added tests for validate foreach with 0 elements (#9459)

* added tests for validate foreach with 0 doesn't skip Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> * fix Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> --------- Signed-off-by: Pushkar Mishra <pushkarmishra029@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-04-08 18:15:48 +00:00 · 2024-01-29 19:34:41 +05:30 · 2024-01-29 19:34:41 +05:30 · e6d438289e
commit e6d438289e
parent 3234d0c1df
1 changed files with 87 additions and 0 deletions
--- a/pkg/engine/validation_test.go
+++ b/pkg/engine/validation_test.go
@ -668,6 +668,93 @@ func TestValidate_anchor_map_notfound(t *testing.T) {
 	assert.Assert(t, er.IsSuccessful())
 }

+func TestValidate_foreach_zero_reported_asskip(t *testing.T) {
+	rawPolicy := []byte(`
+	{
+		"apiVersion": "kyverno.io/v1",
+		"kind": "ClusterPolicy",
+		"metadata": {
+			"name": "check-sa-tokens",
+			"annotations": {
+				"pod-policies.kyverno.io/autogen-controllers": "none"
+			}
+		},
+		"spec": {
+			"validationFailureAction": "Enforce",
+			"background": true,
+			"rules": [
+				{
+					"name": "check-token-exp",
+					"match": {
+						"resources": {
+							"kinds": ["Pod"]
+						}
+					},
+					"validate": {
+						"foreach": [
+							{
+								"list": "request.object.spec.volumes[].projected.sources[].serviceAccountToken.expirationSeconds",
+								"deny": {
+									"conditions": {
+										"any": [
+											{
+												"key": "{{ element }}",
+												"operator": "GreaterThan",
+												"value": 3600,
+												"message": "expirationSeconds must be less than 1 hour"
+											}
+										]
+									}
+								}
+							}
+						]
+					}
+				}
+			]
+		}
+	}
+`)
+
+	rawResource := []byte(`
+	{
+		"apiVersion": "v1",
+		"kind": "Pod",
+		"metadata": {
+			"name": "my-pod"
+		},
+		"spec": {
+			"containers": [
+				{
+					"name": "nginx",
+					"image": "nginx",
+					"volumeMounts": [
+						{
+							"mountPath": "/var/run/secrets/tokens",
+							"name": "my-proj-vol"
+						}
+					]
+				}
+			],
+			"serviceAccountName": "my-service-account"
+		}
+	}	
+`)
+
+	var policy kyvernov1.ClusterPolicy
+	err := json.Unmarshal(rawPolicy, &policy)
+	assert.NilError(t, err)
+
+	resourceUnstructured, err := kubeutils.BytesToUnstructured(rawResource)
+	assert.NilError(t, err)
+	er := testValidate(context.TODO(), registryclient.NewOrDie(), newPolicyContext(t, *resourceUnstructured, kyvernov1.Create, nil).WithPolicy(&policy), cfg, nil)
+	msgs := []string{"validation rule 'check-token-exp' passed."}
+
+	for index, r := range er.PolicyResponse.Rules {
+		assert.Equal(t, r.Message(), msgs[index])
+	}
+	assert.Assert(t, er.IsSuccessful())
+}
+
 func TestValidate_anchor_map_found_valid(t *testing.T) {
 	// anchor not present in resource
 	rawPolicy := []byte(`{