fix: skip generating VAPs for policies that match multiple resources with a namespace/object selector (#10181)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2024-12-14 11:57:48 +00:00 · 2024-05-06 21:52:22 +08:00 · 2024-05-06 21:52:22 +08:00 · f291407ca9
commit f291407ca9
parent 21602a1e1f
11 changed files with 160 additions and 10 deletions
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
@ -55,23 +55,20 @@ func CanGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
 			return false, msg
 		}

-		// since namespace/object selectors are applied to all NamedRuleWithOperations in ValidatingAdmissionPolicy, then
-		// multiple namespace/object selectors aren't applicable across the `any` clause.
 		if value.NamespaceSelector != nil {
-			if containsNamespaceSelector {
-				msg = "skip generating ValidatingAdmissionPolicy: multiple NamespaceSelector across 'any' aren't applicable."
-				return false, msg
-			}
 			containsNamespaceSelector = true
 		}
 		if value.Selector != nil {
-			if containsObjectSelector {
-				msg = "skip generating ValidatingAdmissionPolicy: multiple ObjectSelector across 'any' aren't applicable."
-				return false, msg
-			}
 			containsObjectSelector = true
 		}
 	}
+	// since namespace/object selectors are applied to all NamedRuleWithOperations in ValidatingAdmissionPolicy, then
+	// we can't have more than one resource with namespace/object selectors.
+	if len(match.Any) > 1 && (containsNamespaceSelector || containsObjectSelector) {
+		msg = "skip generating ValidatingAdmissionPolicy: NamespaceSelector / ObjectSelector across multiple resources aren't applicable."
+		return false, msg
+	}
+
 	// since 'all' specify resources which will be ANDed, we can't have more than one resource.
 	if match.All != nil {
 		if len(match.All) > 1 {
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/chainsaw-test.yaml
@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-any-match-multiple-resources-with-namespace-selector
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - error:
+        file: validatingadmissionpolicy.yaml
+    - error:
+        file: validatingadmissionpolicybinding.yaml
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy-assert.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy-assert.yaml
@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path-t12
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  validatingadmissionpolicy:
+    generated: false
+  
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/policy.yaml
@ -0,0 +1,33 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path-t12
+spec:
+  validationFailureAction: Audit
+  rules:
+    - name: host-path
+      match:
+        any:
+        - resources:
+            kinds:
+              - Deployment
+            operations:
+            - CREATE
+            - UPDATE
+            namespaceSelector:
+              matchExpressions:
+                - key: type 
+                  operator: In
+                  values: 
+                  - connector
+        - resources:
+            kinds:
+              - StatefulSet
+            operations:
+            - CREATE
+            - UPDATE
+      validate:
+        cel:
+          expressions:
+            - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+              message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicy.yaml
@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-t12
+spec: {}
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-namespace-selector/validatingadmissionpolicybinding.yaml
@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-t12-binding
+spec: {}
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/chainsaw-test.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/chainsaw-test.yaml
@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: cpol-any-match-multiple-resources-with-object-selector
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: policy.yaml
+    - assert:
+        file: policy-assert.yaml
+  - name: step-02
+    try:
+    - error:
+        file: validatingadmissionpolicy.yaml
+    - error:
+        file: validatingadmissionpolicybinding.yaml
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy-assert.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy-assert.yaml
@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path-t13
+status:
+  conditions:
+  - reason: Succeeded
+    status: "True"
+    type: Ready
+  validatingadmissionpolicy:
+    generated: false
+  
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/policy.yaml
@ -0,0 +1,30 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path-t13
+spec:
+  validationFailureAction: Audit
+  rules:
+    - name: host-path
+      match:
+        any:
+        - resources:
+            kinds:
+              - Deployment
+            operations:
+            - CREATE
+            - UPDATE
+            selector:
+              matchLabels:
+                app: critical
+        - resources:
+            kinds:
+              - StatefulSet
+            operations:
+            - CREATE
+            - UPDATE
+      validate:
+        cel:
+          expressions:
+            - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+              message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicy.yaml
@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-t13
+spec: {}
--- a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-multiple-resources-with-object-selector/validatingadmissionpolicybinding.yaml
@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-t13-binding
+spec: {}