mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-15 20:20:22 +00:00
Code Activity

fix(anchor): skip anchors don't have priority (#10206)

Browse source 
* fix(anchor): give priority to skip anchors

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test(anchor): conditional anchor with a failing sibling

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* test(anchor): conditional anchor mixed with other results

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* fix(anchor): successful anchor with a skip anchor

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
Khaled Emara 2024-05-22 12:04:14 +03:00 committed by GitHub
parent 57b2c5fe4f
commit ed4eb9666a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 106 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
pkg/engine/validate/validate.go
View file

@ -145,17 +145,45 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
continue continue
} }
return handlerPath, err skipSiblingExists := false
for _, skipError := range skipErrors {
if _, ok := skipError.(*PatternError); !ok {
skipSiblingExists = true
break
}
}
if !skipSiblingExists {
return handlerPath, err
} else {
continue
}
} }
applyCount++ applyCount++
} }
if applyCount == 0 && len(skipErrors) > 0 { if len(skipErrors) > 0 {
return path, &PatternError{ if applyCount == 0 {
Err: multierr.Combine(skipErrors...), return path, &PatternError{
Path: path, Err: multierr.Combine(skipErrors...),
Skip: true, Path: path,
Skip: true,
}
} else {
skipSiblingExists := false
for _, skipError := range skipErrors {
if _, ok := skipError.(*PatternError); !ok {
skipSiblingExists = true
break
}
}
if skipSiblingExists {
return path, &PatternError{
Err: multierr.Combine(skipErrors...),
Path: path,
Skip: true,
}
}
} }
} }

72
pkg/engine/validate/validate_test.go
View file

@ -1615,6 +1615,78 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`), resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
status: engineapi.RuleStatusFail, status: engineapi.RuleStatusFail,
}, },
{
name: "test-43",
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!cache-volume","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
status: engineapi.RuleStatusSkip,
},
{
name: "test-44",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 1000}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-45",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
status: engineapi.RuleStatusFail,
},
{
name: "test-46",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-47",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 1000}}], "containers": [{"securityContext": {"runAsUser": 0}}]}}`),
status: engineapi.RuleStatusFail,
},
{
name: "test-48",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-49",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 0}}]}}`),
status: engineapi.RuleStatusFail,
},
{
name: "test-50",
pattern: []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-51",
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
resource: []byte(`{"spec": {"volumes": [{"name": "credential-socket","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
status: engineapi.RuleStatusSkip,
},
{
name: "test-52",
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-53",
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume"}]}}`),
status: engineapi.RuleStatusPass,
},
{
name: "test-54",
pattern: []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
status: engineapi.RuleStatusFail,
},
} }
for _, testCase := range testCases { for _, testCase := range testCases {