add mutate.targets validations (#6693)
Signed-off-by: ShutingZhao <shuting@nirmata.com>
This commit is contained in:
parent
81ec6c96a1
commit
e3902d117e
6 changed files with 90 additions and 2 deletions
|
@ -271,16 +271,33 @@ func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace
|
|||
return errs
|
||||
}
|
||||
|
||||
func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
|
||||
func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
|
||||
if s.GenerateExistingOnPolicyUpdate != nil {
|
||||
errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "deprecated field, define generateExisting instead"))
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
func (s *Spec) validateMutateTargets(path *field.Path) (errs field.ErrorList) {
|
||||
if s.MutateExistingOnPolicyUpdate {
|
||||
for i, rule := range s.Rules {
|
||||
if !rule.HasMutate() {
|
||||
continue
|
||||
}
|
||||
if len(rule.Mutation.Targets) == 0 {
|
||||
errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), fmt.Sprintf("rules[%v].mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set", i)))
|
||||
}
|
||||
}
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// Validate implements programmatic validation
|
||||
func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
|
||||
if err := s.ValidateDeprecatedFields(path); err != nil {
|
||||
if err := s.validateDeprecatedFields(path); err != nil {
|
||||
errs = append(errs, err...)
|
||||
}
|
||||
if err := s.validateMutateTargets(path); err != nil {
|
||||
errs = append(errs, err...)
|
||||
}
|
||||
errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
|
||||
|
|
|
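Review bot: The error produced in validateMutateTargets is attached to `path.Child("mutateExistingOnPolicyUpdate")` and typed as Forbidden, although what is actually missing is `rules[i].mutate.targets`, so the structured field path points a user at the wrong place and the rule index survives only in the free-text detail. Reporting it at the rule with the conventional type for an absent required field, e.g. `errs = append(errs, field.Required(path.Child("rules").Index(i).Child("mutate").Child("targets"), "mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set"))`, keeps the message and makes the location machine-readable. The new method also has no doc comment; `// validateMutateTargets requires every mutate rule to declare mutate.targets when mutateExistingOnPolicyUpdate is set.` would match the comment on Validate below it. The `if err := …; err != nil` guards in Validate around both helper calls are redundant, since appending a nil ErrorList is a no-op, and `errs = append(errs, s.validateMutateTargets(path)...)` would match the style of the ValidateRules call on the last line of the hunk. ValidateRules begins and Validate ends outside the hunk.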
@ -0,0 +1,5 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: policy-no-targets.yaml
|
||||
shouldFail: true
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: kuttl.dev/v1beta1
|
||||
kind: TestStep
|
||||
apply:
|
||||
- file: policy-targets.yaml
|
||||
shouldFail: false
|
|
@ -0,0 +1,12 @@
|
|||
## Description
|
||||
|
||||
This test ensures that a mutate existing policy has to have `mutate.targets` defined if `mutateExistingOnPolicyUpdate` is true.
|
||||
|
||||
## Expected Behavior
|
||||
|
||||
With `mutateExistingOnPolicyUpdate` set to true, the policy should be rejected if the `mutate.targets` is not defined, and allowed if `mutate.targets` is specified.
|
||||
|
||||
|
||||
## Reference Issue(s)
|
||||
|
||||
https://github.com/kyverno/kyverno/issues/6593
|
|
@ -0,0 +1,22 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-existing-require-targets-policy-no-targets
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: mutate-secret-on-configmap-create
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-1
|
||||
namespaces:
|
||||
- staging
|
||||
mutate:
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|
|
@ -0,0 +1,27 @@
|
|||
apiVersion: kyverno.io/v1
|
||||
kind: ClusterPolicy
|
||||
metadata:
|
||||
name: mutate-existing-require-targets-policy-targets
|
||||
spec:
|
||||
mutateExistingOnPolicyUpdate: true
|
||||
rules:
|
||||
- name: mutate-secret-on-configmap-create
|
||||
match:
|
||||
any:
|
||||
- resources:
|
||||
kinds:
|
||||
- ConfigMap
|
||||
names:
|
||||
- dictionary-1
|
||||
namespaces:
|
||||
- staging
|
||||
mutate:
|
||||
targets:
|
||||
- apiVersion: v1
|
||||
kind: Secret
|
||||
name: secret-1
|
||||
namespace: "{{ request.object.metadata.namespace }}"
|
||||
patchStrategicMerge:
|
||||
metadata:
|
||||
labels:
|
||||
foo: bar
|