fix(anchor): skip anchors don't have priority (#10206)

* fix(anchor): give priority to skip anchors Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * test(anchor): conditional anchor with a failing sibling Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * test(anchor): conditional anchor mixed with other results Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> * fix(anchor): successful anchor with a skip anchor Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> --------- Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-05-22 12:04:14 +03:00 · 2024-05-22 12:04:14 +03:00 · ed4eb9666a
commit ed4eb9666a
parent 57b2c5fe4f
2 changed files with 106 additions and 6 deletions
--- a/pkg/engine/validate/validate.go
+++ b/pkg/engine/validate/validate.go
@ -145,18 +145,46 @@ func validateMap(log logr.Logger, resourceMap, patternMap map[string]interface{}
 				continue
 			}

+			skipSiblingExists := false
+			for _, skipError := range skipErrors {
+				if _, ok := skipError.(*PatternError); !ok {
+					skipSiblingExists = true
+					break
+				}
+			}
+			if !skipSiblingExists {
 				return handlerPath, err
+			} else {
+				continue
+			}
 		}

 		applyCount++
 	}

-	if applyCount == 0 && len(skipErrors) > 0 {
+	if len(skipErrors) > 0 {
+		if applyCount == 0 {
 			return path, &PatternError{
 				Err:  multierr.Combine(skipErrors...),
 				Path: path,
 				Skip: true,
 			}
+		} else {
+			skipSiblingExists := false
+			for _, skipError := range skipErrors {
+				if _, ok := skipError.(*PatternError); !ok {
+					skipSiblingExists = true
+					break
+				}
+			}
+			if skipSiblingExists {
+				return path, &PatternError{
+					Err:  multierr.Combine(skipErrors...),
+					Path: path,
+					Skip: true,
+				}
+			}
+		}
 	}

 	// Evaluate resources
--- a/pkg/engine/validate/validate_test.go
+++ b/pkg/engine/validate/validate_test.go
@ -1615,6 +1615,78 @@ func TestConditionalAnchorWithMultiplePatterns(t *testing.T) {
 			resource: []byte(`{"metadata": {"labels": {"run": "nginx"},"name": "nginx"},"spec": {"containers": [{"image": "nginx","name": "nginx"}],"volumes": [{"hostPath": {"path": "/var/run/docker.sock"}}]}}`),
 			status:   engineapi.RuleStatusFail,
 		},
+		{
+			name:     "test-43",
+			pattern:  []byte(`{"spec": {"=(volumes)": [{"(name)": "!cache-volume","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
+			resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
+			status:   engineapi.RuleStatusSkip,
+		},
+		{
+			name:     "test-44",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 1000}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-45",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"initContainers": [{"name": "nginx", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
+			status:   engineapi.RuleStatusFail,
+		},
+		{
+			name:     "test-46",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-47",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 1000}}], "containers": [{"securityContext": {"runAsUser": 0}}]}}`),
+			status:   engineapi.RuleStatusFail,
+		},
+		{
+			name:     "test-48",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 1000}}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-49",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"containers": [{"securityContext": {"runAsUser": 0}}]}}`),
+			status:   engineapi.RuleStatusFail,
+		},
+		{
+			name:     "test-50",
+			pattern:  []byte(`{"spec": {"=(initContainers)": [{"(name)": "!istio-init", "=(securityContext)": {"=(runAsUser)": ">0"}}], "=(containers)": [{"=(securityContext)": {"=(runAsUser)": ">0"}}]}}`),
+			resource: []byte(`{"spec": {"initContainers": [{"name": "istio-init", "securityContext": {"runAsUser": 0}}], "containers": [{"name": "nginx", "image": "nginx"}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-51",
+			pattern:  []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
+			resource: []byte(`{"spec": {"volumes": [{"name": "credential-socket","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
+			status:   engineapi.RuleStatusSkip,
+		},
+		{
+			name:     "test-52",
+			pattern:  []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
+			resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {"sizeLimit": "1Gi"}}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-53",
+			pattern:  []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
+			resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume"}]}}`),
+			status:   engineapi.RuleStatusPass,
+		},
+		{
+			name:     "test-54",
+			pattern:  []byte(`{"spec": {"=(volumes)": [{"(name)": "!credential-socket&!istio-data&!istio-envoy&!workload-certs&!workload-socket","=(emptyDir)": {"sizeLimit": "?*"}}]}}`),
+			resource: []byte(`{"spec": {"volumes": [{"name": "cache-volume","emptyDir": {}}]}}`),
+			status:   engineapi.RuleStatusFail,
+		},
 	}

 	for _, testCase := range testCases {