mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

turn preconditions error to info log (#1926)

Browse source 
* turn preconditions error to info log

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* minor change

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* further changes

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* resolve conflicts

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* add precondition flag

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>

* NotFoundError -> Info

Signed-off-by: vineethvanga18 <reddy.8@iitj.ac.in>
This commit is contained in:
Vineeth Reddy 2021-07-07 17:37:44 +05:30 committed by GitHub
parent e74a5c803c
commit eeb4e4ff0f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 151 additions and 103 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pkg/engine/generation.go
View file

@ -108,7 +108,7 @@ func filterRule(rule kyverno.Rule, policyContext *PolicyContext) *response.RuleR
}
// evaluate pre-conditions
if !variables.EvaluateConditions(logger, ctx, copyConditions) {
if !variables.EvaluateConditions(logger, ctx, copyConditions, true) {
logger.V(4).Info("preconditions not satisfied, skipping rule", "rule", rule.Name)
return nil
}

2
pkg/engine/mutation.go
View file

@ -85,7 +85,7 @@ func Mutate(policyContext *PolicyContext) (resp *response.EngineResponse) {
}
// evaluate pre-conditions
// - handle variable substitutions
if !variables.EvaluateConditions(logger, ctx, copyConditions) {
if !variables.EvaluateConditions(logger, ctx, copyConditions, true) {
logger.V(3).Info("resource fails the preconditions")
continue
}

12
pkg/engine/validation.go
View file

@ -7,6 +7,7 @@ import (
"time"
"github.com/go-logr/logr"
gojmespath "github.com/jmespath/go-jmespath"
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
"github.com/kyverno/kyverno/pkg/engine/common"
"github.com/kyverno/kyverno/pkg/engine/context"
@ -113,7 +114,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
continue
}
// evaluate pre-conditions
if !variables.EvaluateConditions(log, ctx.JSONContext, preconditionsCopy) {
if !variables.EvaluateConditions(log, ctx.JSONContext, preconditionsCopy, true) {
log.V(4).Info("resource fails the preconditions")
continue
}
@ -129,7 +130,12 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
incrementAppliedCount(resp)
resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResp)
log.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
switch err.(type) {
case gojmespath.NotFoundError:
log.V(2).Info("failed to substitute variables, skip current rule", "info", err.Error(), "rule name", rule.Name)
default:
log.Error(err, "failed to substitute variables, skip current rule", "rule name", rule.Name)
}
continue
}
@ -147,7 +153,7 @@ func validateResource(log logr.Logger, ctx *PolicyContext) *response.EngineRespo
log.V(2).Info("wrongfully configured data", "reason", err.Error())
continue
}
deny := variables.EvaluateConditions(log, ctx.JSONContext, denyConditionsCopy)
deny := variables.EvaluateConditions(log, ctx.JSONContext, denyConditionsCopy, false)
ruleResp := response.RuleResponse{
Name: rule.Name,
Type: utils.Validation.String(),

