feat: support vap variables in the CLI (#8182)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
a6bc35b740
commit
fb166d4f0e
5 changed files with 96 additions and 1 deletions
@ -265,6 +265,42 @@ func Test_Apply(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
config: ApplyCommandConfig{
|
||||
PolicyPaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml"},
|
||||
ResourcePaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/deployment1.yaml"},
|
||||
PolicyReport: true,
|
||||
},
|
||||
expectedPolicyReports: []preport.PolicyReport{
|
||||
{
|
||||
Summary: preport.PolicyReportSummary{
|
||||
Pass: 1,
|
||||
Fail: 0,
|
||||
Skip: 0,
|
||||
Error: 0,
|
||||
Warn: 0,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
config: ApplyCommandConfig{
|
||||
PolicyPaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/policy.yaml"},
|
||||
ResourcePaths: []string{"../../../../test/cli/test-validating-admission-policy/check-deployment-labels/deployment2.yaml"},
|
||||
PolicyReport: true,
|
||||
},
|
||||
expectedPolicyReports: []preport.PolicyReport{
|
||||
{
|
||||
Summary: preport.PolicyReportSummary{
|
||||
Pass: 0,
|
||||
Fail: 1,
|
||||
Skip: 0,
|
||||
Error: 0,
|
||||
Warn: 0,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
config: ApplyCommandConfig{
|
||||
PolicyPaths: []string{"https://github.com/kyverno/policies/best-practices/require-labels/", "../../../../test/best_practices/disallow_latest_tag.yaml"},
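Review bot: The two new cases only exercise a Deployment that carries an `env` label (`deployment1.yaml` → `Pass: 1`, `deployment2.yaml` → `Fail: 1`); nothing exercises the `has(object.metadata.labels)` / `'env' in …` guards the policy's variable expression depends on, so a Deployment with no labels at all — the input most likely to turn a variable evaluation into an engine error instead of a clean fail — is untested. I would add a third case with a labels-less fixture and pin its summary deliberately (presumably `Fail: 1, Error: 0`, but the expected value should come from running it, not from assumption). The rows also carry no name, so a failing summary is hard to attribute; if the table has no name field, a one-line comment above each case such as `// VAP variable referenced from a validation: env=prod passes` would do. `Test_Apply` begins and ends outside this hunk.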
|
||||
|
|
|
@ -69,6 +69,7 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
|
|||
validations := policy.Spec.Validations
|
||||
auditAnnotations := policy.Spec.AuditAnnotations
|
||||
matchConditions := policy.Spec.MatchConditions
|
||||
variables := policy.Spec.Variables
|
||||
|
||||
hasParam := policy.Spec.ParamKind != nil
|
||||
|
||||
|
@ -93,13 +94,14 @@ func Validate(policy v1alpha1.ValidatingAdmissionPolicy, resource unstructured.U
|
|||
optionalVars := cel.OptionalVariableDeclarations{HasParams: hasParam, HasAuthorizer: false}
|
||||
|
||||
// compile CEL expressions
|
||||
compiler, err := celutils.NewCompiler(validations, auditAnnotations, matchConditions, nil)
|
||||
compiler, err := celutils.NewCompiler(validations, auditAnnotations, matchConditions, variables)
|
||||
if err != nil {
|
||||
ruleResp = engineapi.RuleError(policy.GetName(), engineapi.Validation, "Error creating composited compiler", err)
|
||||
policyResp.Add(engineapi.NewExecutionStats(startTime, time.Now()), *ruleResp)
|
||||
engineResponse = engineResponse.WithPolicyResponse(policyResp)
|
||||
return engineResponse
|
||||
}
|
||||
compiler.CompileVariables(optionalVars)
|
||||
filter := compiler.CompileValidateExpressions(optionalVars)
|
||||
messageExpressionfilter := compiler.CompileMessageExpressions(optionalVars)
|
||||
auditAnnotationFilter := compiler.CompileAuditAnnotationsExpressions(optionalVars)
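Review bot: The result of `compiler.CompileVariables(optionalVars)` is dropped, unlike the `NewCompiler` error checked just above it and the filters kept from the three `Compile*Expressions` calls that follow. If that method reports compile failures — by return value or by storing them in the compiler; its signature is not visible here — a variable with a broken expression would surface only when a validation referencing `variables.<name>` is evaluated, which in this code path presumably lands as a per-rule error rather than a policy-load failure. Either handle a returned error the same way the `NewCompiler` failure is (`RuleError` + `policyResp.Add` + return), or add `// variable compile errors are reported lazily, when the referencing validation is evaluated` so the behaviour reads as deliberate; a second comment that variables must be compiled before `CompileValidateExpressions` because validations may reference `variables.*` would protect the ordering. Note too that `optionalVars` is built with `HasAuthorizer: false`, so a variable that references `authorizer` will not compile in the CLI even though it does in-cluster — worth stating in the CLI docs for VAP support. `Validate` begins and ends outside these hunks.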
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx-deployment
|
||||
labels:
|
||||
app: nginx
|
||||
env: prod
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
|
@ -0,0 +1,20 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: nginx-deployment
|
||||
labels:
|
||||
app: nginx
|
||||
env: testing
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: nginx
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: nginx
|
||||
spec:
|
||||
containers:
|
||||
- name: nginx
|
||||
image: nginx:latest
|
|
@ -0,0 +1,17 @@
|
|||
apiVersion: admissionregistration.k8s.io/v1alpha1
|
||||
kind: ValidatingAdmissionPolicy
|
||||
metadata:
|
||||
name: "chech-deployment-labels"
|
||||
spec:
|
||||
matchConstraints:
|
||||
resourceRules:
|
||||
- apiGroups: ["apps"]
|
||||
apiVersions: ["v1"]
|
||||
operations: ["CREATE", "UPDATE"]
|
||||
resources: ["deployments"]
|
||||
variables:
|
||||
- name: environment
|
||||
expression: "has(object.metadata.labels) && 'env' in object.metadata.labels && object.metadata.labels['env'] == 'prod'"
|
||||
validations:
|
||||
- expression: "variables.environment == true"
|
||||
message: "Deployment labels must be env=prod"
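Review bot: `metadata.name` is misspelled — `chech-deployment-labels` — while the fixture directory is `check-deployment-labels`; it should read `name: "check-deployment-labels"`. The validation `expression: "variables.environment == true"` compares a boolean to `true`; `expression: "variables.environment"` is equivalent and shorter. The variable expression's `has(object.metadata.labels) && 'env' in object.metadata.labels` prefix is what keeps a Deployment without labels from turning into an evaluation error rather than a plain fail, so a short comment above the variable (`# guards keep a label-less Deployment a clean fail, not a CEL error`) would stop someone simplifying it away later.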
|