From cf28c6480ff581a346442d31c96be0ff46ab59af Mon Sep 17 00:00:00 2001
From: Ved Ratan <82467006+VedRatan@users.noreply.github.com>
Date: Fri, 2 Jun 2023 19:23:38 +0530
Subject: [PATCH] Fix: [Bug] The default field in a context variable does not replace nil results (#7251)
* fixed the bug Signed-off-by: Ved Ratan * added tests Signed-off-by: Ved Ratan * added assertion Signed-off-by: Ved Ratan * fixed tests Signed-off-by: Ved Ratan * fix Signed-off-by: Ved Ratan * fix Signed-off-by: Ved Ratan * removed redundant code Signed-off-by: Ved Ratan * added assert Signed-off-by: Ved Ratan --------- Signed-off-by: Ved Ratan
---
 pkg/engine/api/context.go | 5 +++-
 .../00-policy.yaml | 6 +++++
 .../mutate-using-default-context/01-pod.yaml | 7 +++++
 .../mutate-using-default-context/README.md | 11 ++++++++
 .../pod-assert.yaml | 12 +++++++++
 .../mutate-using-default-context/pod.yaml | 11 ++++++++
 .../policy-assert.yaml | 9 +++++++
 .../mutate-using-default-context/policy.yaml | 27 +++++++++++++++++++
 8 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml
 create mode 100644 test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml
diff --git a/pkg/engine/api/context.go b/pkg/engine/api/context.go
index 0091ad8c8c..e45aa5dd24 100644
--- a/pkg/engine/api/context.go
+++ b/pkg/engine/api/context.go
@@ -27,6 +27,7 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 logger.V(4).Info("evaluated jmespath", "variable name", entry.Name, "jmespath", path)
 }
 var defaultValue interface{} = nil
+
 if entry.Variable.Default != nil {
 value, err := variables.DocumentToUntyped(entry.Variable.Default)
 if err != nil {
@@ -58,7 +59,9 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 } else {
 if path != "" {
 if variable, err := ctx.Query(path); err == nil {
- output = variable
+ if variable != nil {
+ output = variable
+ }
 } else if defaultValue == nil {
 return fmt.Errorf("failed to apply jmespath %s to variable %v", path, err)
 }
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml
new file mode 100644
index 0000000000..b20ef0bd7d
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml
new file mode 100644
index 0000000000..9cd8cc3c1b
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml
@@ -0,0 +1,7 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pod.yaml
+ shouldFail: false
+assert:
+- pod-assert.yaml
\ No newline at end of file
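Review bot: The new `if variable != nil` guard in the second hunk makes a nil JMESPath result fall through silently, so from the logs a policy author cannot tell whether `{{podName}}` carries a queried value or the configured default; the first hunk already logs at V(4) when the path is evaluated, so an `else` branch here with `logger.V(4).Info("jmespath result is nil, keeping default", "variable name", entry.Name, "jmespath", path)` would make the fallback observable at the same verbosity. The fix also presumes `output` already holds `defaultValue` by the time the query returns nil — that assignment is outside the hunk, so a one-line comment on the guard such as `// nil result: keep the default already assigned to output` would make the dependency explicit. The neighbouring `else if defaultValue == nil` branch drops the query error whenever a default exists; that is pre-existing, but with this change a broken expression and a legitimately empty result now both satisfy the `Equals empty` precondition in the added kuttl policy, which is another reason to log the fallback. LoadVariable begins and ends outside the hunk, and no Go unit test for the nil-result path accompanies the kuttl fixtures.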
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md
new file mode 100644
index 0000000000..71a15821b2
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test checks that the `default` field in a context variable should replace nil results in mutateExisting policies.
+
+## Expected Behavior
+
+With the mutateExisting policy, the context variable `podName` will assume the value of `empty` since there is no pod whose name is starting with `good-`, and the pod should get created as preconditions matching as the value of the variable is set to default which is `empty` is equal to `empty`.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7148
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml
new file mode 100644
index 0000000000..878c824de5
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: 'bad-box'
+ labels:
+ foo: bar
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox:latest
+ command: ["sleep", "9999"]
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml
new file mode 100644
index 0000000000..524dde67e6
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: 'bad-box'
+spec:
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox:latest
+ command: ["sleep", "9999"]
+
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml
new file mode 100644
index 0000000000..b0bac17455
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pod-add-labels
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file
diff --git a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml
new file mode 100644
index 0000000000..6cf9e5ee3b
--- /dev/null
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pod-add-labels
+spec:
+ rules:
+ - name: foo
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ context:
+ - name: podName
+ variable:
+ jmesPath: request.object.metadata.name[?starts_with(@, 'good-')] | [0]
+ default: empty
+ preconditions:
+ all:
+ - key: "{{podName}}"
+ operator: Equals
+ value: empty
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ +(foo): bar
\ No newline at end of file