feat: support vap variables in the CLI (#8182)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-08-30 21:03:00 +03:00 · 2023-08-30 21:03:00 +03:00 · fb166d4f0e
commit fb166d4f0e
parent a6bc35b740
5 changed files with 96 additions and 1 deletions
--- a/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
+++ b/cmd/cli/kubectl-kyverno/apply/apply_command_test.go
@ -265,6 +265,42 @@ func Test_Apply(t *testing.T) {
 				},
 			},
 		},
+		{
+			config: ApplyCommandConfig{
+				PolicyPaths:   []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml"},
+				ResourcePaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/deployment1.yaml"},
+				PolicyReport:  true,
+			},
+			expectedPolicyReports: []preport.PolicyReport{
+				{
+					Summary: preport.PolicyReportSummary{
+						Pass:  1,
+						Fail:  0,
+						Skip:  0,
+						Error: 0,
+						Warn:  0,
+					},
+				},
+			},
+		},
+		{
+			config: ApplyCommandConfig{
+				PolicyPaths:   []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml"},
+				ResourcePaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/deployment2.yaml"},
+				PolicyReport:  true,
+			},
+			expectedPolicyReports: []preport.PolicyReport{
+				{
+					Summary: preport.PolicyReportSummary{
+						Pass:  0,
+						Fail:  1,
+						Skip:  0,
+						Error: 0,
+						Warn:  0,
+					},
+				},
+			},
+		},
 		{
 			config: ApplyCommandConfig{
 				PolicyPaths:   []string{"https://github.com/kyverno/policies/best-practices/require-labels/", "../../../../test/best_practices/disallow_latest_tag.yaml"},
--- a/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go
+++ b/pkg/validatingadmissionpolicy/validatingadmissionpolicy.go
@ -69,6 +69,7 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
 	validations := policy.Spec.Validations
 	auditAnnotations := policy.Spec.AuditAnnotations
 	matchConditions := policy.Spec.MatchConditions
+	variables := policy.Spec.Variables

 	hasParam := policy.Spec.ParamKind != nil

@ -93,13 +94,14 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
 	optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}

 	// compile CEL expressions
-	compiler, err := celutils.NewCompiler(validations, auditAnnotations, matchConditions, nil)
+	compiler, err := celutils.NewCompiler(validations, auditAnnotations, matchConditions, variables)
 	if err != nil {
 		ruleResp = engineapi.RuleError(policy.GetName(), engineapi.Validation, "Error creating composited compiler", err)
 		policyResp.Add(engineapi.NewExecutionStats(startTime, time.Now()), *ruleResp)
 		engineResponse = engineResponse.WithPolicyResponse(policyResp)
 		return engineResponse
 	}
+	compiler.CompileVariables(optionalVars)
 	filter := compiler.CompileValidateExpressions(optionalVars)
 	messageExpressionfilter := compiler.CompileMessageExpressions(optionalVars)
 	auditAnnotationFilter := compiler.CompileAuditAnnotationsExpressions(optionalVars)
--- a/test/cli/test-validating-admission-policy/check-deployment-labels/deployment1.yaml
+++ b/test/cli/test-validating-admission-policy/check-deployment-labels/deployment1.yaml
@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    env: prod
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
--- a/test/cli/test-validating-admission-policy/check-deployment-labels/deployment2.yaml
+++ b/test/cli/test-validating-admission-policy/check-deployment-labels/deployment2.yaml
@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+    env: testing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:latest
--- a/test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml
+++ b/test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml
@ -0,0 +1,17 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "chech-deployment-labels"
+spec:
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments"]
+  variables:
+    - name: environment
+      expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
+  validations:
+    - expression: "variables.environment == true"
+      message: "Deployment labels must be env=prod"