validate polex activation and namespace (#6046) (#6080)

* validate polex activation and namespace Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push updates Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options to handler Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * replace pointer Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove exceptionoption argument Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove nested if Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * revert change Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix line Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * pass polex options differently Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * push update Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * move struct Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * Update pkg/validation/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * Update pkg/webhooks/exception/validate.go Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> * fix Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * add unit test Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * remove lines Signed-off-by: damilola olayinka <holayinkajr@gmail.com> * fix error Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Signed-off-by: damilola olayinka <holayinkajr@gmail.com> Signed-off-by: yinka <damilola.olayinka@nirmata.com> Co-authored-by: yinka <holayinkajr@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2024-12-14 11:57:48 +00:00 · 2023-01-23 10:32:47 +00:00 · 2023-01-23 10:32:47 +00:00 · f7a4fafc3d
commit f7a4fafc3d
parent 85eeb40f03
4 changed files with 111 additions and 11 deletions
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -48,6 +48,7 @@ import (
 	"github.com/kyverno/kyverno/pkg/toggle"
 	kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
 	runtimeutils "github.com/kyverno/kyverno/pkg/utils/runtime"
+	"github.com/kyverno/kyverno/pkg/validation/exception"
 	"github.com/kyverno/kyverno/pkg/webhooks"
 	webhooksexception "github.com/kyverno/kyverno/pkg/webhooks/exception"
 	webhookspolicy "github.com/kyverno/kyverno/pkg/webhooks/policy"
@ -691,7 +692,10 @@ func main() {
 		openApiManager,
 		admissionReports,
 	)
-	exceptionHandlers := webhooksexception.NewHandlers()
+	exceptionHandlers := webhooksexception.NewHandlers(exception.ValidationOptions{
+		Enabled:   enablePolicyException,
+		Namespace: exceptionNamespace,
+	})
 	server := webhooks.NewServer(
 		policyHandlers,
 		resourceHandlers,
--- a/pkg/validation/exception/validate.go
+++ b/pkg/validation/exception/validate.go
@ -7,8 +7,24 @@ import (
 	kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
 )

-// Validate checks policy exception is valid
-func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2alpha1.PolicyException) error {
-	errs := polex.Validate()
-	return errs.ToAggregate()
+const (
+	namespacesDontMatch = "PolicyException resource namespace must match the defined namespace."
+	disabledPolex       = "PolicyException resources would not be processed until it is enabled."
+)
+
+type ValidationOptions struct {
+	Enabled   bool
+	Namespace string
+}
+
+// Validate checks policy exception is valid
+func Validate(ctx context.Context, logger logr.Logger, polex *kyvernov2alpha1.PolicyException, opts ValidationOptions) ([]string, error) {
+	var warnings []string
+	if !opts.Enabled {
+		warnings = append(warnings, disabledPolex)
+	} else if opts.Namespace != "" && opts.Namespace != polex.Namespace {
+		warnings = append(warnings, namespacesDontMatch)
+	}
+	errs := polex.Validate()
+	return warnings, errs.ToAggregate()
 }
--- a/pkg/validation/exception/validate_test.go
+++ b/pkg/validation/exception/validate_test.go
@ -0,0 +1,76 @@
+package exception
+
+import (
+	"context"
+	"testing"
+
+	"github.com/kyverno/kyverno/pkg/logging"
+	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+	"gotest.tools/assert"
+)
+
+func Test_Validate(t *testing.T) {
+	type args struct {
+		opts     ValidationOptions
+		resource []byte
+	}
+	tc := []struct {
+		name string
+		args args
+		want int
+	}{
+		{
+			name: "PolicyExceptions disabled.",
+			args: args{
+				opts: ValidationOptions{
+					Enabled:   false,
+					Namespace: "kyverno",
+				},
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
+			},
+			want: 1,
+		},
+		{
+			name: "PolicyExceptions enabled. Defined namespace doesn't match namespace passed.",
+			args: args{
+				opts: ValidationOptions{
+					Enabled:   true,
+					Namespace: "kyverno",
+				},
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"delta"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
+			},
+			want: 1,
+		},
+		{
+			name: "PolicyExceptions enabled. Defined namespace matches namespace passed",
+			args: args{
+				opts: ValidationOptions{
+					Enabled:   true,
+					Namespace: "kyverno",
+				},
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
+			},
+			want: 0,
+		},
+		{
+			name: "PolicyExceptions enabled. No namespace defined",
+			args: args{
+				opts: ValidationOptions{
+					Enabled:   true,
+					Namespace: "",
+				},
+				resource: []byte(`{"apiVersion":"kyverno.io/v2alpha1","kind":"PolicyException","metadata":{"name":"enforce-label-exception","namespace":"kyverno"},"spec":{"exceptions":[{"policyName":"enforce-label","ruleNames":["enforce-label"]}],"match":{"any":[{"resources":{"kinds":["Pod"]}}]}}}`),
+			},
+			want: 0,
+		},
+	}
+	for _, c := range tc {
+		t.Run(c.name, func(t *testing.T) {
+			polex, err := admissionutils.UnmarshalPolicyException(c.args.resource)
+			assert.NilError(t, err)
+			warnings, err := Validate(context.Background(), logging.GlobalLogger(), polex, c.args.opts)
+			assert.NilError(t, err)
+			assert.Assert(t, len(warnings) == c.want)
+		})
+	}
+}
--- a/pkg/webhooks/exception/validate.go
+++ b/pkg/webhooks/exception/validate.go
@ -11,10 +11,14 @@ import (
 	admissionv1 "k8s.io/api/admission/v1"
 )

-type handlers struct{}
+type handlers struct {
+	validationOptions validation.ValidationOptions
+}

-func NewHandlers() webhooks.ExceptionHandlers {
-	return &handlers{}
+func NewHandlers(validationOptions validation.ValidationOptions) webhooks.ExceptionHandlers {
+	return &handlers{
+		validationOptions: validationOptions,
+	}
 }

 // Validate performs the validation check on policy exception resources
@ -24,9 +28,9 @@ func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *ad
 		logger.Error(err, "failed to unmarshal policy exceptions from admission request")
 		return admissionutils.Response(request.UID, err)
 	}
-	if err := validation.Validate(ctx, logger, polex); err != nil {
+	warnings, err := validation.Validate(ctx, logger, polex, h.validationOptions)
+	if err != nil {
 		logger.Error(err, "policy exception validation errors")
-		return admissionutils.Response(request.UID, err)
 	}
-	return nil
+	return admissionutils.Response(request.UID, err, warnings...)
 }