fix(anchor): skip anchors don't have priority (#10206)
* fix(anchor): give priority to skip anchors Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * test(anchor): conditional anchor with a failing sibling Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * test(anchor): conditional anchor mixed with other results Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(anchor): successful anchor with a skip anchor Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> --------- Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
57b2c5fe4f
commit
ed4eb9666a
2 changed files with 106 additions and 6 deletions
|
@ -145,17 +145,45 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
return handlerPath, err
|
skipSiblingExists := false
|
||||||
|
for _, skipError := range skipErrors {
|
||||||
|
if _, ok := skipError.(*PatternError); !ok {
|
||||||
|
skipSiblingExists = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if !skipSiblingExists {
|
||||||
|
return handlerPath, err
|
||||||
|
} else {
|
||||||
|
continue
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
applyCount++
|
applyCount++
|
||||||
}
|
}
|
||||||
|
|
||||||
if applyCount == 0 && len(skipErrors) > 0 {
|
if len(skipErrors) > 0 {
|
||||||
return path, &PatternError{
|
if applyCount == 0 {
|
||||||
Err: multierr.Combine(skipErrors...),
|
return path, &PatternError{
|
||||||
Path: path,
|
Err: multierr.Combine(skipErrors...),
|
||||||
Skip: true,
|
Path: path,
|
||||||
|
Skip: true,
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
skipSiblingExists := false
|
||||||
|
for _, skipError := range skipErrors {
|
||||||
|
if _, ok := skipError.(*PatternError); !ok {
|
||||||
|
skipSiblingExists = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if skipSiblingExists {
|
||||||
|
return path, &PatternError{
|
||||||
|
Err: multierr.Combine(skipErrors...),
|
||||||
|
Path: path,
|
||||||
|
Skip: true,
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
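Review bot: In the handler-error branch the new `continue` taken when skipSiblingExists is true drops `err` entirely — it is neither appended to skipErrors nor logged, so the PatternError later built from `multierr.Combine(skipErrors...)` no longer mentions the sibling that actually failed, which makes a Skip result hard to audit; since validateMap already receives `log logr.Logger` (visible in the hunk header), record it before continuing, e.g. `log.V(4).Info("ignoring handler error because a sibling anchor was skipped", "path", handlerPath, "error", err.Error())`. The scan of skipErrors for an entry that is not a *PatternError is also written out twice, once in that branch and again in the post-loop `else` block, and the flag name skipSiblingExists never says what such an entry denotes; a named helper removes the copy and lets both the `if !skipSiblingExists { return } else { continue }` shape and the two identical PatternError returns collapse, as in the excerpt below. The bare type assertion would miss a wrapped *PatternError if any handler returns one through `%w`; whether that can happen is not visible from this hunk, so confirm it rather than assume. validateMap starts before this hunk; only its signature is visible in the hunk header.
```go
// hasNonPatternError reports whether any entry in errs is not a *PatternError.
// NOTE(review): the callers treat such an entry as a sibling anchor that was
// skipped; confirm that meaning against the handlers that append to skipErrors,
// and switch to errors.As if those handlers ever wrap their errors.
func hasNonPatternError(errs []error) bool {
	for _, e := range errs {
		if _, ok := e.(*PatternError); !ok {
			return true
		}
	}
	return false
}

// … in validateMap, inside the handler-error branch, replacing the
// skipSiblingExists loop and the if/else that follows it …
				if !hasNonPatternError(skipErrors) {
					return handlerPath, err
				}
				// A sibling anchor was skipped; the failure is superseded but
				// must stay visible to anyone debugging the Skip result.
				log.V(4).Info("ignoring handler error because a sibling anchor was skipped", "path", handlerPath, "error", err.Error())
				continue

// … unchanged: applyCount++ and the end of the range loop …

	// Both former branches returned the same PatternError; fold them.
	if len(skipErrors) > 0 && (applyCount == 0 || hasNonPatternError(skipErrors)) {
		return path, &PatternError{
			Err:  multierr.Combine(skipErrors...),
			Path: path,
			Skip: true,
		}
	}
```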
@ -1615,6 +1615,78 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
|
||||||
resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
|
resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
|
||||||
status: engineapi.RuleStatusFail,
|
status: engineapi.RuleStatusFail,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "test-43",
|
||||||
|
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!cache-volume","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
|
||||||
|
status: engineapi.RuleStatusSkip,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-44",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 1000}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-45",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
|
||||||
|
status: engineapi.RuleStatusFail,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-46",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-47",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 1000}}], "containers": [{"securityContext": {"runAsUser": 0}}]}}`),
|
||||||
|
status: engineapi.RuleStatusFail,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-48",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-49",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 0}}]}}`),
|
||||||
|
status: engineapi.RuleStatusFail,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-50",
|
||||||
|
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-51",
|
||||||
|
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"volumes": [{"name": "credential-socket","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
|
||||||
|
status: engineapi.RuleStatusSkip,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-52",
|
||||||
|
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-53",
|
||||||
|
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume"}]}}`),
|
||||||
|
status: engineapi.RuleStatusPass,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "test-54",
|
||||||
|
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
|
||||||
|
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
|
||||||
|
status: engineapi.RuleStatusFail,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, testCase := range testCases {
|
for _, testCase := range testCases {
|
||||||
|
|
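Review bot: The twelve new table entries are named only `test-43` through `test-54`, so a failing run reports a number that says nothing about which anchor interaction broke, even though the commit messages name the scenarios (a conditional anchor with a failing sibling, a successful anchor beside a skip anchor); keeping the number but adding a description, e.g. `name: "test-43 conditional volume anchor skipped when name matches the exclusion"`, makes `go test -run` output and failure messages readable. The same long `=(initContainers)`/`=(containers)` pattern is repeated verbatim in test-44 through test-50 and another in test-51 through test-54; hoisting each into a local `[]byte` variable above the table would leave the resource and expected status as the only things a reader has to compare between cases. The enclosing test function and its table continue outside the hunk.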