Ensure preconditions are present with default values (#4046)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
2025-03-28 18:38:40 +00:00 · 2022-05-31 16:39:06 -04:00 · 2022-05-31 16:39:06 -04:00 · ee46e9ed19
commit ee46e9ed19
parent 566eae7d94
2 changed files with 22 additions and 2 deletions
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@ -27,3 +27,5 @@ annotations:
      description: Support for artifacthub.io/changes annotation
    - kind: fixed
      description: Fix Kyverno version check when image tag contains registry port number
+    - kind: fixed
+      description: Ensure preconditions are present with default values
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@ -35,7 +35,9 @@ spec:
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
+      {{- $preconditions1 :=  merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
+      {{- if $preconditions1 }}
+      {{- with $preconditions1 }}
      preconditions:
        {{- if .all }}
        all:
@ -47,6 +49,13 @@ spec:
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation }}`}}"
+          operator: NotEquals
+          value: DELETE
+      {{- end }}
      validate:
        message: >-
          Containers must drop `ALL` capabilities.
@ -68,7 +77,9 @@ spec:
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      {{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
+      {{- $preconditions2 := merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
+      {{- if $preconditions2 }}
+      {{- with $preconditions2 }}
      preconditions:
        {{- if .all }}
        all:
@ -80,6 +91,13 @@ spec:
          {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
+      {{- else }}
+      preconditions:
+        all:
+        - key: "{{`{{ request.operation }}`}}"
+          operator: NotEquals
+          value: DELETE
+      {{- end }}
      validate:
        message: >-
          Any capabilities added other than NET_BIND_SERVICE are disallowed.