package policy import ( "encoding/json" "testing" kyverno "github.com/kyverno/kyverno/api/kyverno/v1" "gotest.tools/assert" ) func Test_valid_onUpdatePolicyPolicy(t *testing.T) { rawPolicy := []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "test-gen", "annotations": { "policies.kyverno.io/category": "Best Practices" } }, "spec": { "rules": [ { "match": { "resources": { "kinds": [ "Namespace" ] } }, "name": "test-gen", "preconditions": { "all": [ { "key": "{{request.object.metadata.name}}", "operator": "NotEquals", "value": "" } ] }, "validate": { "message": "The only label that may be removed or changed is breakglass.", "deny": { "conditions": { "any": [ { "key": "{{ request.object.metadata.labels | merge(@, {breakglass:null}) }}", "operator": "NotEquals", "value": "{{ request.oldObject.metadata.labels | merge(@, {breakglass:null}) }}" } ] } } } } ] } }`) var policy kyverno.ClusterPolicy err := json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) err = ValidateOnPolicyUpdate(&policy, true) assert.NilError(t, err) } func Test_invalid_onUpdatePolicyPolicy(t *testing.T) { rawPolicy := []byte(`{ "apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "who-created-this" }, "spec": { "rules": [ { "name": "who-created-this", "match": { "any": [ { "resources": { "kinds": [ "Pod" ] } } ] }, "mutate": { "patchStrategicMerge": { "metadata": { "labels": { "created-by": "{{request.userInfo.username}}" } } } } } ] } }`) var policy kyverno.ClusterPolicy err := json.Unmarshal(rawPolicy, &policy) assert.NilError(t, err) err = ValidateOnPolicyUpdate(&policy, true) assert.ErrorContains(t, err, "only select variables are allowed in on policy update. Set spec.mutateExistingOnPolicyUpdate=false to disable update policy mode for this policy rule: variable {{request.userInfo.username}} is not allowed ") }