diff --git a/pkg/engine/handlers/validation/validate_cel.go b/pkg/engine/handlers/validation/validate_cel.go
index aac07dca10..aec490062d 100644
--- a/pkg/engine/handlers/validation/validate_cel.go
+++ b/pkg/engine/handlers/validation/validate_cel.go
@@ -130,12 +130,20 @@ func (h validateCELHandler) Process(
 if gvk.Kind == "Namespace" && gvk.Version == "v1" && gvk.Group == "" {
 namespaceName = ""
 }
- if namespaceName != "" && h.client != nil {
- namespace, err = h.client.GetNamespace(ctx, namespaceName, metav1.GetOptions{})
- if err != nil {
- return resource, handlers.WithResponses(
- engineapi.RuleError(rule.Name, engineapi.Validation, "Error getting the resource's namespace", err),
- )
+ if namespaceName != "" {
+ if h.client != nil {
+ namespace, err = h.client.GetNamespace(ctx, namespaceName, metav1.GetOptions{})
+ if err != nil {
+ return resource, handlers.WithResponses(
+ engineapi.RuleError(rule.Name, engineapi.Validation, "Error getting the resource's namespace", err),
+ )
+ }
+ } else {
+ namespace = &corev1.Namespace{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: namespaceName,
+ },
+ }
 }
 }
diff --git a/test/cli/test/check-deployment-namespace-cel/kyverno-test.yaml b/test/cli/test/check-deployment-namespace-cel/kyverno-test.yaml
new file mode 100644
index 0000000000..768a43e32b
--- /dev/null
+++ b/test/cli/test/check-deployment-namespace-cel/kyverno-test.yaml
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: kyverno-test.yaml
+policies:
+- policy.yaml
+resources:
+- resources.yaml
+results:
+- kind: Deployment
+ policy: disallow-default-namespace
+ resources:
+ - bad-deployment
+ result: fail
+ rule: validate-deployment-namespace
+- kind: Deployment
+ policy: disallow-default-namespace
+ resources:
+ - good-deployment
+ result: pass
+ rule: validate-deployment-namespace
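Review bot: The new else branch at `namespace = &corev1.Namespace{...}` substitutes a Namespace that carries only a name, so a CEL expression that reads `namespaceObject.metadata.labels` or `.annotations` (the usual way to enforce namespace-level controls such as pod-security labels) is now evaluated against an empty object instead of the real namespace, and the verdict can differ from what the same policy produces in-cluster; nothing in the hunk marks the object as synthetic, and previously this path left `namespace` untouched. I would add a comment above the assignment: `// No API client (offline/CLI evaluation): stand in a Namespace with only the name set so expressions on namespaceObject.metadata.name still evaluate; labels and annotations are absent, so expressions that depend on them cannot be decided here.` That `namespace` is what is exposed as `namespaceObject` is inferred from the policy fixture added in this commit, not from the hunk itself. The enclosing `Process` method starts and ends outside the hunk.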
diff --git a/test/cli/test/check-deployment-namespace-cel/policy.yaml b/test/cli/test/check-deployment-namespace-cel/policy.yaml
new file mode 100644
index 0000000000..d50a913abd
--- /dev/null
+++ b/test/cli/test/check-deployment-namespace-cel/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-default-namespace
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: validate-deployment-namespace
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ validate:
+ cel:
+ expressions:
+ - expression: "namespaceObject.metadata.name != 'default'"
+ message: "Using 'default' namespace is not allowed for deployments."
diff --git a/test/cli/test/check-deployment-namespace-cel/resources.yaml b/test/cli/test/check-deployment-namespace-cel/resources.yaml
new file mode 100644
index 0000000000..6a0dc66170
--- /dev/null
+++ b/test/cli/test/check-deployment-namespace-cel/resources.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ namespace: default
+ labels:
+ app: busybox
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:latest
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ namespace: staging
+ labels:
+ app: busybox
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: busybox
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ containers:
+ - name: busybox
+ image: busybox:latest