Fix: [Bug] The default field in a context variable does not replace nil results (#7251)

* fixed the bug Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added assertion Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fixed tests Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * fix Signed-off-by: Ved Ratan <vedratan8@gmail.com> * removed redundant code Signed-off-by: Ved Ratan <vedratan8@gmail.com> * added assert Signed-off-by: Ved Ratan <vedratan8@gmail.com> --------- Signed-off-by: Ved Ratan <vedratan8@gmail.com>
2025-03-31 03:45:17 +00:00 · 2023-06-02 19:23:38 +05:30 · 2023-06-02 19:23:38 +05:30 · cf28c6480f
commit cf28c6480f
parent 4d5f832d01
8 changed files with 87 additions and 1 deletions
--- a/pkg/engine/api/context.go
+++ b/pkg/engine/api/context.go
@ -27,6 +27,7 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 		logger.V(4).Info("evaluated jmespath", "variable name", entry.Name, "jmespath", path)
 	}
 	var defaultValue interface{} = nil
 	if entry.Variable.Default != nil {
 		value, err := variables.DocumentToUntyped(entry.Variable.Default)
 		if err != nil {
@ -58,7 +59,9 @@ func LoadVariable(logger logr.Logger, jp jmespath.Interface, entry kyvernov1.Con
 	} else {
 		if path != "" {
 			if variable, err := ctx.Query(path); err == nil {
-				output = variable
+				if variable != nil {
 					output = variable
 				}
 			} else if defaultValue == nil {
 				return fmt.Errorf("failed to apply jmespath %s to variable %v", path, err)
 			}
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/00-policy.yaml
@ -0,0 +1,6 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - policy.yaml
 assert:
 - policy-assert.yaml
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/01-pod.yaml
@ -0,0 +1,7 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 apply:
 - file: pod.yaml
  shouldFail: false
 assert:
 - pod-assert.yaml
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/README.md
@ -0,0 +1,11 @@
 ## Description
 This test checks that the `default` field in a context variable should replace nil results in mutateExisting policies.
 ## Expected Behavior
 With the mutateExisting policy, the context variable `podName` will assume the value of `empty` since there is no pod whose name is starting with `good-`, and the pod should get created as preconditions matching as the value of the variable is set to default which is `empty` is equal to  `empty`.
 ## Reference Issue(s)
 https://github.com/kyverno/kyverno/issues/7148
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod-assert.yaml
@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: 'bad-box'
  labels:
    foo: bar
 spec:
  automountServiceAccountToken: false
  containers:
  - name: busybox
    image: busybox:latest
    command: ["sleep", "9999"]
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/pod.yaml
@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: 'bad-box'
 spec:
  automountServiceAccountToken: false
  containers:
  - name: busybox
    image: busybox:latest
    command: ["sleep", "9999"]
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy-assert.yaml
@ -0,0 +1,9 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: pod-add-labels
 status:
  conditions:
  - reason: Succeeded
    status: "True"
    type: Ready
--- a/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml
+++ b/test/conformance/kuttl/mutate/clusterpolicy/cornercases/mutate-using-default-context/policy.yaml
@ -0,0 +1,27 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: pod-add-labels
 spec:
  rules:
  - name: foo
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
    - name: podName
      variable:
        jmesPath: request.object.metadata.name[?starts_with(@, 'good-')] | [0]
        default: empty
    preconditions:
     all:
      - key: "{{podName}}"
        operator: Equals
        value: empty
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            +(foo): bar