From d03ad5deb189b886c3e814cde8d16d352e6feda1 Mon Sep 17 00:00:00 2001
From: shuting
Date: Fri, 3 Feb 2023 23:22:11 +0800
Subject: [PATCH] fix ns selector (#6216)

Signed-off-by: ShutingZhao
---
 .../resource/validation/validation.go | 8 ++--
 .../namespaceselector/01-policy.yaml | 6 +++
 .../admission/namespaceselector/02-pod.yaml | 6 +++
 .../namespaceselector/03-report.yaml | 6 +++
 .../admission/namespaceselector/README.md | 8 ++++
 .../admission/namespaceselector/pods.yaml | 19 ++++++++++
 .../namespaceselector/policy-assert.yaml | 9 +++++
 .../admission/namespaceselector/policy.yaml | 38 +++++++++++++++++++
 .../namespaceselector/report-expected.yaml | 14 +++++++
 .../namespaceselector/report-unexpected.yaml | 5 +++
 10 files changed, 116 insertions(+), 3 deletions(-)
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/01-policy.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/02-pod.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/03-report.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/README.md
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/pods.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/policy-assert.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/policy.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/report-expected.yaml
 create mode 100644 test/conformance/kuttl/reports/admission/namespaceselector/report-unexpected.yaml
diff --git a/pkg/webhooks/resource/validation/validation.go b/pkg/webhooks/resource/validation/validation.go
index 6e74c6b642..c923bce037 100644
--- a/pkg/webhooks/resource/validation/validation.go
+++ b/pkg/webhooks/resource/validation/validation.go
@@ -140,7 +140,7 @@ func (v *validationHandler) HandleValidation(
 		return false, webhookutils.GetBlockedMessages(engineResponses), nil
 	}
-	go v.handleAudit(ctx, policyContext.NewResource(), request, engineResponses...)
+	go v.handleAudit(ctx, policyContext.NewResource(), request, policyContext.NamespaceLabels(), engineResponses...)
 	warnings := webhookutils.GetWarningMessages(engineResponses)
 	return true, "", warnings
@@ -150,6 +150,7 @@ func (v *validationHandler) buildAuditResponses(
 	ctx context.Context,
 	resource unstructured.Unstructured,
 	request *admissionv1.AdmissionRequest,
+	namespaceLabels map[string]string,
 ) ([]*engineapi.EngineResponse, error) {
 	policies := v.pCache.GetPolicies(policycache.ValidateAudit, request.Kind.Kind, request.Namespace)
 	policyContext, err := v.pcBuilder.Build(request)
@@ -163,7 +164,7 @@ func (v *validationHandler) buildAuditResponses(
 			"pkg/webhooks/resource/validate",
 			fmt.Sprintf("POLICY %s/%s", policy.GetNamespace(), policy.GetName()),
 			func(ctx context.Context, span trace.Span) {
-				policyContext := policyContext.WithPolicy(policy)
+				policyContext := policyContext.WithPolicy(policy).WithNamespaceLabels(namespaceLabels)
 				responses = append(responses, v.engine.Validate(ctx, policyContext))
 			},
 		)
@@ -175,6 +176,7 @@ func (v *validationHandler) handleAudit(
 	ctx context.Context,
 	resource unstructured.Unstructured,
 	request *admissionv1.AdmissionRequest,
+	namespaceLabels map[string]string,
 	engineResponses ...*engineapi.EngineResponse,
 ) {
 	if !v.admissionReports {
@@ -196,7 +198,7 @@ func (v *validationHandler) handleAudit(
 			"",
 			fmt.Sprintf("AUDIT %s %s", request.Operation, request.Kind),
 			func(ctx context.Context, span trace.Span) {
-				responses, err := v.buildAuditResponses(ctx, resource, request)
+				responses, err := v.buildAuditResponses(ctx, resource, request, namespaceLabels)
 				if err != nil {
 					v.log.Error(err, "failed to build audit responses")
 				}
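Review bot: The new `namespaceLabels` parameter on `buildAuditResponses` (hunk -150) and `handleAudit` (hunk -175) carries no comment saying where the labels come from or why they are threaded through instead of being re-read inside the audit goroutine; I would add `// namespaceLabels are the labels of the request's namespace as captured by the synchronous admission path, so audit-mode namespaceSelector evaluation sees the same namespace state.` above each new parameter line. In the -140 hunk the map returned by `policyContext.NamespaceLabels()` is handed to the `go v.handleAudit(...)` goroutine; if that accessor returns the context's internal map rather than a copy, the goroutine shares it with the caller, which looks harmless here because `HandleValidation` returns right after, but is worth confirming. Both enclosing functions start and end outside their hunks.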
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/01-policy.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/01-policy.yaml
new file mode 100644
index 0000000000..b088ed7601
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/01-policy.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- policy.yaml
+assert:
+- policy-assert.yaml
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/02-pod.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/02-pod.yaml
new file mode 100644
index 0000000000..217f5f5e94
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/02-pod.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+apply:
+- file: pods.yaml
+assert:
+- pods.yaml
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/03-report.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/03-report.yaml
new file mode 100644
index 0000000000..50645a20cc
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/03-report.yaml
@@ -0,0 +1,6 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+assert:
+- report-expected.yaml
+error:
+- report-unexpected.yaml
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/README.md b/test/conformance/kuttl/reports/admission/namespaceselector/README.md
new file mode 100644
index 0000000000..7f4781ff0a
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/README.md
@@ -0,0 +1,8 @@
+## Description
+
+This test validate the reporting ability for a audit policy with the `namespaceSelector` defined.
+
+## Expected Behavior
+
+A policy report should be created for the pod `test-audit-reports-namespacesselector/audit-pod`, but not for `test-non-audit-reports-namespacesselector/non-audit-pod` as the namespace selector doesn't match.
+
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/pods.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/pods.yaml
new file mode 100644
index 0000000000..aed13ee341
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/pods.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: audit-pod
+  namespace: test-audit-reports-namespacesselector
+spec:
+  containers:
+  - image: nginx:latest
+    name: audit-pod
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: non-audit-pod
+  namespace: test-non-audit-reports-namespacesselector
+spec:
+  containers:
+  - image: nginx:latest
+    name: non-audit-pod
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/policy-assert.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/policy-assert.yaml
new file mode 100644
index 0000000000..203bc8ee93
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-audit-reports-namespacesselector
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/policy.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/policy.yaml
new file mode 100644
index 0000000000..16f853fdeb
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/policy.yaml
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: test-audit-reports-namespacesselector
+  annotations:
+    pod-policies.kyverno.io/autogen-controllers: none
+spec:
+  background: false
+  mutateExistingOnPolicyUpdate: false
+  validationFailureAction: Audit
+  rules:
+  - name: test-audit-reports-namespacesselector
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          namespaceSelector:
+            matchExpressions:
+            - key: org
+              operator: Exists
+    validate:
+      pattern:
+        metadata:
+          annotations:
+            validate: namespaceselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    org: kyverno-test
+  name: test-audit-reports-namespacesselector
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: test-non-audit-reports-namespacesselector
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/report-expected.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/report-expected.yaml
new file mode 100644
index 0000000000..f61e29d92a
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/report-expected.yaml
@@ -0,0 +1,14 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  name: cpol-test-audit-reports-namespacesselector
+  namespace: test-audit-reports-namespacesselector
+results:
+- policy: test-audit-reports-namespacesselector
+  resources:
+  - apiVersion: v1
+    kind: Pod
+    name: audit-pod
+    namespace: test-audit-reports-namespacesselector
+  result: fail
+  rule: test-audit-reports-namespacesselector
diff --git a/test/conformance/kuttl/reports/admission/namespaceselector/report-unexpected.yaml b/test/conformance/kuttl/reports/admission/namespaceselector/report-unexpected.yaml
new file mode 100644
index 0000000000..aa9bf047ae
--- /dev/null
+++ b/test/conformance/kuttl/reports/admission/namespaceselector/report-unexpected.yaml
@@ -0,0 +1,5 @@
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  name: cpol-test-audit-reports-namespacesselector
+  namespace: test-non-nonaudit-reports-namespacesselector
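Review bot: The namespace on the last line of this `error:` fixture, `test-non-nonaudit-reports-namespacesselector`, does not match the namespace the non-matching pod is created in (`test-non-audit-reports-namespacesselector` in pods.yaml and policy.yaml), so the negative assertion looks for a report in a namespace that never exists and passes vacuously. A report wrongly generated for `non-audit-pod` would therefore not fail step 03, which is the very regression this fix is meant to cover. Change the line to `  namespace: test-non-audit-reports-namespacesselector`.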