
fix: remove the check of exclude in VAPs (#9331)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Mariam Fahmy 2024-01-03 19:37:30 +02:00 committed by GitHub
parent 25a6cd97e0
commit f8c5571ddc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 67 additions and 40 deletions


@ -104,45 +104,5 @@ func canGenerateVAP(spec *kyvernov1.Spec) (bool, string) {
}
}
// since 'any' specify resources which will be ORed, it can be converted into multiple NamedRuleWithOperations in ValidatingAdmissionPolicy
for _, value := range exclude.Any {
if ok, msg := checkUserInfo(value.UserInfo); !ok {
return false, msg
}
if ok, msg := checkResources(value.ResourceDescription); !ok {
return false, msg
}
// since namespace/object selectors are applied to all NamedRuleWithOperations in ValidatingAdmissionPolicy, then
// multiple namespace/object selectors aren't applicable across the `any` clause.
if value.NamespaceSelector != nil {
if containsNamespaceSelector {
msg = "skip generating ValidatingAdmissionPolicy: multiple NamespaceSelector across 'any' aren't applicable."
return false, msg
}
containsNamespaceSelector = true
}
if value.Selector != nil {
if containsObjectSelector {
msg = "skip generating ValidatingAdmissionPolicy: multiple ObjectSelector across 'any' aren't applicable."
return false, msg
}
containsObjectSelector = true
}
}
// since 'all' specify resources which will be ANDed, we can't have more than one resource.
if exclude.All != nil {
if len(exclude.All) > 1 {
msg = "skip generating ValidatingAdmissionPolicy: multiple 'all' isn't applicable."
return false, msg
} else {
if ok, msg := checkUserInfo(exclude.All[0].UserInfo); !ok {
return false, msg
}
if ok, msg := checkResources(exclude.All[0].ResourceDescription); !ok {
return false, msg
}
}
}
return true, msg
}
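Review bot: With the `exclude` traversal removed, the tail of canGenerateVAP left in this hunk (`return true, msg`) no longer records how a rule that carries an `exclude` block is decided, while the new chainsaw fixture (a ClusterPolicy with `exclude.any[].resources.namespaces`) asserts `validatingadmissionpolicy.generated: false`, so that rejection presumably happens in a caller or in the part of the function above this hunk that is not visible here. A why-comment at the return, e.g. `// 'exclude' is not inspected here; rules carrying an exclude block are rejected before this point (see <LOCATION-OF-EXCLUDE-CHECK placeholder>)`, would stop the next reader from re-adding the loop or assuming exclude is silently dropped during VAP generation. The distinction matters because a generated ValidatingAdmissionPolicy that ignored `exclude` would enforce on resources the Kyverno policy meant to skip, which is exactly what the new test guards against. canGenerateVAP begins outside the hunk, so its doc comment is not visible; it should state the same thing in one sentence.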


@ -0,0 +1,19 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: cpol-exclude-namespace
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- error:
file: validatingadmissionpolicy.yaml
- error:
file: validatingadmissionpolicybinding.yaml
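Review bot: The two `error:` steps in step-02 prove that no ValidatingAdmissionPolicy and no binding were generated only on a cluster that serves `admissionregistration.k8s.io/v1alpha1`, the apiVersion hard-coded in validatingadmissionpolicy.yaml and validatingadmissionpolicybinding.yaml. On a cluster that does not serve that alpha version, how chainsaw reports the lookup of an unserved kind is not something I can confirm from here, so the step might pass or fail independently of Kyverno's behavior. The version-independent check is the `status.validatingadmissionpolicy.generated: false` assertion already made in step-01 via policy-assert.yaml; a short comment on step-02 saying it is a secondary check that depends on the VAP API version being served, or pinning the fixtures to the version the test cluster runs, would make that dependency explicit.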


@ -0,0 +1,12 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app2
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
validatingadmissionpolicy:
generated: false


@ -0,0 +1,22 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app2
spec:
validationFailureAction: Audit
rules:
- name: check-label-app
match:
any:
- resources:
kinds:
- Pod
exclude:
any:
- resources:
namespaces:
- default
validate:
cel:
expressions:
- expression: "'app' in object.metadata.labels"


@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app2
spec: {}


@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app2-binding
spec: {}