Fix :variables are not getting processed in validation message for "anyPattern" (#9713)

* Update validate_resource.go Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Create pod.yaml Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Create chainsaw-test.yaml Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Create policy.yaml Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update validate_resource.go Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * test Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * test Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * test Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * test Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update chainsaw-test.yaml Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Create README.md Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/README.md Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/README.md Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> * Update test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/README.md Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com> Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> --------- Signed-off-by: mohamedasifs123 <142201466+mohamedasifs123@users.noreply.github.com> Co-authored-by: Mariam Fahmy <mariamfahmy66@gmail.com>
2025-03-05 07:26:55 +00:00 · 2024-02-21 12:50:43 +05:30 · 2024-02-21 12:50:43 +05:30 · d566e9886c
commit d566e9886c
parent 66f54d8fd6
6 changed files with 128 additions and 8 deletions
--- a/pkg/engine/handlers/validation/validate_resource.go
+++ b/pkg/engine/handlers/validation/validate_resource.go
@ -389,7 +389,7 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *engine
 			}

 			v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", v.rule.Name, errorStr))
-			msg := buildAnyPatternErrorMessage(v.rule, errorStr)
+			msg := v.buildAnyPatternErrorMessage(errorStr)
 			return engineapi.RuleFail(v.rule.Name, engineapi.Validation, msg)
 		}
 	}
@ -440,17 +440,22 @@ func (v *validator) buildErrorMessage(err error, path string) string {
 	}
 }

-func buildAnyPatternErrorMessage(rule kyvernov1.Rule, errors []string) string {
+func (v *validator) buildAnyPatternErrorMessage(errors []string) string {
 	errStr := strings.Join(errors, " ")
-	if rule.Validation.Message == "" {
+	if v.rule.Validation.Message == "" {
 		return fmt.Sprintf("validation error: %s", errStr)
 	}
-
-	if strings.HasSuffix(rule.Validation.Message, ".") {
-		return fmt.Sprintf("validation error: %s %s", rule.Validation.Message, errStr)
+	msgRaw, sErr := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), v.rule.Validation.Message)
+	if sErr != nil {
+		v.log.V(2).Info("failed to substitute variables in message", "error", sErr)
+		return fmt.Sprintf("validation error: variables substitution error in rule %s execution error: %s", v.rule.Name, errStr)
+	} else {
+		msg := msgRaw.(string)
+		if strings.HasSuffix(msg, ".") {
+			return fmt.Sprintf("validation error: %s %s", msg, errStr)
+		}
+		return fmt.Sprintf("validation error: %s. %s", msg, errStr)
 	}
-
-	return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr)
 }

 func (v *validator) substitutePatterns() error {
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/README.md
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/README.md
@ -0,0 +1,11 @@
+## Description
+
+This test ensures that variables are substituted correctly in the validation messages for `anyPattern`.
+
+## Expected Behavior
+
+The variable `allowedUIDs` will be successfully substituted by `9999 | 4000` in the validation message.
+
+## Reference Issue(s)
+
+#8095 
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/chainsaw-test.yaml
@ -0,0 +1,33 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: variable-substitution-failure-messages
+spec:
+  steps:
+  - name: step-01 
+    try: 
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml    
+  - name: step-02  
+    try:  
+    - script:  
+        content: kubectl apply -f pod.yaml  
+        check:  
+          ($error != null): true
+          # This check ensures the contents of stderr are exactly as shown.  
+          ($stderr): |-
+            Error from server: error when creating "pod.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: 
+
+            resource Pod/default/ba was blocked due to the following policies 
+
+            uid-groups-fsgroup-validate:
+              check-runasuser: 'validation error: Running with specific user IDs 9999 | 4000.
+                The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
+                spec.initContainers[*].securityContext.runAsGroup, and spec.ephemeralContainers[*].securityContext.runAsGroup
+                must be set to one of the 9999 | 4000 values. rule check-runasuser[0] failed at
+                path /spec/containers/0/securityContext/runAsUser/ rule check-runasuser[1] failed
+                at path /spec/containers/0/securityContext/runAsUser/'
+       
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/pod.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/pod.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ba
+  labels:
+    app: nginx-users
+spec:
+  securityContext:
+    runAsUser: 115
+  containers:
+    - name: notnginx
+      image: nothingherenginx
+      securityContext:
+        runAsUser: 250
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy-assert.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy-assert.yaml
@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: uid-groups-fsgroup-validate
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
--- a/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml
+++ b/test/conformance/chainsaw/validate/clusterpolicy/cornercases/variable-substitution-failure-messages/policy.yaml
@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: uid-groups-fsgroup-validate
+spec:
+  validationFailureAction: enforce
+  background: true
+  rules:
+    - name: check-runasuser
+      context:
+      - name: allowedUIDs
+        variable:
+          value: "9999 | 4000"
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      validate:
+        message: >-
+          Running with specific user IDs {{ allowedUIDs }}. The fields
+          spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup,
+          spec.initContainers[*].securityContext.runAsGroup, and
+          spec.ephemeralContainers[*].securityContext.runAsGroup must be
+          set to one of the {{ allowedUIDs }} values.
+        anyPattern:
+        - spec:
+            securityContext:
+              runAsUser: "{{ allowedUIDs }}"
+            =(ephemeralContainers):
+              - =(securityContext):
+                  =(runAsUser): "{{ allowedUIDs }}"
+            =(initContainers):
+              - =(securityContext):
+                  =(runAsUser):  "{{ allowedUIDs }}"
+            containers:
+              - =(securityContext):
+                  =(runAsUser): "{{ allowedUIDs }}"
+        - spec:
+            =(ephemeralContainers):
+              - securityContext:
+                  runAsUser: "{{ allowedUIDs }}"
+            =(initContainers):
+              - securityContext:
+                  runAsUser: "{{ allowedUIDs }}"
+            containers:
+              - securityContext:
+                  runAsUser: "{{ allowedUIDs }}"