fix: add validation for generate namespace policy (#5346)

* fix: add validation for generate namespace policy - generate of cluster scope resource not allowed - Only allowed to generate resource in policy namespace Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * add unit tests to validate the behaviour Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> * fix error logs Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Signed-off-by: prateekpandey14 <prateek.pandey@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2022-11-17 13:13:51 +05:30 · 2022-11-17 13:13:51 +05:30 · c0f479add9
commit c0f479add9
parent 1b4da0e632
2 changed files with 193 additions and 6 deletions
--- a/pkg/policy/validate.go
+++ b/pkg/policy/validate.go
@ -153,7 +153,7 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 	clusterResources := sets.NewString()
 	if !mock && namespaced {
 		// Get all the cluster type kind supported by cluster
-		res, err := discovery.ServerPreferredResources(client.Discovery().DiscoveryInterface())
+		res, err = discovery.ServerPreferredResources(client.Discovery().DiscoveryInterface())
 		if err != nil {
 			if discovery.IsGroupDiscoveryFailedError(err) {
 				err := err.(*discovery.ErrGroupDiscoveryFailed)
@ -236,11 +236,10 @@ func Validate(policy kyvernov1.PolicyInterface, client dclient.Interface, mock b
 				return warnings, validateMatchKindHelper(rule)
 			}
 		}
-
 		// validate Cluster Resources in namespaced policy
 		// For namespaced policy, ClusterResource type field and values are not allowed in match and exclude
 		if namespaced {
-			return warnings, checkClusterResourceInMatchAndExclude(rule, clusterResources, mock, res)
+			return warnings, checkClusterResourceInMatchAndExclude(rule, clusterResources, policy.GetNamespace(), mock, res)
 		}

 		// validate rule actions
@ -1090,7 +1089,7 @@ func validateMatchedResourceDescription(rd kyvernov1.ResourceDescription) (strin

 // checkClusterResourceInMatchAndExclude returns false if namespaced ClusterPolicy contains cluster wide resources in
 // Match and Exclude block
-func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources sets.String, mock bool, res []*metav1.APIResourceList) error {
+func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources sets.String, policyNamespace string, mock bool, res []*metav1.APIResourceList) error {
 	if !mock {
 		// Check for generate policy
 		// - if resource to be generated is namespaced resource then the namespace field
@ -1099,18 +1098,41 @@ func checkClusterResourceInMatchAndExclude(rule kyvernov1.Rule, clusterResources
 		// should not be mentioned
 		if rule.HasGenerate() {
 			generateResourceKind := rule.Generation.Kind
-			generateResourceAPIVersion := rule.Generation.APIVersion
 			for _, resList := range res {
 				for _, r := range resList.APIResources {
-					if r.Kind == generateResourceKind && (len(generateResourceAPIVersion) == 0 || r.Version == generateResourceAPIVersion) {
+					if r.Kind == generateResourceKind {
 						if r.Namespaced {
 							if rule.Generation.Namespace == "" {
 								return fmt.Errorf("path: spec.rules[%v]: please mention the namespace to generate a namespaced resource", rule.Name)
 							}
+							if rule.Generation.Namespace != policyNamespace {
+								return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace)
+							}
+							if rule.Generation.Clone.Namespace != policyNamespace {
+								return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resource in other namespace, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Clone.Namespace)
+							}
 						} else {
 							if rule.Generation.Namespace != "" {
 								return fmt.Errorf("path: spec.rules[%v]: do not mention the namespace to generate a non namespaced resource", rule.Name)
 							}
+							if policyNamespace != "" {
+								return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate cluster-wide resources", rule.Name)
+							}
+						}
+					} else if len(rule.Generation.CloneList.Kinds) != 0 {
+						for _, kind := range rule.Generation.CloneList.Kinds {
+							_, splitkind := kubeutils.GetKindFromGVK(kind)
+							if r.Kind == splitkind {
+								if r.Namespaced {
+									if rule.Generation.CloneList.Namespace != policyNamespace {
+										return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot clone resource in other namespace, expected: %v, received: %v", rule.Name, policyNamespace, rule.Generation.Namespace)
+									}
+								} else {
+									if policyNamespace != "" {
+										return fmt.Errorf("path: spec.rules[%v]: a namespaced policy cannot generate cluster-wide resources", rule.Name)
+									}
+								}
+							}
 						}
 					}
 				}
--- a/pkg/policy/validate_test.go
+++ b/pkg/policy/validate_test.go
@ -12,6 +12,8 @@ import (
 	"gotest.tools/assert"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )

@ -1130,6 +1132,136 @@ func Test_Namespced_Policy(t *testing.T) {
 	assert.Assert(t, err != nil)
 }

