fix the bugs and add pre-condition checks (#606)

* fix the bugs and add pre-condition checks * add precondition documentation
2025-03-28 02:18:15 +00:00 · 2020-01-13 11:21:14 -08:00 · 2020-01-13 11:21:14 -08:00 · dabe592d46
commit dabe592d46
parent bd538e51bc
3 changed files with 51 additions and 2 deletions
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@ -98,7 +98,6 @@ Example  userName=`system:serviceaccount:nirmata:user1` will store variable valu
 - `serviceAccountNamespace` : extracts the `namespace` of the serviceAccount. 
 Example  userName=`system:serviceaccount:nirmata:user1` will store variable value as `nirmata`.

-
 Examples:

 1. Refer to resource name(type string)
@ -113,5 +112,24 @@ Examples:

 `{{request.object.metadata}}`

+# PreConditions:
+Apart from using `match` & `exclude` conditions on resource to filter which resources to apply the rule on, `preconditions` can be used to define custom filters.
+```yaml
+  - name: generate-owner-role
+    match:
+      resources:
+        kinds:
+        - Namespace
+    preconditions:
+    - key: "{{request.userInfo.username}}"
+      operator: NotEqual
+      value: ""
+```
+In the above example, if the variable `{{request.userInfo.username}}` is blank then we dont apply the rule on resource.
+
+Operators supported:
+- Equal
+- NotEqual
+
 ---
 <small>*Read Next >> [Validate](/documentation/writing-policies-validate.md)*</small>
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@ -33,7 +33,7 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 	// build context
 	ctx := context.NewContext()
 	// load incoming resource into the context
-	// ctx.AddResource(request.Object.Raw)
+	ctx.AddResource(request.Object.Raw)
 	ctx.AddUserInfo(userRequestInfo)
 	// load service account in context
 	ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
--- a/test/policy/generate/variable.yaml
+++ b/test/policy/generate/variable.yaml
@ -6,12 +6,23 @@ metadata:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: Create roles and role bindings for a new namespace
 spec:
+  background: false
  rules:
  - name: generate-owner-role
    match:
      resources:
        kinds:
        - Namespace
+    preconditions:
+    - key: "{{request.userInfo.username}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountName}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountNamespace}}"
+      operator: NotEqual
+      value: ""
    generate:
      kind: ClusterRole
      name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"
@ -30,6 +41,16 @@ spec:
      resources:
        kinds:
        - Namespace
+    preconditions:
+    - key: "{{request.userInfo.username}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountName}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountNamespace}}"
+      operator: NotEqual
+      value: ""
    generate:
      kind: ClusterRoleBinding
      name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"
@ -51,6 +72,16 @@ spec:
      resources:
        kinds:
        - Namespace
+    preconditions:
+    - key: "{{request.userInfo.username}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountName}}"
+      operator: NotEqual
+      value: ""
+    - key: "{{serviceAccountNamespace}}"
+      operator: NotEqual
+      value: ""
    generate:
      kind: RoleBinding
      name: "ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"