diff --git a/pkg/policymutation/cronjob.go b/pkg/policymutation/cronjob.go index e18b8a7360..9518a8bf0b 100644 --- a/pkg/policymutation/cronjob.go +++ b/pkg/policymutation/cronjob.go @@ -82,6 +82,15 @@ func generateCronJobRule(rule kyverno.Rule, controllers string, log logr.Logger) return *cronJobRule } + if (jobRule.Validation != nil) && (jobRule.Validation.Deny != nil) { + newValidate := &kyverno.Validation{ + Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/jobTemplate/spec/template", "pattern"), + Deny: jobRule.Validation.Deny, + } + cronJobRule.Validation = newValidate.DeepCopy() + return *cronJobRule + } + if (jobRule.Validation != nil) && (jobRule.Validation.AnyPattern != nil) { var patterns []interface{} anyPatterns, err := jobRule.Validation.DeserializeAnyPattern() diff --git a/pkg/policymutation/policymutation.go b/pkg/policymutation/policymutation.go index d2d728019b..3166047eec 100644 --- a/pkg/policymutation/policymutation.go +++ b/pkg/policymutation/policymutation.go @@ -347,8 +347,7 @@ func CanAutoGen(policy *kyverno.ClusterPolicy, log logr.Logger) (applyAutoGen bo } } - if rule.Mutation.PatchesJSON6902 != "" || - rule.Validation.Deny != nil || rule.HasGenerate() { + if rule.Mutation.PatchesJSON6902 != "" || rule.HasGenerate() { return false, "none" } } @@ -646,6 +645,15 @@ func generateRuleForControllers(rule kyverno.Rule, controllers string, log logr. return *controllerRule } + if rule.Validation.Deny != nil { + deny := &kyverno.Validation{ + Message: variables.FindAndShiftReferences(log, rule.Validation.Message, "spec/template", "deny"), + Deny: rule.Validation.Deny, + } + controllerRule.Validation = deny.DeepCopy() + return *controllerRule + } + if rule.Validation.AnyPattern != nil { anyPatterns, err := rule.Validation.DeserializeAnyPattern() diff --git a/pkg/policymutation/policymutation_test.go b/pkg/policymutation/policymutation_test.go index 7826efb73b..88a95b71c4 100644 --- a/pkg/policymutation/policymutation_test.go +++ b/pkg/policymutation/policymutation_test.go @@ -296,7 +296,7 @@ func Test_getControllers(t *testing.T) { { name: "rule-with-deny", policy: []byte(`{"apiVersion":"kyverno.io/v1","kind":"ClusterPolicy","metadata":{"name":"test"},"spec":{"rules":[{"name":"require-network-policy","match":{"resources":{"kinds":["Pod"]}},"validate":{"message":"testpolicy","deny":{"conditions":[{"key":"{{request.object.metadata.labels.foo}}","operator":"Equals","value":"bar"}]}}}]}}`), - expectedControllers: "none", + expectedControllers: engine.PodControllers, }, { @@ -458,3 +458,41 @@ func Test_checkForGVKFormatPatch(t *testing.T) { } } } + +func Test_Deny(t *testing.T) { + dir, err := os.Getwd() + baseDir := filepath.Dir(filepath.Dir(dir)) + assert.NilError(t, err) + file, err := ioutil.ReadFile(baseDir + "/test/policy/deny/policy.yaml") + if err != nil { + t.Log(err) + } + policies, err := utils.GetPolicy(file) + if err != nil { + t.Log(err) + } + + policy := policies[0] + policy.Spec.Rules[0].MatchResources.Any = kyverno.ResourceFilters{ + { + ResourceDescription: kyverno.ResourceDescription{ + Kinds: []string{"Pod"}, + }, + }, + } + + rulePatches, errs := generateRulePatches(*policy, engine.PodControllers, log.Log) + fmt.Println("utils.JoinPatches(patches)erterter", string(utils.JoinPatches(rulePatches))) + if len(errs) != 0 { + t.Log(errs) + } + expectedPatches := [][]byte{ + []byte(`{"path":"/spec/rules/1","op":"add","value":{"name":"autogen-disallow-mount-containerd-sock","match":{"any":[{"resources":{"kinds":["DaemonSet","Deployment","Job","StatefulSet"]}}],"resources":{"kinds":["Pod"]}},"validate":{"foreach":[{"list":"request.object.spec.template.spec.volumes[]","deny":{"conditions":{"any":[{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"/var/run/containerd/containerd.sock"},{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"/run/containerd/containerd.sock"},{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"\\var\\run\\containerd\\containerd.sock"}]}}}]}}}`), + []byte(`{"path":"/spec/rules/2","op":"add","value":{"name":"autogen-cronjob-disallow-mount-containerd-sock","match":{"any":[{"resources":{"kinds":["CronJob"]}}],"resources":{"kinds":["Pod"]}},"validate":{"foreach":[{"list":"request.object.spec.jobTemplate.spec.template.spec.volumes[]","deny":{"conditions":{"any":[{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"/var/run/containerd/containerd.sock"},{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"/run/containerd/containerd.sock"},{"key":"{{ path_canonicalize(element.hostPath.path) }}","operator":"Equals","value":"\\var\\run\\containerd\\containerd.sock"}]}}}]}}}`), + } + + for i, ep := range expectedPatches { + assert.Equal(t, string(rulePatches[i]), string(ep), + fmt.Sprintf("unexpected patch: %s\nexpected: %s", rulePatches[i], ep)) + } +} diff --git a/test/policy/deny/policy.yaml b/test/policy/deny/policy.yaml new file mode 100644 index 0000000000..e099c449f8 --- /dev/null +++ b/test/policy/deny/policy.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: path-canonicalize +spec: + validationFailureAction: enforce + background: false + rules: + - name: disallow-mount-containerd-sock + match: + resources: + kinds: + - Pod + validate: + foreach: + - list: "request.object.spec.volumes[]" + deny: + conditions: + any: + - key: "{{ path_canonicalize(element.hostPath.path) }}" + operator: Equals + value: "/var/run/containerd/containerd.sock" + - key: "{{ path_canonicalize(element.hostPath.path) }}" + operator: Equals + value: "/run/containerd/containerd.sock" + - key: "{{ path_canonicalize(element.hostPath.path) }}" + operator: Equals + value: "\\var\\run\\containerd\\containerd.sock"