+func Test_Namespaced_Generate_Policy(t *testing.T) {
+	testcases := []struct {
+		description     string
+		rule            []byte
+		policyNamespace string
+		expectedError   error
+	}{
+		{
+			description: "Only generate resource where the policy exists",
+			rule: []byte(`
+			{"name": "gen-zk",
+                "generate": {
+                    "synchronize": false,
+                    "apiVersion": "v1",
+                    "kind": "ConfigMap",
+                    "name": "zk",
+                    "namespace": "default",
+                    "data": {
+                        "kind": "ConfigMap",
+                        "metadata": {
+                            "labels": {
+                                "somekey": "somevalue"
+                            }
+                        },
+                        "data": {
+                            "ZK_ADDRESS": "192.168.10.10:2181",
+                            "KAFKA_ADDRESS": "192.168.10.13:9092"
+                        }
+                    }
+                }
+					}`),
+			policyNamespace: "poltest",
+			expectedError:   errors.New("path: spec.rules[gen-zk]: a namespaced policy cannot generate resources in other namespaces, expected: poltest, received: default"),
+		},
+		{
+			description: "Not allowed to clone resource outside the policy namespace",
+			rule: []byte(`
+        {
+            "name": "sync-image-pull-secret",
+            "generate": {
+                "apiVersion": "v1",
+                "kind": "Secret",
+                "name": "secret-basic-auth-gen",
+                "namespace": "poltest",
+                "synchronize": true,
+                "clone": {
+                    "namespace": "default",
+                    "name": "secret-basic-auth"
+                }
+            }
+        }`),
+			policyNamespace: "poltest",
+			expectedError:   errors.New("path: spec.rules[sync-image-pull-secret]: a namespaced policy cannot clone resource in other namespace, expected: poltest, received: default"),
+		},
+		{
+			description: "Do not mention the namespace to generate cluster scoped resource",
+			rule: []byte(`
+        {
+            "name": "sync-clone",
+            "generate": {
+                "apiVersion": "storage.k8s.io/v1",
+                "kind": "StorageClass",
+                "name": "local-class",
+                "namespace": "poltest",
+                "synchronize": true,
+                "clone": {
+                    "name": "pv-class"
+                }
+            }
+        }`),
+			policyNamespace: "poltest",
+			expectedError:   errors.New("path: spec.rules[sync-clone]: do not mention the namespace to generate a non namespaced resource"),
+		},
+		{
+			description: "Not allowed to clone cluster scoped resource",
+			rule: []byte(`
+        {
+            "name": "sync-clone",
+            "generate": {
+                "apiVersion": "storage.k8s.io/v1",
+                "kind": "StorageClass",
+                "name": "local-class",
+                "synchronize": true,
+                "clone": {
+                    "name": "pv-class"
+                }
+            }
+        }`),
+			policyNamespace: "poltest",
+			expectedError:   errors.New("path: spec.rules[sync-clone]: a namespaced policy cannot generate cluster-wide resources"),
+		},
+		{
+			description: "Not allowed to multi clone cluster scoped resource",
+			rule: []byte(`
+    {
+        "name": "sync-multi-clone",
+        "generate": {
+            "namespace": "staging",
+            "synchronize": true,
+            "cloneList": {
+                "namespace": "staging",
+                "kinds": [
+                    "storage.k8s.io/v1/StorageClass"
+                ],
+                "selector": {
+                    "matchLabels": {
+                        "allowedToBeCloned": "true"
+                    }
+                }
+            }
+        }
+    }`),
+			policyNamespace: "staging",
+			expectedError:   errors.New("path: spec.rules[sync-multi-clone]: a namespaced policy cannot generate cluster-wide resources"),
+		},
+	}
+	for _, tc := range testcases {
+		t.Run(tc.description, func(t *testing.T) {
+			var rule kyverno.Rule
+			_ = json.Unmarshal(tc.rule, &rule)
+			err := checkClusterResourceInMatchAndExclude(rule, sets.NewString(), tc.policyNamespace, false, testResourceList())
+			if tc.expectedError != nil {
+				assert.Error(t, err, tc.expectedError.Error())
+			} else {
+				assert.NilError(t, err)
+			}
+		})
+	}
+}
+
 func Test_patchesJson6902_Policy(t *testing.T) {
 	rawPolicy := []byte(`
 	{
@ -2057,3 +2189,36 @@ func Test_ValidateNamespace(t *testing.T) {
 		})
 	}
 }
+
+func testResourceList() []*metav1.APIResourceList {
+	return []*metav1.APIResourceList{
+		{
+			GroupVersion: "v1",
+			APIResources: []metav1.APIResource{
+				{Name: "pods", Namespaced: true, Kind: "Pod"},
+				{Name: "services", Namespaced: true, Kind: "Service"},
+				{Name: "replicationcontrollers", Namespaced: true, Kind: "ReplicationController"},
+				{Name: "componentstatuses", Namespaced: false, Kind: "ComponentStatus"},
+				{Name: "nodes", Namespaced: false, Kind: "Node"},
+				{Name: "secrets", Namespaced: true, Kind: "Secret"},
+				{Name: "configmaps", Namespaced: true, Kind: "ConfigMap"},
+				{Name: "namespacedtype", Namespaced: true, Kind: "NamespacedType"},
+				{Name: "namespaces", Namespaced: false, Kind: "Namespace"},
+				{Name: "resourcequotas", Namespaced: true, Kind: "ResourceQuota"},
+			},
+		},
+		{
+			GroupVersion: "apps/v1",
+			APIResources: []metav1.APIResource{
+				{Name: "deployments", Namespaced: true, Kind: "Deployment"},
+				{Name: "replicasets", Namespaced: true, Kind: "ReplicaSet"},
+			},
+		},
+		{
+			GroupVersion: "storage.k8s.io/v1",
+			APIResources: []metav1.APIResource{
+				{Name: "storageclasses", Namespaced: false, Kind: "StorageClass"},
+			},
+		},
+	}
+}