diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
index 73d727b4c407..710f1303d917 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker.go
@@ -104,6 +104,12 @@ func checkResources(resource kyvernov1.ResourceDescription) (bool, string) {
 return false, msg
 }
 }
+ for _, ns := range resource.Namespaces {
+ if wildcard.ContainsWildcard(ns) {
+ msg = "skip generating ValidatingAdmissionPolicy: wildcards in namespace name is not applicable."
+ return false, msg
+ }
+ }
 return true, msg
 }
diff --git a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
index 2f8cfa8d288c..957994639f87 100644
--- a/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
+++ b/pkg/validatingadmissionpolicy/kyvernopolicy_checker_test.go
@@ -32,6 +32,40 @@ func Test_Check_Resources(t *testing.T) {
 `),
 expected: true,
 },
+ {
+ name: "namespaces-with-wildcards",
+ resource: []byte(`
+{
+ "kinds": [
+ "Service"
+ ],
+ "namespaces": [
+ "prod-*"
+ ],
+ "operations": [
+ "CREATE"
+ ]
+}
+`),
+ expected: false,
+ },
+ {
+ name: "resource-names-with-wildcards",
+ resource: []byte(`
+{
+ "kinds": [
+ "Service"
+ ],
+ "names": [
+ "svc-*"
+ ],
+ "operations": [
+ "CREATE"
+ ]
+}
+`),
+ expected: false,
+ },
 {
 name: "resource-with-annotations",
 resource: []byte(`
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/chainsaw-test.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/chainsaw-test.yaml
new file mode 100755
index 000000000000..28276afd492f
--- /dev/null
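Review bot: The new loop over `resource.Namespaces` rejects glob entries without recording why, and the reason is the security-relevant part: a ValidatingAdmissionPolicyBinding has no glob namespace matching, so a literal `prod-*` carried into the generated policy would, as far as I can tell, match no namespace and the VAP would enforce nothing while the ClusterPolicy appeared translated. A why-comment above the loop would stop the guard from being "simplified" away later: `// VAP bindings match namespaces by exact name; a glob here would yield a policy that matches nothing, so leave enforcement to Kyverno.` The message `wildcards in namespace name is not applicable.` reads awkwardly; `wildcards in namespace names are not supported.` (or the wording used by the preceding loop, if it rejects wildcard names) would be consistent. The two `return false, msg` / `}` context lines above the insertion suggest an earlier loop of the same shape; if it covers `Names`, the two could share a small helper, but that loop starts outside the hunk so I could not confirm. checkResources begins before this hunk.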
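Review bot: Both new table cases pin only the boolean, so a regression that rejected the namespaces case through a different branch, or rejected every resource unconditionally, would still pass; the table has no message field, so at minimum add a case whose `namespaces` list mixes a literal entry such as `"staging"` with `"prod-*"` and expects `false` (mirroring the chainsaw fixture), and, if not already present above, a case with only literal namespaces expecting `true` so the guard is shown to fire on the wildcard alone. The `resource-names-with-wildcards` case appears to cover behaviour that predates this commit; if so, a brief comment noting it guards the earlier names check would help readers. Test_Check_Resources starts before this hunk.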
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/chainsaw-test.yaml
@@ -0,0 +1,19 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: cpol-any-match-resources-in-namespaces-with-wildcard
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-assert.yaml
+ - name: step-02
+ try:
+ - error:
+ file: validatingadmissionpolicy.yaml
+ - error:
+ file: validatingadmissionpolicybinding.yaml
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy-assert.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy-assert.yaml
new file mode 100644
index 000000000000..3835a186ef6d
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy-assert.yaml
@@ -0,0 +1,12 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-label-app-5
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
+ validatingadmissionpolicy:
+ generated: false
+
\ No newline at end of file
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml
new file mode 100644
index 000000000000..a7f82795eff0
--- /dev/null
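Review bot: chainsaw-test.yaml is added with mode `100755` while every other fixture in this commit is `100644`; an executable bit on a YAML manifest is almost certainly accidental and worth clearing for consistency (`git update-index --chmod=-x` on the file).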
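Review bot: policy-assert.yaml ends with a whitespace-only twelfth line followed by `\ No newline at end of file`, whereas the sibling fixtures end cleanly; dropping the trailing blank line and terminating the file with a newline avoids lint noise and keeps the fixtures uniform. The assert pins only `validatingadmissionpolicy.generated: false`; if the status also surfaces the skip reason, asserting it here would tie the fixture to the namespace-wildcard rule specifically rather than to any skip, though I cannot confirm from this diff whether such a field exists.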
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-label-app-5
+spec:
+ validationFailureAction: Audit
+ rules:
+ - name: check-label-app
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ namespaces:
+ - "prod-*"
+ - "staging"
+ validate:
+ cel:
+ expressions:
+ - expression: "'app' in object.metadata.labels"
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml
new file mode 100644
index 000000000000..1b40655b15aa
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicy.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: check-label-app-5
+spec: {}
diff --git a/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml
new file mode 100644
index 000000000000..7ad04f9c8e2e
--- /dev/null
+++ b/test/conformance/chainsaw/generate-validating-admission-policy/clusterpolicy/standard/skip-generate/cpol-any-match-resources-in-namespaces-with-wildcard/validatingadmissionpolicybinding.yaml
@@ -0,0 +1,7 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ name: check-label-app-5-binding
+spec: {}