From ee46e9ed192a0038c5ac4b3af0ca51c6b88a5747 Mon Sep 17 00:00:00 2001
From: treydock
Date: Tue, 31 May 2022 16:39:06 -0400
Subject: [PATCH] Ensure preconditions are present with default values (#4046)
Signed-off-by: Trey Dockendorf
---
 charts/kyverno-policies/Chart.yaml | 2 ++
 .../disallow-capabilities-strict.yaml | 22 +++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index bf54afc11a..732cbeecdc 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -27,3 +27,5 @@ annotations:
 description: Support for artifacthub.io/changes annotation
 - kind: fixed
 description: Fix Kyverno version check when image tag contains registry port number
+ - kind: fixed
+ description: Ensure preconditions are present with default values
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index d62d0b0d13..0284190ea6 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -35,7 +35,9 @@ spec:
 exclude:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
+ {{- $preconditions1 := merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
+ {{- if $preconditions1 }}
+ {{- with $preconditions1 }}
 preconditions:
 {{- if .all }}
 all:
@@ -47,6 +49,13 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
+ {{- else }}
+ preconditions:
+ all:
+ - key: "{{`{{ request.operation }}`}}"
+ operator: NotEquals
+ value: DELETE
+ {{- end }}
 validate:
 message: >-
 Containers must drop `ALL` capabilities.
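Review bot: The new `{{- if $preconditions1 }}` exists only so the `{{- else }}` added in the next hunk has something to attach to, but Go's `with` action takes an `else` branch itself and uses the same emptiness test as `if` (an empty map is empty for both), so the `if` wrapper and the extra `{{- end }}` added in the next hunk can be dropped by placing the `{{- else }}` block directly before the `{{- end }}` that closes this `with`. The exact nesting of the `{{- end }}` lines is not visible within this hunk, so that placement needs checking against the full template. `$preconditions2` in `@@ -68,7 +77,9 @@` has the same wrapper.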
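Review bot: The default `preconditions` in the new `{{- else }}` branch are emitted only when the merged map is completely empty, so a values entry that sets just `any:` (or an empty `all:`) for this rule silently drops the `request.operation NotEquals DELETE` entry, because the `{{- if .all }}` path in the previous hunk then renders nothing under `all:`. If an override is meant to replace the default entirely, the `policyPreconditions` section of values.yaml should say so; if the DELETE exclusion is meant to always hold, it should be appended to the `all:` list regardless of user input rather than live in the `else` branch. Keeping the default in the template also hides it from `helm show values`; a comment above the branch such as `{{/* fallback when no preconditions are configured for this rule; the DELETE exclusion is the chart default */}}` would at least document the intent, and the reason for excluding DELETE should be stated there by someone who knows it, as it is not visible in this hunk. The `if`/`with` pair that this hunk's `{{- else }}` and final `{{- end }}` belong to opens in the previous hunk; the second rule in `@@ -80,6 +91,13 @@` has the identical construction.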
@@ -68,7 +77,9 @@ spec:
 exclude:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
+ {{- $preconditions2 := merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
+ {{- if $preconditions2 }}
+ {{- with $preconditions2 }}
 preconditions:
 {{- if .all }}
 all:
@@ -80,6 +91,13 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 {{- end }}
+ {{- else }}
+ preconditions:
+ all:
+ - key: "{{`{{ request.operation }}`}}"
+ operator: NotEquals
+ value: DELETE
+ {{- end }}
 validate:
 message: >-
 Any capabilities added other than NET_BIND_SERVICE are disallowed.
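Review bot: The seven-line default block in this hunk's `{{- else }}` branch is a verbatim copy of the one added in `@@ -47,6 +49,13 @@`, and the `$preconditions2` lines in `@@ -68,7 +77,9 @@` duplicate the `$preconditions1` lines apart from the values key; two copies of the same security default in one template will drift the first time one of them is edited. Moving the default `all:` list into a named template (for example `{{- define "kyverno-policies.defaultPreconditions" -}}`, a name constructed here, rendered with `include` and `nindent` in both `else` branches) leaves a single source of truth. The `if`/`with` pair that this hunk's `{{- else }}` and final `{{- end }}` belong to opens in the previous hunk.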