remove policy exception dependancy from globalcontext and add some tests (#11788)

Signed-off-by: Damien Degois <damien@degois.info> Co-authored-by: shuting <shuting@nirmata.com>
2025-03-06 07:57:07 +00:00 · 2025-01-03 17:16:37 +01:00 · 2025-01-03 17:16:37 +01:00 · c282f71212
commit c282f71212
parent e0fe6ec59a
4 changed files with 27 additions and 50 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -40,7 +40,6 @@ import (
 	runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
 	"github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 	"github.com/kyverno/kyverno/pkg/validation/exception"
-	"github.com/kyverno/kyverno/pkg/validation/globalcontext"
 	"github.com/kyverno/kyverno/pkg/webhooks"
 	webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception"
 	webhooksglobalcontext "github.com/kyverno/kyverno/pkg/webhooks/globalcontext"
@ -585,9 +584,7 @@ func main() {
 			Enabled:   internal.PolicyExceptionEnabled(),
 			Namespace: internal.ExceptionNamespace(),
 		})
-		globalContextHandlers := webhooksglobalcontext.NewHandlers(globalcontext.ValidationOptions{
-			Enabled: internal.PolicyExceptionEnabled(),
-		})
+		globalContextHandlers := webhooksglobalcontext.NewHandlers()
 		server := webhooks.NewServer(
 			signalCtx,
 			policyHandlers,
--- a/pkg/validation/globalcontext/validate.go
+++ b/pkg/validation/globalcontext/validate.go
@ -7,20 +7,9 @@ import (
 	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 )

-const (
-	disabledGctx = "Global context entry would not be processed until it is enabled."
-)
-
-type ValidationOptions struct {
-	Enabled bool
-}
-
 // Validate checks global context entry is valid
-func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry, opts ValidationOptions) ([]string, error) {
+func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry) ([]string, error) {
 	var warnings []string
-	if !opts.Enabled {
-		warnings = append(warnings, disabledGctx)
-	}
 	errs := gctx.Validate()
 	return warnings, errs.ToAggregate()
 }
--- a/pkg/validation/globalcontext/validate_test.go
+++ b/pkg/validation/globalcontext/validate_test.go
@ -11,7 +11,6 @@ import (

 func Test_Validate(t *testing.T) {
 	type args struct {
-		opts     ValidationOptions
 		resource []byte
 	}
 	tc := []struct {
@ -21,45 +20,41 @@ func Test_Validate(t *testing.T) {
 		wantErr bool
 	}{
 		{
-			name: "GlobalContextEntry disabled.",
+			name: "GlobalContextEntry with both KubernetesResource and APICall present",
 			args: args{
-				opts: ValidationOptions{
-					Enabled: false,
-				},
-				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
-			},
-			want:    1,
-			wantErr: false,
-		},
-		{
-			name: "GlobalContextEntry enabled, both KubernetesResource and APICall present",
-			args: args{
-				opts: ValidationOptions{
-					Enabled: true,
-				},
 				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
 			},
 			want:    0,
 			wantErr: true,
 		},
 		{
-			name: "GlobalContextEntry enabled, neither KubernetesResource nor APICall present",
+			name: "GlobalContextEntry with neither KubernetesResource nor APICall present",
 			args: args{
-				opts: ValidationOptions{
-					Enabled: true,
-				},
 				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}`),
 			},
 			want:    0,
 			wantErr: true,
 		},
 		{
-			name: "GlobalContextEntry enabled.",
+			name: "GlobalContextEntry with only KubernetesResource present",
 			args: args{
-				opts: ValidationOptions{
-					Enabled: true,
-				},
-				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
+			},
+			want:    0,
+			wantErr: false,
+		},
+		{
+			name: "GlobalContextEntry with a core KubernetesResource present",
+			args: args{
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"version":"v1","resource":"namespaces"}}}`),
+			},
+			want:    0,
+			wantErr: false,
+		},
+		{
+			name: "GlobalContextEntry with only APICall present",
+			args: args{
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-apicall"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
 			},
 			want:    0,
 			wantErr: false,
@ -69,7 +64,7 @@ func Test_Validate(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			gctx, err := admissionutils.UnmarshalGlobalContextEntry(c.args.resource)
 			assert.NilError(t, err)
-			warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx, c.args.opts)
+			warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx)
 			if c.wantErr {
 				assert.Assert(t, err != nil)
 			} else {
--- a/pkg/webhooks/globalcontext/validate.go
+++ b/pkg/webhooks/globalcontext/validate.go
@ -11,14 +11,10 @@ import (
 	"github.com/kyverno/kyverno/pkg/webhooks/handlers"
 )

-type gctxHandlers struct {
-	validationOptions validation.ValidationOptions
-}
+type gctxHandlers struct{}

-func NewHandlers(validationOptions validation.ValidationOptions) webhooks.GlobalContextHandlers {
-	return &gctxHandlers{
-		validationOptions: validationOptions,
-	}
+func NewHandlers() webhooks.GlobalContextHandlers {
+	return &gctxHandlers{}
 }

 // Validate performs the validation check on global context entries
@ -28,7 +24,7 @@ func (h *gctxHandlers) Validate(ctx context.Context, logger logr.Logger, request
 		logger.Error(err, "failed to unmarshal global context entry from admission request")
 		return admissionutils.Response(request.UID, err)
 	}
-	warnings, err := validation.Validate(ctx, logger, gctx, h.validationOptions)
+	warnings, err := validation.Validate(ctx, logger, gctx)
 	if err != nil {
 		logger.Error(err, "global context entry validation errors")
 	}