20
pkg/engine/variables/evaluate.go
View file

@ -8,28 +8,28 @@ import (
)
//Evaluate evaluates the condition
func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition) bool {
func Evaluate(log logr.Logger, ctx context.EvalInterface, condition kyverno.Condition, isPreCondition bool) bool {
// get handler for the operator
handle := operator.CreateOperatorHandler(log, ctx, condition.Operator, SubstituteAll)
if handle == nil {
return false
}
return handle.Evaluate(condition.Key, condition.Value)
return handle.Evaluate(condition.Key, condition.Value, isPreCondition)
}
//EvaluateConditions evalues all the conditions present in a slice, in a backwards compatible way
func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions interface{}) bool {
func EvaluateConditions(log logr.Logger, ctx context.EvalInterface, conditions interface{}, isPreCondition bool) bool {
switch typedConditions := conditions.(type) {
case kyverno.AnyAllConditions:
return evaluateAnyAllConditions(log, ctx, typedConditions)
return evaluateAnyAllConditions(log, ctx, typedConditions, isPreCondition)
case []kyverno.Condition: // backwards compatibility
return evaluateOldConditions(log, ctx, typedConditions)
return evaluateOldConditions(log, ctx, typedConditions, isPreCondition)
}
return false
}
//evaluateAnyAllConditions evaluates multiple conditions as a logical AND (all) or OR (any) operation depending on the conditions
func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, conditions kyverno.AnyAllConditions) bool {
func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, conditions kyverno.AnyAllConditions, isPreCondition bool) bool {
anyConditions, allConditions := conditions.AnyConditions, conditions.AllConditions
anyConditionsResult, allConditionsResult := true, true
@ -37,7 +37,7 @@ func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, condit
if anyConditions != nil {
anyConditionsResult = false
for _, condition := range anyConditions {
if Evaluate(log, ctx, condition) {
if Evaluate(log, ctx, condition, isPreCondition) {
anyConditionsResult = true
break
}
@ -47,7 +47,7 @@ func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, condit
// update the allConditionsResult if they are present
if allConditions != nil {
for _, condition := range allConditions {
if !Evaluate(log, ctx, condition) {
if !Evaluate(log, ctx, condition, isPreCondition) {
allConditionsResult = false
break
}
@ -59,9 +59,9 @@ func evaluateAnyAllConditions(log logr.Logger, ctx context.EvalInterface, condit
}
//evaluateOldConditions evaluates multiple conditions when those conditions are provided in the old manner i.e. without 'any' or 'all'
func evaluateOldConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition) bool {
func evaluateOldConditions(log logr.Logger, ctx context.EvalInterface, conditions []kyverno.Condition, isPreCondition bool) bool {
for _, condition := range conditions {
if !Evaluate(log, ctx, condition) {
if !Evaluate(log, ctx, condition, isPreCondition) {
return false
}
}

