fix: get ns labels in the cluster mode when using the CLI (#10348)
* fix: get ns labels in the cluster mode when using the CLI Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * chore: fix chainsaw test Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * Update .vscode/launch.json Co-authored-by: shuting <shuting@nirmata.com> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Mariam Fahmy <mariamfahmy66@gmail.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
0736439866
commit
c391fba64c
7 changed files with 130 additions and 1 deletions
9
.github/workflows/conformance.yaml
|
@ -967,6 +967,13 @@ jobs:
|
|||
name: kubectl-kyverno
|
||||
- name: Install chainsaw
|
||||
uses: kyverno/action-install-chainsaw@ef2517389320aae0fd7c067aa14b060eef08b76d # v0.2.3
|
||||
# create cluster
|
||||
- name: Create kind cluster
|
||||
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
|
||||
with:
|
||||
node_image: kindest/node:v1.30.0
|
||||
cluster_name: kind
|
||||
config: ./scripts/config/kind/default.yaml
|
||||
- name: Install Kyverno CLI
|
||||
shell: bash
|
||||
run: |
|
||||
|
@ -980,7 +987,7 @@ jobs:
|
|||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
run: |
|
||||
set -e
|
||||
cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml --no-cluster
|
||||
cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml
|
||||
- name: Fix test files
|
||||
shell: bash
|
||||
run: |
|
||||
|
|
|
@ -255,6 +255,14 @@ func (p *PolicyProcessor) makePolicyContext(
|
|||
return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
|
||||
}
|
||||
}
|
||||
if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" {
|
||||
ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
|
||||
if err != nil {
|
||||
log.Log.Error(err, "failed to get the resource's namespace")
|
||||
return nil, fmt.Errorf("failed to get the resource's namespace (%w)", err)
|
||||
}
|
||||
namespaceLabels = ns.GetLabels()
|
||||
}
|
||||
policyContext = policyContext.
|
||||
WithPolicy(policy).
|
||||
WithNamespaceLabels(namespaceLabels).
|
||||
|
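Review bot: The new guard on the `if p.Client != nil` line skips the namespace lookup only for kind Namespace, so any other cluster-scoped resource (a ClusterRole, a CRD, …) reaches `GetResource` with the empty name that `resource.GetNamespace()` returns, and the whole apply aborts with "failed to get the resource's namespace" for a resource that has no namespace to look up. Restrict the lookup to namespaced resources: `if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" && resource.GetNamespace() != "" {`. Failing closed when the lookup does error is the right choice, since the labels fetched here feed `WithNamespaceLabels` and so appear to decide namespaceSelector matching for policies and exceptions, but the error is both logged via `log.Log.Error` and returned wrapped, so the caller reports it twice; drop the log line and let the returned error carry it. The `context.TODO()` on the `GetResource` call is presumably because makePolicyContext takes no ctx — confirm against the signature, which lies outside the hunk. makePolicyContext starts and ends outside the hunk.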
|
|
@ -0,0 +1,16 @@
|
|||
## Description
|
||||
|
||||
This test makes sure that Kyverno CLI apply works as expected when an exception matches a pod with a namespace selector in case of cluster mode. (i.e. `--cluster` flag is set)
|
||||
|
||||
## Steps
|
||||
|
||||
1. - Create a namespace `ns-1`
|
||||
1. - Label the namespace `ns-1` with `kyverno.tess.io/mutateresource=false`
|
||||
1. - Create a pod `test-pod` in namespace `ns-1`
|
||||
1. - Create a policy that requires pod to run as non-root user.
|
||||
1. - Create an exception that matches any pod whose ns selector is `kyverno.tess.io/mutateresource=false`
|
||||
1. - Use `kyverno apply` command to apply the policy and the exception in a cluster mode. It is expected to have a `skip` as a result.
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/10260
|
|
@ -0,0 +1,28 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: apply-exception-with-ns-selector
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- script:
|
||||
content: kubectl create ns ns-1
|
||||
- name: step-02
|
||||
try:
|
||||
- script:
|
||||
content: kubectl label ns ns-1 kyverno.tess.io/mutateresource=false
|
||||
- name: step-03
|
||||
try:
|
||||
- script:
|
||||
content: kubectl apply -f pod.yaml
|
||||
- name: step-04
|
||||
try:
|
||||
- script:
|
||||
content: kyverno apply policy.yaml --exception exception.yaml --cluster --namespace ns-1
|
||||
check:
|
||||
($stdout): |-
|
||||
Applying 3 policy rule(s) to 1 resource(s) with 1 exception(s)...
|
||||
|
||||
pass: 0, fail: 0, warn: 0, error: 0, skip: 1
|
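Review bot: The namespace `ns-1` created in step-01 by a raw `kubectl create ns` script has no matching cleanup step, and as far as I know chainsaw only tracks resources created through its own apply/create operations, so the labeled namespace and its test-pod outlive the test. With `--no-cluster` dropped from the conformance workflow in this same commit, every chainsaw test now runs against one shared kind cluster, so a leftover namespace carrying `kyverno.tess.io/mutateresource=false` can bleed into later tests and a re-run of this one fails on step-01 because the namespace already exists. Adding a `cleanup:` block to step-01 with `- script:` and `content: kubectl delete ns ns-1 --ignore-not-found` keeps the cluster state scoped to this test.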
|
@ -0,0 +1,24 @@
|
|||
apiVersion: kyverno.io/v2beta1
|
||||
kind: PolicyException
|
||||
metadata:
|
||||
name: exception
|
||||
spec:
|
||||
background: false
|
||||
exceptions:
|
||||
- policyName: require-run-as-non-root-user
|
||||
ruleNames:
|
||||
- run-as-non-root-user
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchExpressions:
|
||||
- key: kyverno.tess.io/mutateresource
|
||||
operator: In
|
||||
values:
|
||||
- "false"
|
||||
kinds:
|
||||
- Pod
|
||||
operations:
|
||||
- UPDATE
|
||||
- CREATE
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: test-pod
|
||||
namespace: ns-1
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
||||
# Grant necessary permissions using SecurityContext (optional)
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: "1Gi"
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: require-run-as-non-root-user
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
rules:
|
||||
- name: run-as-non-root-user
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
validate:
|
||||
message: >-
|
||||
Running the container as root user is not allowed.
|
||||
pattern:
|
||||
spec:
|
||||
=(securityContext):
|
||||
=(runAsUser): ">0"
|
||||
=(ephemeralContainers):
|
||||
- =(securityContext):
|
||||
=(runAsUser): ">0"
|
||||
=(initContainers):
|
||||
- =(securityContext):
|
||||
=(runAsUser): ">0"
|
||||
containers:
|
||||
- =(securityContext):
|
||||
=(runAsUser): ">0"
|