fix: Overridden request.operation is not considered by match/exclude with operations (#8361)

* fix: verifyImages w/ multiple entries is not consistent Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * clean Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: Kyverno apply produces false positives when validating 'empty dangling' tags Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: Overridden request.operation is not considered by match/exclude with operations Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-28 18:38:40 +00:00 · 2023-09-12 20:56:31 +02:00 · 2023-09-12 20:56:31 +02:00 · e3188fca8c
commit e3188fca8c
parent 954415a311
1 changed files with 7 additions and 1 deletions
--- a/cmd/cli/kubectl-kyverno/processor/policy_processor.go
+++ b/cmd/cli/kubectl-kyverno/processor/policy_processor.go
@ -204,8 +204,11 @@ func (p *PolicyProcessor) makePolicyContext(
 		}
 		resourceValues = vals
 	}
-	if resourceValues["request.operation"] == "DELETE" {
+	switch resourceValues["request.operation"] {
+	case "DELETE":
 		operation = kyvernov1.Delete
+	case "UPDATE":
+		operation = kyvernov1.Update
 	}
 	policyContext, err := engine.NewPolicyContext(
 		jp,
@ -217,6 +220,9 @@ func (p *PolicyProcessor) makePolicyContext(
 	if err != nil {
 		log.Log.Error(err, "failed to create policy context")
 	}
+	if operation == kyvernov1.Update {
+		policyContext = policyContext.WithOldResource(resource)
+	}
 	policyContext = policyContext.
 		WithPolicy(policy).
 		WithNamespaceLabels(namespaceLabels).