140
pkg/engine/variables/evaluate_test.go
View file

@ -19,7 +19,7 @@ func Test_Eval_Equal_Const_String_Pass(t *testing.T) {
Value: "name",
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -33,7 +33,7 @@ func Test_Eval_Equal_Const_String_Fail(t *testing.T) {
Value: "name1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -47,7 +47,7 @@ func Test_Eval_NoEqual_Const_String_Pass(t *testing.T) {
Value: "name1",
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -61,7 +61,7 @@ func Test_Eval_NoEqual_Const_String_Fail(t *testing.T) {
Value: "name",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -73,7 +73,7 @@ func Test_Eval_GreaterThanOrEquals_Const_string_Equal_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -85,7 +85,7 @@ func Test_Eval_GreaterThanOrEquals_Const_string_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -97,7 +97,7 @@ func Test_Eval_GreaterThanOrEquals_Const_string_Fail(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: "2",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -109,7 +109,7 @@ func Test_Eval_GreaterThan_Const_string_Equal_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -121,7 +121,7 @@ func Test_Eval_GreaterThan_Const_string_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: 0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -133,7 +133,7 @@ func Test_Eval_GreaterThan_Const_string_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: "2",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -145,7 +145,7 @@ func Test_Eval_LessThanOrEquals_Const_string_Equal_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -157,7 +157,7 @@ func Test_Eval_LessThanOrEquals_Const_string_Less_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -169,7 +169,7 @@ func Test_Eval_LessThanOrEquals_Const_string_Fail(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: "1.1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -181,7 +181,7 @@ func Test_Eval_LessThan_Const_string_Equal_Pass(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -193,7 +193,7 @@ func Test_Eval_LessThan_Const_string_Less_Pass(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -205,7 +205,7 @@ func Test_Eval_LessThan_Const_string_Fail(t *testing.T) {
Operator: kyverno.LessThan,
Value: "1.1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -221,7 +221,7 @@ func Test_Eval_Equal_Const_Bool_Pass(t *testing.T) {
Value: true,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -235,7 +235,7 @@ func Test_Eval_Equal_Const_Bool_Fail(t *testing.T) {
Value: false,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -249,7 +249,7 @@ func Test_Eval_NoEqual_Const_Bool_Pass(t *testing.T) {
Value: false,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -263,7 +263,7 @@ func Test_Eval_NoEqual_Const_Bool_Fail(t *testing.T) {
Value: true,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -278,7 +278,7 @@ func Test_Eval_Equal_Const_int_Pass(t *testing.T) {
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -292,7 +292,7 @@ func Test_Eval_Equal_Const_int_Fail(t *testing.T) {
Value: 2,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -306,7 +306,7 @@ func Test_Eval_NoEqual_Const_int_Pass(t *testing.T) {
Value: 2,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -320,7 +320,7 @@ func Test_Eval_NoEqual_Const_int_Fail(t *testing.T) {
Value: 1,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -332,7 +332,7 @@ func Test_Eval_GreaterThanOrEquals_Const_int_Equal_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -344,7 +344,7 @@ func Test_Eval_GreaterThanOrEquals_Const_int_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -356,7 +356,7 @@ func Test_Eval_GreaterThanOrEquals_Const_int_Fail(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: "2",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -368,7 +368,7 @@ func Test_Eval_GreaterThan_Const_int_Equal_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -380,7 +380,7 @@ func Test_Eval_GreaterThan_Const_int_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: 0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -392,7 +392,7 @@ func Test_Eval_GreaterThan_Const_int_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: "2",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -404,7 +404,7 @@ func Test_Eval_LessThanOrEquals_Const_int_Equal_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -416,7 +416,7 @@ func Test_Eval_LessThanOrEquals_Const_int_Less_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -428,7 +428,7 @@ func Test_Eval_LessThanOrEquals_Const_int_Fail(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: "1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -440,7 +440,7 @@ func Test_Eval_LessThan_Const_int_Equal_Fail(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -452,7 +452,7 @@ func Test_Eval_LessThan_Const_int_Less_Pass(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -464,7 +464,7 @@ func Test_Eval_LessThan_Const_int_Fail(t *testing.T) {
Operator: kyverno.LessThan,
Value: "1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -479,7 +479,7 @@ func Test_Eval_Equal_Const_int64_Pass(t *testing.T) {
Value: int64(1),
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -493,7 +493,7 @@ func Test_Eval_Equal_Const_int64_Fail(t *testing.T) {
Value: int64(2),
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -507,7 +507,7 @@ func Test_Eval_NoEqual_Const_int64_Pass(t *testing.T) {
Value: int64(2),
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -521,7 +521,7 @@ func Test_Eval_NoEqual_Const_int64_Fail(t *testing.T) {
Value: int64(1),
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -537,7 +537,7 @@ func Test_Eval_Equal_Const_float64_Pass(t *testing.T) {
Value: 1.5,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -551,7 +551,7 @@ func Test_Eval_Equal_Const_float64_Fail(t *testing.T) {
Value: 1.6,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -565,7 +565,7 @@ func Test_Eval_NoEqual_Const_float64_Pass(t *testing.T) {
Value: 1.6,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -579,7 +579,7 @@ func Test_Eval_NoEqual_Const_float64_Fail(t *testing.T) {
Value: 1.5,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -591,7 +591,7 @@ func Test_Eval_GreaterThanOrEquals_Const_float64_Equal_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -603,7 +603,7 @@ func Test_Eval_GreaterThanOrEquals_Const_float64_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: 0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -615,7 +615,7 @@ func Test_Eval_GreaterThanOrEquals_Const_float64_Fail(t *testing.T) {
Operator: kyverno.GreaterThanOrEquals,
Value: "2",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -627,7 +627,7 @@ func Test_Eval_GreaterThan_Const_float64_Equal_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -639,7 +639,7 @@ func Test_Eval_GreaterThan_Const_float64_Greater_Pass(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: "0",
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -651,7 +651,7 @@ func Test_Eval_GreaterThan_Const_float64_Fail(t *testing.T) {
Operator: kyverno.GreaterThan,
Value: "2.5",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -663,7 +663,7 @@ func Test_Eval_LessThanOrEquals_Const_float64_Equal_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1.0,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -675,7 +675,7 @@ func Test_Eval_LessThanOrEquals_Const_float64_Less_Pass(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: 1,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -687,7 +687,7 @@ func Test_Eval_LessThanOrEquals_Const_float64_Fail(t *testing.T) {
Operator: kyverno.LessThanOrEquals,
Value: "1.95",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -699,7 +699,7 @@ func Test_Eval_LessThan_Const_float64_Equal_Fail(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1.0,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -711,7 +711,7 @@ func Test_Eval_LessThan_Const_float64_Less_Pass(t *testing.T) {
Operator: kyverno.LessThan,
Value: "1.5",
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -723,7 +723,7 @@ func Test_Eval_LessThan_Const_float64_Fail(t *testing.T) {
Operator: kyverno.LessThan,
Value: 1.95,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -753,7 +753,7 @@ func Test_Eval_Equal_Const_object_Pass(t *testing.T) {
Value: obj2,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -781,7 +781,7 @@ func Test_Eval_Equal_Const_object_Fail(t *testing.T) {
Value: obj2,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -809,7 +809,7 @@ func Test_Eval_NotEqual_Const_object_Pass(t *testing.T) {
Value: obj2,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -837,7 +837,7 @@ func Test_Eval_NotEqual_Const_object_Fail(t *testing.T) {
Value: obj2,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -867,7 +867,7 @@ func Test_Eval_Equal_Const_list_Pass(t *testing.T) {
Value: obj2,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -893,7 +893,7 @@ func Test_Eval_Equal_Const_list_Fail(t *testing.T) {
Value: obj2,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -919,7 +919,7 @@ func Test_Eval_NotEqual_Const_list_Pass(t *testing.T) {
Value: obj2,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -945,7 +945,7 @@ func Test_Eval_NotEqual_Const_list_Fail(t *testing.T) {
Value: obj2,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -978,7 +978,7 @@ func Test_Eval_Equal_Var_Pass(t *testing.T) {
Value: "temp",
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -1009,7 +1009,7 @@ func Test_Eval_Equal_Var_Fail(t *testing.T) {
Value: "temp1",
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -1036,7 +1036,7 @@ func Test_Eval_In_String_Set_Pass(t *testing.T) {
Value: valueInterface,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -1061,7 +1061,7 @@ func Test_Eval_In_String_Set_Fail(t *testing.T) {
Value: valueInterface,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}
@ -1086,7 +1086,7 @@ func Test_Eval_NotIn_String_Set_Pass(t *testing.T) {
Value: valueInterface,
}
if !Evaluate(log.Log, ctx, condition) {
if !Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to pass")
}
}
@ -1111,7 +1111,7 @@ func Test_Eval_NotIn_String_Set_Fail(t *testing.T) {
Value: valueInterface,
}
if Evaluate(log.Log, ctx, condition) {
if Evaluate(log.Log, ctx, condition, true) {
t.Error("expected to fail")
}
}

