Broken exclude any all (#2990)

* added check for any/all Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * minor corrections Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * corrected return check for rbac info Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> * added cli test Signed-off-by: anushkamittal20 <anumittal4641@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2025-03-05 07:26:55 +00:00 · 2022-01-20 13:59:16 +05:30 · 2022-01-20 13:59:16 +05:30 · df4d7ae26c
commit df4d7ae26c
parent 25722366f0
4 changed files with 57 additions and 1 deletions
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@ -117,7 +117,9 @@ func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
 	for _, policySlice := range policies {
 		for _, policy := range policySlice {
 			for _, rule := range policy.Spec.Rules {
-				checkForRBACInfo(rule)
+				if checkForRBACInfo(rule) {
+					return true
+				}
 			}
 		}
 	}
--- a/test/cli/test-fail/invalid-ns/kyverno-test.yaml
+++ b/test/cli/test-fail/invalid-ns/kyverno-test.yaml
@ -0,0 +1,11 @@
+name: test-exclude
+policies:
+  - policy.yaml
+resources:
+  - resources.yaml
+results:
+  - policy: restrict-labels
+    rule: restrict-labels
+    resource: kyverno-system-tst
+    kind: Namespace
+    result: fail
--- a/test/cli/test-fail/invalid-ns/policy.yaml
+++ b/test/cli/test-fail/invalid-ns/policy.yaml
@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-labels
+  labels:
+    policy.schiff.telekom.de: enforced
+  annotations:
+    policies.kyverno.io/title: Restrict Labels on Namespaces
+    policies.kyverno.io/category: Labels
+    policies.kyverno.io/minversion: 1.3.0
+    policies.kyverno.io/description: >-
+      This policy prevents the use of an label beginning with a common
+      key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either
+      don't set reserved labels or to force them to
+      use a newer version of an label.
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: restrict-labels
+    match:
+      resources:
+        kinds:
+        - Namespace
+    exclude:
+      clusterRoles:
+      - cluster-admin
+    validate:
+      message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces'
+      pattern:
+        metadata:
+          labels:
+            platform.das-schiff.telekom.de/owner: "!das-schiff"
+            # For forward compatibility
+            =(schiff.telekom.de/owner): "!schiff"
--- a/test/cli/test-fail/invalid-ns/resources.yaml
+++ b/test/cli/test-fail/invalid-ns/resources.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kyverno-system-tst
+  labels:
+    name: kyverno-system-tst
+    schiff.telekom.de/owner: schiff
+    platform.das-schiff.telekom.de/owner: das-schiff