Context vars substitution in CLI (#4290)

* context variables substitution will be independent of sequence Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> * Added test cases Signed-off-by: viveksahu26 <vivekkumarsahu650@gmail.com> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com>
2025-03-31 03:45:17 +00:00 · 2022-08-09 11:18:57 +05:30 · 2022-08-09 11:18:57 +05:30 · c95bb74992
commit c95bb74992
parent 94c60598af
5 changed files with 70 additions and 9 deletions
--- a/pkg/engine/jsonContext.go
+++ b/pkg/engine/jsonContext.go
@ -20,7 +20,19 @@ func LoadContext(logger logr.Logger, contextEntries []kyvernov1.ContextEntry, ct

 	policyName := ctx.Policy.GetName()
 	if store.GetMock() {
+		rule := store.GetPolicyRuleFromContext(policyName, ruleName)
+		if rule != nil && len(rule.Values) > 0 {
+			variables := rule.Values
+			for key, value := range variables {
+				if err := ctx.JSONContext.AddVariable(key, value); err != nil {
+					return err
+				}
+			}
+		}
+
 		hasRegistryAccess := store.GetRegistryAccess()
+
+		// Context Variable should be loaded after the values loaded from values file
 		for _, entry := range contextEntries {
 			if entry.ImageRegistry != nil && hasRegistryAccess {
 				if err := loadImageData(logger, entry, ctx); err != nil {
@ -32,15 +44,6 @@ func LoadContext(logger logr.Logger, contextEntries []kyvernov1.ContextEntry, ct
 				}
 			}
 		}
-		rule := store.GetPolicyRuleFromContext(policyName, ruleName)
-		if rule != nil && len(rule.Values) > 0 {
-			variables := rule.Values
-			for key, value := range variables {
-				if err := ctx.JSONContext.AddVariable(key, value); err != nil {
-					return err
-				}
-			}
-		}

 		if rule != nil && len(rule.ForeachValues) > 0 {
 			for key, value := range rule.ForeachValues {
--- a/test/cli/test/unordered-context-variables/kyverno-test.yaml
+++ b/test/cli/test/unordered-context-variables/kyverno-test.yaml
@ -0,0 +1,12 @@
+name: chained-variables
+policies:
+  - policy.yaml
+resources:
+  - resource.yaml
+variables: variables.yaml
+results:
+- policy: deny-something
+  rule: deny-everything
+  resource: valid-pod
+  kind: Pod
+  result: pass
--- a/test/cli/test/unordered-context-variables/policy.yaml
+++ b/test/cli/test/unordered-context-variables/policy.yaml
@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-something
+spec:
+  validationFailureAction: enforce
+  rules:
+    - name: deny-everything
+      context:
+      - name: varA
+        configMap:
+          name: kyverno-context-vars
+          namespace: default
+      - name: varB
+        variable:
+          jmesPath: varA.data.ValueOfB
+      match:
+        resources:
+          kinds:
+            - Pod
+      validate:
+        message: >-
+          Sharing the host namespaces is not allowed. The fields spec.hostNetwork,
+          spec.hostIPC, and spec.hostPID must be unset or set to `false`.
+        pattern:
+          spec:
+            =(hostPID): false
+            =(hostIPC): false
--- a/test/cli/test/unordered-context-variables/resource.yaml
+++ b/test/cli/test/unordered-context-variables/resource.yaml
@ -0,0 +1,11 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: valid-pod
+  namespace: test
+  labels:
+    app: whatever
+spec:
+  containers:
+    - name: app
+      image: 'myorg/whatever:1.0.0'
--- a/test/cli/test/unordered-context-variables/variables.yaml
+++ b/test/cli/test/unordered-context-variables/variables.yaml
@ -0,0 +1,7 @@
+policies:
+  - name: deny-something
+    rules:
+      - name: deny-everything
+        values:
+          varA.data.ValueOfB: "something"
+          # request.namespace: kyverno