17
pkg/engine/variables/operator/equal.go
View file

@ -2,11 +2,12 @@ package operator
import (
"fmt"
"github.com/minio/pkg/wildcard"
"math"
"reflect"
"strconv"
"github.com/minio/pkg/wildcard"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/engine/context"
)
@ -28,18 +29,26 @@ type EqualHandler struct {
}
//Evaluate evaluates expression with Equal Operator
func (eh EqualHandler) Evaluate(key, value interface{}) bool {
func (eh EqualHandler) Evaluate(key, value interface{}, isPreCondition bool) bool {
var err error
//TODO: decouple variables from evaluation
// substitute the variables
if key, err = eh.subHandler(eh.log, eh.ctx, key); err != nil {
// Failed to resolve the variable
eh.log.Error(err, "Failed to resolve variable", "variable", key)
if isPreCondition {
eh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", key)
} else {
eh.log.Error(err, "Failed to resolve variable", "variable", key)
}
return false
}
if value, err = eh.subHandler(eh.log, eh.ctx, value); err != nil {
// Failed to resolve the variable
eh.log.Error(err, "Failed to resolve variable", "variable", value)
if isPreCondition {
eh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", value)
} else {
eh.log.Error(err, "Failed to resolve variable", "variable", value)
}
return false
}

14
pkg/engine/variables/operator/in.go
View file

@ -27,16 +27,24 @@ type InHandler struct {
}
//Evaluate evaluates expression with In Operator
func (in InHandler) Evaluate(key, value interface{}) bool {
func (in InHandler) Evaluate(key, value interface{}, isPreCondition bool) bool {
var err error
// substitute the variables
if key, err = in.subHandler(in.log, in.ctx, key); err != nil {
in.log.Error(err, "Failed to resolve variable", "variable", key)
if isPreCondition {
in.log.Info("Failed to resolve variable", "info", err.Error(), "variable", key)
} else {
in.log.Error(err, "Failed to resolve variable", "variable", key)
}
return false
}
if value, err = in.subHandler(in.log, in.ctx, value); err != nil {
in.log.Error(err, "Failed to resolve variable", "variable", value)
if isPreCondition {
in.log.Info("Failed to resolve variable", "info", err.Error(), "variable", value)
} else {
in.log.Error(err, "Failed to resolve variable", "variable", value)
}
return false
}

