Fix label mutation while updating the secret (#3273)

* Fix label mutation while updating the secret * Update util.go * fix converter issue * code indentation
2025-03-29 10:55:05 +00:00 · 2022-02-22 17:19:03 +05:30 · 2022-02-22 17:19:03 +05:30 · e8bf16a00b
commit e8bf16a00b
parent c13aeca7fa
8 changed files with 127 additions and 0 deletions
--- a/pkg/utils/util.go
+++ b/pkg/utils/util.go
@ -7,6 +7,7 @@ import (
 	"strconv"

 	kyverno "github.com/kyverno/kyverno/api/kyverno/v1"
+	"github.com/pkg/errors"
 	"sigs.k8s.io/controller-runtime/pkg/log"

 	"github.com/go-logr/logr"
@ -15,6 +16,7 @@ import (
 	engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 	"github.com/minio/pkg/wildcard"
 	"k8s.io/api/admission/v1beta1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@ -149,6 +151,44 @@ func ConvertResource(raw []byte, group, version, kind, namespace string) (unstru
 	return *obj, nil
 }

+func NormalizeSecret(resource *unstructured.Unstructured) (unstructured.Unstructured, error) {
+	var secret corev1.Secret
+	data, err := json.Marshal(resource.Object)
+	if err != nil {
+		return *resource, err
+	}
+	err = json.Unmarshal(data, &secret)
+	if err != nil {
+		return *resource, errors.Wrap(err, "object unable to convert to secret")
+	}
+	for k, v := range secret.Data {
+		if len(v) == 0 {
+			secret.Data[k] = []byte("")
+		}
+	}
+	updateSecret := map[string]interface{}{}
+	raw, err := json.Marshal(&secret)
+	if err != nil {
+		return *resource, nil
+	}
+
+	err = json.Unmarshal(raw, &updateSecret)
+	if err != nil {
+		return *resource, nil
+	}
+
+	if err != nil {
+		return *resource, errors.Wrap(err, "object unable to convert from secret")
+	}
+	if secret.Data != nil {
+		err = unstructured.SetNestedMap(resource.Object, updateSecret["data"].(map[string]interface{}), "data")
+		if err != nil {
+			return *resource, errors.Wrap(err, "failed to set secret.data")
+		}
+	}
+	return *resource, nil
+}
+
 // HigherThanKubernetesVersion compare Kubernetes client version to user given version
 func HigherThanKubernetesVersion(client *client.Client, log logr.Logger, major, minor, patch int) bool {
 	logger := log.WithName("CompareKubernetesVersion")
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -374,6 +374,13 @@ func (ws *WebhookServer) buildPolicyContext(request *v1beta1.AdmissionRequest, a
 		return nil, errors.Wrap(err, "failed to add image information to the policy rule context")
 	}

+	if request.Kind.Kind == "Secret" && request.Operation == v1beta1.Update {
+		resource, err = utils.NormalizeSecret(&resource)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to convert secret to unstructured format")
+		}
+	}
+
 	policyContext := &engine.PolicyContext{
 		NewResource:         resource,
 		AdmissionInfo:       userRequestInfo,
--- a/test/cli/test/secret/kyverno-test.yaml
+++ b/test/cli/test/secret/kyverno-test.yaml
@ -0,0 +1,18 @@
+name: add-maintainer
+policies:
+  -  policy.yaml
+resources:
+  -  resources.yaml
+results:
+  - policy: add-maintainer
+    rule: add-maintainer
+    resource: example
+    patchedResource: patched-resource.yaml
+    kind: Secret
+    result: pass
+  - policy: add-maintainer
+    rule: add-maintainer
+    resource: secrete-fail-example
+    patchedResource: patched-resource1.yaml
+    kind: Secret
+    result: fail
--- a/test/cli/test/secret/patched-resource.yaml
+++ b/test/cli/test/secret/patched-resource.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  foo: AAAA
+  bar: ""
+kind: Secret
+metadata:
+  name: example
+  labels:
+    kyverno.com/maintainer: "test"
+type: Opaque
--- a/test/cli/test/secret/patched-resource1.yaml
+++ b/test/cli/test/secret/patched-resource1.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  foo: AAAA
+kind: Secret
+metadata:
+  name: example1
+type: Opaque
--- a/test/cli/test/secret/policy.yaml
+++ b/test/cli/test/secret/policy.yaml
@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-maintainer
+spec:
+  rules:
+    - match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            labels:
+              kyverno.com/maintainer: 'test'
+      name: add-maintainer
+  validationFailureAction: audit
--- a/test/cli/test/secret/resources.yaml
+++ b/test/cli/test/secret/resources.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+data:
+  foo: AAAA
+  bar: ""
+kind: Secret
+metadata:
+  name: example
+type: Opaque
+
+---
+apiVersion: v1
+data:
+  foo: AAAA
+  bar: ""
+kind: Secret
+metadata:
+  name: secrete-fail-example
+type: Opaque
--- a/test/cli/test/secret/resources2.yaml
+++ b/test/cli/test/secret/resources2.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  foo: AAAA
+  bar: ""
+  faq: BBBB
+kind: Secret
+metadata:
+  name: secrete-fail-example
+type: Opaque