fix: add error check in jmespath type conversion in context variables (#10152)
* fix: add error check in jmespath type conversion in context variables Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix(lint): new line in tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: properly update path variable Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: remove log statement Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
This commit is contained in:
parent
5d50022f43
commit
c403a498a3
6 changed files with 91 additions and 1 deletions
|
@ -53,7 +53,11 @@ func (vl *variableLoader) loadVariable() (err error) {
|
|||
if err != nil {
|
||||
return fmt.Errorf("failed to substitute variables in context entry %s %s: %v", entry.Name, entry.Variable.JMESPath, err)
|
||||
}
|
||||
path = jp.(string)
|
||||
var ok bool
|
||||
path, ok = jp.(string)
|
||||
if !ok {
|
||||
return fmt.Errorf("jmespath value must be a string %s %s: %v", entry.Name, entry.Variable.JMESPath, err)
|
||||
}
|
||||
logger.V(4).Info("evaluated jmespath", "variable name", entry.Name, "jmespath", path)
|
||||
}
|
||||
|
||||
|
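Review bot: The error returned on the new `if !ok` branch formats `err` with `%v`, but on this branch `err` is necessarily nil (the `if err != nil` check directly above has already returned), so the message always ends in `: <nil>` — the `($stderr)` assertion added in this commit's chainsaw-test.yaml even pins that text (`}}: <nil>'`). Report the offending type instead so the message is actionable: `return fmt.Errorf("jmespath value must be a string, got %T for %s %s", jp, entry.Name, entry.Variable.JMESPath)`; printing `%T` rather than `jp` itself keeps the resolved value, which may originate from the admission request, out of the error surfaced to the requester. The `($stderr)` check in the new chainsaw-test.yaml would need to change to match. The enclosing `loadVariable` continues outside the hunk, so I am assuming `path` is declared earlier in it; the `var ok bool` plus `=` assignment correctly avoids shadowing it.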
|
|
@ -0,0 +1,7 @@
|
|||
## Description
|
||||
|
||||
This test ensures that invalid jmespath in variables cause error and not panic.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
The pod should be blocked
|
|
@ -0,0 +1,30 @@
|
|||
apiVersion: chainsaw.kyverno.io/v1alpha1
|
||||
kind: Test
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: variable-substitution-failure-messages
|
||||
spec:
|
||||
steps:
|
||||
- name: step-01
|
||||
try:
|
||||
- apply:
|
||||
file: policy.yaml
|
||||
- assert:
|
||||
file: policy-assert.yaml
|
||||
- name: step-02
|
||||
try:
|
||||
- script:
|
||||
content: kubectl apply -f pod.yaml
|
||||
check:
|
||||
($error != null): true
|
||||
# This check ensures the contents of stderr are exactly as shown.
|
||||
($stderr): |-
|
||||
Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
|
||||
|
||||
resource Pod/default/test was blocked due to the following policies
|
||||
|
||||
test-panic:
|
||||
test-panic: 'failed to check deny conditions: failed to substitute variables in
|
||||
condition key: failed to resolve image at path : jmespath value must be a string
|
||||
image {{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[]
|
||||
}}: <nil>'
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
run: test
|
||||
name: test
|
||||
spec:
|
||||
containers:
|
||||
- image: nginx
|
||||
name: test
|
||||
resources: {}
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: Always
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-panic
|
||||
status:
|
||||
conditions:
|
||||
- reason: Succeeded
|
||||
status: "True"
|
||||
type: Ready
|
|
@ -0,0 +1,26 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: test-panic
|
||||
spec:
|
||||
validationFailureAction: Enforce
|
||||
background: true
|
||||
rules:
|
||||
- name: test-panic
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
context:
|
||||
- name: image
|
||||
variable:
|
||||
jmesPath: '{{ request.object.spec.[containers,initContainers, ephemeralContainers][].image[] }}'
|
||||
validate:
|
||||
deny:
|
||||
conditions:
|
||||
all:
|
||||
- key: "{{ image }}"
|
||||
operator: AnyNotIn
|
||||
value:
|
||||
- "ghcr.io/kyverno/test-verify-image:signed"
|