
fix: skip generating VAPs in case namespace's name contains wildcards (
…kyverno#10205)

Signed-off-by: Mariam Fahmy <[email protected]>
MariamFahmy98 authored May 10, 2024
1 parent 6fec524 commit 900bf48
Showing 7 changed files with 105 additions and 0 deletions.
6 changes: 6 additions & 0 deletions pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
Expand Up @@ -104,6 +104,12 @@ func checkResources(resource kyvernov1.ResourceDescription) (bool, string) {
return false, msg
}
}
for _, ns := range resource.Namespaces {
if wildcard.ContainsWildcard(ns) {
msg = "skip generating ValidatingAdmissionPolicy: wildcards in namespace name is not applicable."
return false, msg
}
}
return true, msg
}

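Review bot: The new loop at the end of the hunk is a line-for-line twin of the check that already runs earlier in checkResources for other fields (the sibling unit test `resource-names-with-wildcards` suggests resource.Names gets the same scan), so the two skip conditions can drift apart; a small helper such as `func hasWildcard(values []string) bool` called from both sites would keep the rule in one place. The message text also reads awkwardly: `msg = "skip generating ValidatingAdmissionPolicy: wildcards in namespace names are not supported."` would be clearer. Skipping is the safe choice here: a ValidatingAdmissionPolicyBinding selects namespaces by label selector rather than by name pattern, so an entry like "prod-*" has no faithful translation and admission for those namespaces stays with Kyverno's own webhook. checkResources begins outside the hunk.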
34 changes: 34 additions & 0 deletions pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
Expand Up @@ -32,6 +32,40 @@ func Test_Check_Resources(t *testing.T) {
`),
expected: true,
},
{
name: "namespaces-with-wildcards",
resource: []byte(`
{
"kinds": [
"Service"
],
"namespaces": [
"prod-*"
],
"operations": [
"CREATE"
]
}
`),
expected: false,
},
{
name: "resource-names-with-wildcards",
resource: []byte(`
{
"kinds": [
"Service"
],
"names": [
"svc-*"
],
"operations": [
"CREATE"
]
}
`),
expected: false,
},
{
name: "resource-with-annotations",
resource: []byte(`
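Review bot: The new `namespaces-with-wildcards` case only exercises a list whose single entry is the wildcard, while the e2e policy added in the same commit mixes `"prod-*"` with a literal `"staging"`; the unit table should cover that shape too, so a future early exit on the first literal entry cannot slip through. Consider a third case, e.g. `"namespaces": ["staging", "prod-*"]` with `expected: false`, and, if ContainsWildcard also treats `?` as a wildcard, one with `"prod-?"`. Test_Check_Resources begins and ends outside the hunk.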
@@ -0,0 +1,19 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: cpol-any-match-resources-in-namespaces-with-wildcard
spec:
steps:
- name: step-01
try:
- apply:
file: policy.yaml
- assert:
file: policy-assert.yaml
- name: step-02
try:
- error:
file: validatingadmissionpolicy.yaml
- error:
file: validatingadmissionpolicybinding.yaml
@@ -0,0 +1,12 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app-5
status:
conditions:
- reason: Succeeded
status: "True"
type: Ready
validatingadmissionpolicy:
generated: false
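Review bot: The assertion on the last two lines pins only `generated: false`, which would also hold if generation were skipped for some unrelated reason, so the test does not yet prove the wildcard path was taken. If the policy status exposes the skip reason next to `generated` (the checker returns one as its second value), asserting it as well — e.g. a constructed line like `message: "skip generating ValidatingAdmissionPolicy: wildcards in namespace name is not applicable."` — would make the test specific to this fix; confirm the exact status field name before adding it.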

@@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-label-app-5
spec:
validationFailureAction: Audit
rules:
- name: check-label-app
match:
any:
- resources:
kinds:
- Pod
namespaces:
- "prod-*"
- "staging"
validate:
cel:
expressions:
- expression: "'app' in object.metadata.labels"
@@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app-5
spec: {}
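Review bot: Both step-02 negative checks (this file and validatingadmissionpolicybinding.yaml) are written against `admissionregistration.k8s.io/v1alpha1`; on a cluster that no longer serves that version (VAP moved to v1beta1 in Kubernetes 1.28 and v1 in 1.30) an `error` assertion on a resource the API server cannot list may pass for the wrong reason, depending on how chainsaw reports a missing group version, and the test would stop proving that generation was skipped. Pin the apiVersion Kyverno actually emits (or the one the neighbouring chainsaw tests use) so the absence check stays meaningful. A positive control — a sibling test with a literal namespace list asserting the VAP does appear at the same apiVersion — would guard this further.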
@@ -0,0 +1,7 @@
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicyBinding
metadata:
labels:
app.kubernetes.io/managed-by: kyverno
name: check-label-app-5-binding
spec: {}
