mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-05 15:37:19 +00:00
Code Activity

fix: update KeysAreMissing() to ignore negations in resource (#8953) (#8982)

Browse source 
* fix: update KeysAreMissing() to ignore negations in resource

KeysAreMissing() checks if a key is missing in a resource, since a negation should not be present in the resource, it should not count as a missing key



* feat: add tests



* fix: pod is supposed to fail



---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
This commit is contained in:
gcp-cherry-pick-bot[bot] 2023-11-22 13:53:00 +00:00 committed by GitHub
parent 26c89504bc
commit c86039d460
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 67 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
pkg/engine/anchor/anchormap.go
View file

@ -18,8 +18,12 @@ func NewAnchorMap() *AnchorMap {
// if any of (key)=false then return KeysAreMissing() as true // if any of (key)=false then return KeysAreMissing() as true
// if all the keys exists in the pattern exists in resource then return KeysAreMissing() as false // if all the keys exists in the pattern exists in resource then return KeysAreMissing() as false
func (ac *AnchorMap) KeysAreMissing() bool { func (ac *AnchorMap) KeysAreMissing() bool {
for _, v := range ac.anchorMap { for k, v := range ac.anchorMap {
if !v { if !v {
// Negations should not be present in the resource so they count as missing.
if a := Parse(k); IsNegation(a) {
continue
}
return true return true
} }
} }

6
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/01-policy.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- policy.yaml
assert:
- policy-assert.yaml

5
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/02-pod.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kuttl.dev/v1beta1
kind: TestStep
apply:
- file: pod.yaml
shouldFail: true

11
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/README.md Normal file
View file

@ -0,0 +1,11 @@
## Description
This test verifies that when failurePolicy is set to to Ignore for a policy that was set to Enforce, Admission webhook denies requests when validation of a resource fails. The error should not get consumed by ignore failurePolicy
## Expected Behavior
The pod should be not created.
## Reference Issue(s)
https://github.com/kyverno/kyverno/issues/8916

12
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/pod.yaml Normal file
View file

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: disallow-annotations-example
namespace: default
annotations:
kyverno-policies-test/key: disallowed
spec:
containers:
- name: example
image: busybox
args: ["sleep", "infinity"]

4
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy-assert.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-annotations

24
test/conformance/kuttl/validate/clusterpolicy/standard/enforce/failure-policy-ignore-anchor/policy.yaml Normal file
View file

@ -0,0 +1,24 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-annotations
spec:
background: true
failurePolicy: Ignore
rules:
- match:
all:
- resources:
kinds:
- Pod
name: disallow-annotations
validate:
message: One or more annotations is not allowed per the policies disallowed
values list.
pattern:
metadata:
=(annotations):
=(kyverno-policies-test/key): '!disallowed'
X(kyverno-policies-test/disallowed): "null"
validationFailureAction: Enforce
webhookTimeoutSeconds: 30