fix: set all operations by default in the generated VAP (#10100)

* fix: set all operations by default in the generated VAP Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix chainsaw test Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-28 02:18:15 +00:00 · 2024-08-02 17:12:42 +03:00 · 2024-08-02 17:12:42 +03:00 · ce7e570268
commit ce7e570268
parent 9d28116eb4
12 changed files with 136 additions and 1 deletions
--- a/pkg/validatingadmissionpolicy/builder.go
+++ b/pkg/validatingadmissionpolicy/builder.go
@ -295,6 +295,8 @@ func translateOperations(operations []string) []admissionregistrationv1.Operatio
 	if len(vapOperations) == 0 {
 		vapOperations = append(vapOperations, admissionregistrationv1.Create)
 		vapOperations = append(vapOperations, admissionregistrationv1.Update)
+		vapOperations = append(vapOperations, admissionregistrationv1.Connect)
+		vapOperations = append(vapOperations, admissionregistrationv1.Delete)
 	}
 	return vapOperations
 }
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-ephemeral-containers/policy.yaml
@ -12,6 +12,9 @@ spec:
      - resources:
          kinds:
            - Pod
+          operations:
+            - CREATE
+            - UPDATE
    validate:
      cel:
        expressions:
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/chainsaw-test.yaml
@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: block-exec-in-pods
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ns.yaml
+  - name: step-02
+    try:
+    - script:
+        content: kubectl run my-pod --image nginx -n pci
+  - name: step-03
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-04
+    try:
+    - assert:
+        file: validatingadmissionpolicy.yaml
+    - assert:
+        file: validatingadmissionpolicybinding.yaml
+  - name: step-05
+    try:
+    - sleep:
+        duration: 3s
+  - name: step-06
+    try:
+    - script:
+        content: kubectl exec my-pod -n pci -- ls
+        check:  
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          (trim_space($stderr)): |-
+            The pods "my-pod" is invalid: : ValidatingAdmissionPolicy 'deny-exec-by-namespace-name' with binding 'deny-exec-by-namespace-name-binding' denied request: Pods in this namespace may not be exec'd into.
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/ns.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pci
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy-assert.yaml
@ -0,0 +1,10 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-exec-by-namespace-name
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/policy.yaml
@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: deny-exec-by-namespace-name
+spec:
+  validationFailureAction: Enforce
+  background: false
+  rules:
+  - name: deny-exec-ns-pci
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod/exec
+    celPreconditions:
+      - name: "operation-should-be-connect"
+        expression: "request.operation == 'CONNECT'"
+    validate:
+      cel:
+        expressions:
+          - expression: "request.namespace != 'pci'"
+            message: Pods in this namespace may not be exec'd into.
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicy.yaml
@ -0,0 +1,32 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: deny-exec-by-namespace-name
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: deny-exec-by-namespace-name
+spec:
+  failurePolicy: Fail
+  matchConditions:
+  - expression: request.operation == 'CONNECT'
+    name: operation-should-be-connect
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - ""
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      - CONNECT
+      - DELETE
+      resources:
+      - pods/exec
+      scope: '*'
+  validations:
+  - expression: request.namespace != 'pci'
+    message: Pods in this namespace may not be exec'd into.
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/block-exec-in-pods/validatingadmissionpolicybinding.yaml
@ -0,0 +1,14 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: deny-exec-by-namespace-name-binding
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: deny-exec-by-namespace-name
+spec:
+  policyName: deny-exec-by-namespace-name
+  validationActions:
+  - Deny
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-exclude-namespace-match-resource/policy.yaml
@ -21,6 +21,9 @@ spec:
            namespaces:
            - testing-ns
            - staging-ns
+            operations:
+            - CREATE
+            - UPDATE
      validate:
        cel:
          expressions:
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-any-match-resources-by-names/policy.yaml
@ -14,6 +14,9 @@ spec:
            - Deployment
            names: 
            - "staging"
+            operations:
+            - CREATE
+            - UPDATE
      validate:
        cel:
          expressions:
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-all-exclude-one/chainsaw-test.yaml
@ -2,7 +2,7 @@ apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
  creationTimestamp: null
-  name: cpol-match-kind-with-wildcard
+  name: cpol-match-all-exclude-one
 spec:
  steps:
  - name: step-01
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/generate/cpol-match-kind-with-wildcard/validatingadmissionpolicy.yaml
@ -26,6 +26,8 @@ spec:
      operations:
      - CREATE
      - UPDATE
+      - CONNECT
+      - DELETE
      resources:
      - '*'
  validations: