterResourcesMap := make(map[string]*struct{})
+
 		// Get all the cluster type kind supported by cluster
-
-		if len(policy.Spec.ValidationFailureActionOverrides) > 0 {
-			return nil, fmt.Errorf("invalid policy: use of ValidationFailureActionOverrides in a Namespace Policy")
-		}
-
 		res, err := client.DiscoveryClient.DiscoveryCache().ServerPreferredResources()
 		if err != nil {
 			return nil, err