diff --git a/pkg/engine/jsonContext.go b/pkg/engine/jsonContext.go
index b49bd7f305..a42417a481 100644
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@@ -20,7 +20,19 @@ func LoadContext(logger logr.Logger, contextEntries []kyvernov1.ContextEntry, ct
 policyName := ctx.Policy.GetName()
 if store.GetMock() {
+ rule := store.GetPolicyRuleFromContext(policyName, ruleName)
+ if rule != nil && len(rule.Values) > 0 {
+ variables := rule.Values
+ for key, value := range variables {
+ if err := ctx.JSONContext.AddVariable(key, value); err != nil {
+ return err
+ }
+ }
+ }
+
 hasRegistryAccess := store.GetRegistryAccess()
+
+ // Context Variable should be loaded after the values loaded from values file
 for _, entry := range contextEntries {
 if entry.ImageRegistry != nil && hasRegistryAccess {
 if err := loadImageData(logger, entry, ctx); err != nil {
@@ -32,15 +44,6 @@ func LoadContext(logger logr.Logger, contextEntries []kyvernov1.ContextEntry, ct
 }
 }
 }
- rule := store.GetPolicyRuleFromContext(policyName, ruleName)
- if rule != nil && len(rule.Values) > 0 {
- variables := rule.Values
- for key, value := range variables {
- if err := ctx.JSONContext.AddVariable(key, value); err != nil {
- return err
- }
- }
- }
 if rule != nil && len(rule.ForeachValues) > 0 {
 for key, value := range rule.ForeachValues {
diff --git a/test/cli/test/unordered-context-variables/kyverno-test.yaml b/test/cli/test/unordered-context-variables/kyverno-test.yaml
new file mode 100644
index 0000000000..0061a84d2e
--- /dev/null
+++ b/test/cli/test/unordered-context-variables/kyverno-test.yaml
@@ -0,0 +1,12 @@
+name: chained-variables
+policies:
+ - policy.yaml
+resources:
+ - resource.yaml
+variables: variables.yaml
+results:
+- policy: deny-something
+ rule: deny-everything
+ resource: valid-pod
+ kind: Pod
+ result: pass
\ No newline at end of file
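Review bot: Moving the `rule.Values` loop ahead of the context-entry loop inverts the precedence between the two sources in mock mode: a context entry whose name collides with a key from the values file is now added last, so it presumably overwrites the values-file entry via AddVariable, whereas before the values file had the final say. If that is the intended contract (so that an entry such as `variable.jmesPath` can reference a values-file key), the new comment should state it rather than only the ordering, e.g. `// Values-file entries are loaded first so context entries can reference them; a context entry with the same name takes precedence.` The `variables := rule.Values` alias on the added lines is redundant, `for key, value := range rule.Values {` reads the same and matches the ForeachValues loop in the second hunk. The new fixture under test/cli/test/unordered-context-variables covers the chaining case but not a name collision, so the precedence change is unverified by the test. LoadContext's body continues outside both hunks.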
diff --git a/test/cli/test/unordered-context-variables/policy.yaml b/test/cli/test/unordered-context-variables/policy.yaml
new file mode 100644
index 0000000000..a710c6d2d3
--- /dev/null
+++ b/test/cli/test/unordered-context-variables/policy.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: deny-something
+spec:
+ validationFailureAction: enforce
+ rules:
+ - name: deny-everything
+ context:
+ - name: varA
+ configMap:
+ name: kyverno-context-vars
+ namespace: default
+ - name: varB
+ variable:
+ jmesPath: varA.data.ValueOfB
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: >-
+ Sharing the host namespaces is not allowed. The fields spec.hostNetwork,
+ spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+ pattern:
+ spec:
+ =(hostPID): false
+ =(hostIPC): false
\ No newline at end of file
diff --git a/test/cli/test/unordered-context-variables/resource.yaml b/test/cli/test/unordered-context-variables/resource.yaml
new file mode 100644
index 0000000000..372eb0b037
--- /dev/null
+++ b/test/cli/test/unordered-context-variables/resource.yaml
@@ -0,0 +1,11 @@
+kind: Pod
+apiVersion: v1
+metadata:
+ name: valid-pod
+ namespace: test
+ labels:
+ app: whatever
+spec:
+ containers:
+ - name: app
+ image: 'myorg/whatever:1.0.0'
\ No newline at end of file
diff --git a/test/cli/test/unordered-context-variables/variables.yaml b/test/cli/test/unordered-context-variables/variables.yaml
new file mode 100644
index 0000000000..6dd5935aa9
--- /dev/null
+++ b/test/cli/test/unordered-context-variables/variables.yaml
@@ -0,0 +1,7 @@
+policies:
+ - name: deny-something
+ rules:
+ - name: deny-everything
+ values:
+ varA.data.ValueOfB: "something"
+ # request.namespace: kyverno
\ No newline at end of file