diff --git a/documentation/writing-policies.md b/documentation/writing-policies.md
index 60ccf5beb2..1c0d2bcc4f 100644
--- a/documentation/writing-policies.md
+++ b/documentation/writing-policies.md
@@ -98,7 +98,6 @@ Example userName=`system:serviceaccount:nirmata:user1` will store variable valu
 - `serviceAccountNamespace` : extracts the `namespace` of the serviceAccount. Example userName=`system:serviceaccount:nirmata:user1` will store variable value as `nirmata`.
-
 Examples:
 1. Refer to resource name(type string)
@@ -113,5 +112,24 @@ Examples:
 `{{request.object.metadata}}`
+# PreConditions:
+Apart from using `match` & `exclude` conditions on resource to filter which resources to apply the rule on, `preconditions` can be used to define custom filters.
+```yaml
+ - name: generate-owner-role
+ match:
+ resources:
+ kinds:
+ - Namespace
+ preconditions:
+ - key: "{{request.userInfo.username}}"
+ operator: NotEqual
+ value: ""
+```
+In the above example, if the variable `{{request.userInfo.username}}` is blank then we dont apply the rule on resource.
+
+Operators supported:
+- Equal
+- NotEqual
+
 ---
 *Read Next >> [Validate](/documentation/writing-policies-validate.md)*
\ No newline at end of file
diff --git a/pkg/webhooks/generation.go b/pkg/webhooks/generation.go
index 3929f6e330..9c9e1fa586 100644
--- a/pkg/webhooks/generation.go
+++ b/pkg/webhooks/generation.go
@@ -33,7 +33,7 @@ func (ws *WebhookServer) HandleGenerate(request *v1beta1.AdmissionRequest, polic
 // build context
 ctx := context.NewContext()
 // load incoming resource into the context
- // ctx.AddResource(request.Object.Raw)
+ ctx.AddResource(request.Object.Raw)
 ctx.AddUserInfo(userRequestInfo)
 // load service account in context
 ctx.AddSA(userRequestInfo.AdmissionUserInfo.Username)
diff --git a/test/policy/generate/variable.yaml b/test/policy/generate/variable.yaml
index 41255b0a10..d35597121b 100644
--- a/test/policy/generate/variable.yaml
+++ b/test/policy/generate/variable.yaml
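Review bot: The newly enabled `ctx.AddResource(request.Object.Raw)` discards its result, as do the neighbouring `AddUserInfo` and `AddSA` calls; if it reports a parse failure on the raw admission object (I believe it returns an error — confirm against the context package), that failure is silent and every `{{request.object.*}}` reference in a generate rule is then evaluated against a context that never received the object. request.Object.Raw is untrusted input to the webhook, so a malformed or unexpected object is exactly the case that should surface in the logs rather than degrade into unresolved variables. Suggest `if err := ctx.AddResource(request.Object.Raw); err != nil {` followed by a log line carrying `request.UID` and the error, and the same treatment for the two calls below it. HandleGenerate starts before the hunk and continues after it.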
@@ -6,12 +6,23 @@ metadata:
 policies.kyverno.io/category: Workload Isolation
 policies.kyverno.io/description: Create roles and role bindings for a new namespace
 spec:
+ background: false
 rules:
 - name: generate-owner-role
 match:
 resources:
 kinds:
 - Namespace
+ preconditions:
+ - key: "{{request.userInfo.username}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountName}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountNamespace}}"
+ operator: NotEqual
+ value: ""
 generate:
 kind: ClusterRole
 name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}"
@@ -30,6 +41,16 @@ spec:
 resources:
 kinds:
 - Namespace
+ preconditions:
+ - key: "{{request.userInfo.username}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountName}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountNamespace}}"
+ operator: NotEqual
+ value: ""
 generate:
 kind: ClusterRoleBinding
 name: "ns-owner-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"
@@ -51,6 +72,16 @@ spec:
 resources:
 kinds:
 - Namespace
+ preconditions:
+ - key: "{{request.userInfo.username}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountName}}"
+ operator: NotEqual
+ value: ""
+ - key: "{{serviceAccountNamespace}}"
+ operator: NotEqual
+ value: ""
 generate:
 kind: RoleBinding
 name: "ns-admin-{{request.object.metadata.name}}-{{request.userInfo.username}}-binding"
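Review bot: The new preconditions on `{{serviceAccountName}}` and `{{serviceAccountNamespace}}` only skip the rule for non-service-account callers if an unresolvable variable substitutes to an empty string; if the engine instead leaves the placeholder text in place for a username that is not of the form `system:serviceaccount:<ns>:<name>`, `NotEqual ""` is satisfied and the rule runs with unresolved values in the generated names. Which of the two happens cannot be told from this diff — confirm against the variable-substitution code and add a test request from a regular (non-service-account) user to pin it. The same ten lines are repeated verbatim in the hunks at `@@ -30,6 +41,16 @@` and `@@ -51,6 +72,16 @@`; since the policy format visible here offers no shared definition, a comment above the first block such as `# keep in sync with the preconditions of the other two rules` would at least flag the coupling. `background: false` looks like the right companion to these preconditions, presumably because request.userInfo is not available outside an admission request — worth a one-line comment on that key as well.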