From c282f7121231b435499a1e4edffa439182e72544 Mon Sep 17 00:00:00 2001
From: Damien Degois
Date: Fri, 3 Jan 2025 17:16:37 +0100
Subject: [PATCH] remove policy exception dependancy from globalcontext and add some tests (#11788)

Signed-off-by: Damien Degois
Co-authored-by: shuting
---
 cmd/kyverno/main.go | 5 +-
 pkg/validation/globalcontext/validate.go | 13 +----
 pkg/validation/globalcontext/validate_test.go | 47 +++++++++----------
 pkg/webhooks/globalcontext/validate.go | 12 ++---
 4 files changed, 27 insertions(+), 50 deletions(-)

diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 2948b80a34..422e30b444 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -40,7 +40,6 @@ import (
 runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
 "github.com/kyverno/kyverno/pkg/validatingadmissionpolicy"
 "github.com/kyverno/kyverno/pkg/validation/exception"
- "github.com/kyverno/kyverno/pkg/validation/globalcontext"
 "github.com/kyverno/kyverno/pkg/webhooks"
 webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception"
 webhooksglobalcontext "github.com/kyverno/kyverno/pkg/webhooks/globalcontext"
@@ -585,9 +584,7 @@ func main() {
 Enabled: internal.PolicyExceptionEnabled(),
 Namespace: internal.ExceptionNamespace(),
 })
- globalContextHandlers := webhooksglobalcontext.NewHandlers(globalcontext.ValidationOptions{
- Enabled: internal.PolicyExceptionEnabled(),
- })
+ globalContextHandlers := webhooksglobalcontext.NewHandlers()
 server := webhooks.NewServer(
 signalCtx,
 policyHandlers,
diff --git a/pkg/validation/globalcontext/validate.go b/pkg/validation/globalcontext/validate.go
index c3a7ff1617..0750b034ff 100644
--- a/pkg/validation/globalcontext/validate.go
+++ b/pkg/validation/globalcontext/validate.go
@@ -7,20 +7,9 @@ import (
 kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 )
 
-const (
- disabledGctx = "Global context entry would not be processed until it is enabled."
-)
-
-type ValidationOptions struct {
- Enabled bool
-}
-
 // Validate checks global context entry is valid
-func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry, opts ValidationOptions) ([]string, error) {
+func Validate(ctx context.Context, logger logr.Logger, gctx *kyvernov2alpha1.GlobalContextEntry) ([]string, error) {
 var warnings []string
- if !opts.Enabled {
- warnings = append(warnings, disabledGctx)
- }
 errs := gctx.Validate()
 return warnings, errs.ToAggregate()
 }
diff --git a/pkg/validation/globalcontext/validate_test.go b/pkg/validation/globalcontext/validate_test.go
index e15c6bea97..ddb7b8fad5 100644
--- a/pkg/validation/globalcontext/validate_test.go
+++ b/pkg/validation/globalcontext/validate_test.go
@@ -11,7 +11,6 @@ import (
 
 func Test_Validate(t *testing.T) {
 type args struct {
- opts ValidationOptions
 resource []byte
 }
 tc := []struct {
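Review bot: With the `opts` gate gone, `warnings` in the new `Validate` body is a dead local that is always nil, so the body can shrink to `return nil, gctx.Validate().ToAggregate()` while keeping the `([]string, error)` return for existing callers. The `ctx` and `logger` parameters are now unused as well; if they stay for signature stability, the doc comment should say so, e.g. `// Validate checks that a GlobalContextEntry is well formed; it currently returns no warnings and does not use ctx or logger.` The test hunk later in this patch appears to only count warnings, so either form should keep it passing.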
@@ -21,45 +20,41 @@ func Test_Validate(t *testing.T) {
 wantErr bool
 }{
 {
- name: "GlobalContextEntry disabled.",
+ name: "GlobalContextEntry with both KubernetesResource and APICall present",
 args: args{
- opts: ValidationOptions{
- Enabled: false,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
- },
- want: 1,
- wantErr: false,
- },
- {
- name: "GlobalContextEntry enabled, both KubernetesResource and APICall present",
- args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
 resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"},"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
 },
 want: 0,
 wantErr: true,
 },
 {
- name: "GlobalContextEntry enabled, neither KubernetesResource nor APICall present",
+ name: "GlobalContextEntry with neither KubernetesResource nor APICall present",
 args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
 resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{}}}`),
 },
 want: 0,
 wantErr: true,
 },
 {
- name: "GlobalContextEntry enabled.",
+ name: "GlobalContextEntry with only KubernetesResource present",
 args: args{
- opts: ValidationOptions{
- Enabled: true,
- },
- resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"ingress"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"group":"apis/networking.k8s.io","version":"v1","resource":"ingresses","namespace":"apps"}}}`),
+ },
+ want: 0,
+ wantErr: false,
+ },
+ {
+ name: "GlobalContextEntry with a core KubernetesResource present",
+ args: args{
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-kubernetesresource"},"spec":{"kubernetesResource":{"version":"v1","resource":"namespaces"}}}`),
+ },
+ want: 0,
+ wantErr: false,
+ },
+ {
+ name: "GlobalContextEntry with only APICall present",
+ args: args{
+ resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"GlobalContextEntry","metadata":{"name":"gce-apicall"},"spec":{"apiCall":{"service":{"url":"https://svc.kyverno/example","caBundle":"-----BEGIN CERTIFICATE-----\n-----REDACTED-----\n-----END CERTIFICATE-----"},"refreshInterval":"10ns"}}}`),
 },
 want: 0,
 wantErr: false,
@@ -69,7 +64,7 @@ func Test_Validate(t *testing.T) {
 t.Run(c.name, func(t *testing.T) {
 gctx, err := admissionutils.UnmarshalGlobalContextEntry(c.args.resource)
 assert.NilError(t, err)
- warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx, c.args.opts)
+ warnings, err := Validate(context.Background(), logging.GlobalLogger(), gctx)
 if c.wantErr {
 assert.Assert(t, err != nil)
 } else {
diff --git a/pkg/webhooks/globalcontext/validate.go b/pkg/webhooks/globalcontext/validate.go
index a29003c609..02e553451a 100644
--- a/pkg/webhooks/globalcontext/validate.go
+++ b/pkg/webhooks/globalcontext/validate.go
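Review bot: The new fixture in the `only KubernetesResource present` case sets `"group":"apis/networking.k8s.io"` and expects no error, yet an API group is normally just `networking.k8s.io`, with `apis/` being the request-path prefix rather than part of the group. Either the fixture should read `"group":"networking.k8s.io"` or, if `Validate` is intentionally lenient about group syntax, the case name should say that the group is not checked so the test documents the behaviour it pins. The same value appears in the pre-existing `both present` case, where it is masked by the expected error. If the validator is supposed to reject malformed groups, a negative case would catch that regression. The `Test_Validate` body continues outside this hunk.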
@@ -11,14 +11,10 @@ import (
 "github.com/kyverno/kyverno/pkg/webhooks/handlers"
 )
 
-type gctxHandlers struct {
- validationOptions validation.ValidationOptions
-}
+type gctxHandlers struct{}
 
-func NewHandlers(validationOptions validation.ValidationOptions) webhooks.GlobalContextHandlers {
- return &gctxHandlers{
- validationOptions: validationOptions,
- }
+func NewHandlers() webhooks.GlobalContextHandlers {
+ return &gctxHandlers{}
 }
 
 // Validate performs the validation check on global context entries
@@ -28,7 +24,7 @@ func (h *gctxHandlers) Validate(ctx context.Context, logger logr.Logger, request
 logger.Error(err, "failed to unmarshal global context entry from admission request")
 return admissionutils.Response(request.UID, err)
 }
- warnings, err := validation.Validate(ctx, logger, gctx, h.validationOptions)
+ warnings, err := validation.Validate(ctx, logger, gctx)
 if err != nil {
 logger.Error(err, "global context entry validation errors")
 }
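Review bot: `NewHandlers` is exported and was rewritten here, but it still carries no doc comment; a one-liner such as `// NewHandlers returns the webhook handlers used to validate GlobalContextEntry admission requests.` would let godoc and linters surface it alongside the documented `Validate` method below. Now that `gctxHandlers` is an empty struct the type could carry a short comment too, e.g. `// gctxHandlers implements webhooks.GlobalContextHandlers; it holds no state.`, which makes the intentional statelessness explicit to the next maintainer. The `Validate` method touched by the second hunk starts and ends outside it.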