17
pkg/engine/variables/operator/notequal.go
View file

@ -2,11 +2,12 @@ package operator
import (
"fmt"
"github.com/minio/pkg/wildcard"
"math"
"reflect"
"strconv"
"github.com/minio/pkg/wildcard"
"github.com/go-logr/logr"
"github.com/kyverno/kyverno/pkg/engine/context"
)
@ -28,18 +29,26 @@ type NotEqualHandler struct {
}
//Evaluate evaluates expression with NotEqual Operator
func (neh NotEqualHandler) Evaluate(key, value interface{}) bool {
func (neh NotEqualHandler) Evaluate(key, value interface{}, isPreCondition bool) bool {
var err error
//TODO: decouple variables from evaluation
// substitute the variables
if key, err = neh.subHandler(neh.log, neh.ctx, key); err != nil {
// Failed to resolve the variable
neh.log.Error(err, "Failed to resolve variable", "variable", key)
if isPreCondition {
neh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", key)
} else {
neh.log.Error(err, "Failed to resolve variable", "variable", key)
}
return false
}
if value, err = neh.subHandler(neh.log, neh.ctx, value); err != nil {
// Failed to resolve the variable
neh.log.Error(err, "Failed to resolve variable", "variable", value)
if isPreCondition {
neh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", value)
} else {
neh.log.Error(err, "Failed to resolve variable", "variable", value)
}
return false
}
// key and value need to be of same type

14
pkg/engine/variables/operator/notin.go
View file

@ -24,17 +24,25 @@ type NotInHandler struct {
}
//Evaluate evaluates expression with NotIn Operator
func (nin NotInHandler) Evaluate(key, value interface{}) bool {
func (nin NotInHandler) Evaluate(key, value interface{}, isPreCondition bool) bool {
var err error
// substitute the variables
if key, err = nin.subHandler(nin.log, nin.ctx, key); err != nil {
nin.log.Error(err, "Failed to resolve variable", "variable", key)
if isPreCondition {
nin.log.Info("Failed to resolve variable", "info", err.Error(), "variable", key)
} else {
nin.log.Error(err, "Failed to resolve variable", "variable", key)
}
return false
}
if value, err = nin.subHandler(nin.log, nin.ctx, value); err != nil {
nin.log.Error(err, "Failed to resolve variable", "variable", value)
if isPreCondition {
nin.log.Info("Failed to resolve variable", "info", err.Error(), "variable", value)
} else {
nin.log.Error(err, "Failed to resolve variable", "variable", value)
}
return false
}

14
pkg/engine/variables/operator/numeric.go
View file

@ -44,16 +44,24 @@ func compareByCondition(key float64, value float64, op kyverno.ConditionOperator
}
}
func (noh NumericOperatorHandler) Evaluate(key, value interface{}) bool {
func (noh NumericOperatorHandler) Evaluate(key, value interface{}, isPreCondition bool) bool {
var err error
if key, err = noh.subHandler(noh.log, noh.ctx, key); err != nil {
// Failed to resolve the variable
noh.log.Error(err, "Failed to resolve variable", "variable", key)
if isPreCondition {
noh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", key)
} else {
noh.log.Error(err, "Failed to resolve variable", "variable", key)
}
return false
}
if value, err = noh.subHandler(noh.log, noh.ctx, value); err != nil {
// Failed to resolve the variable
noh.log.Error(err, "Failed to resolve variable", "variable", value)
if isPreCondition {
noh.log.Info("Failed to resolve variable", "info", err.Error(), "variable", value)
} else {
noh.log.Error(err, "Failed to resolve variable", "variable", value)
}
return false
}

2
pkg/engine/variables/operator/operator.go
View file

@ -10,7 +10,7 @@ import (
//OperatorHandler provides interface to manage types
type OperatorHandler interface {
Evaluate(key, value interface{}) bool
Evaluate(key, value interface{}, isPreCondition bool) bool
validateValueWithStringPattern(key string, value interface{}) bool
validateValueWithBoolPattern(key bool, value interface{}) bool
validateValueWithIntPattern(key int64, value interface{}) bool