From 752185c5af3c89ccff5c61c7aa13b1a9f7890914 Mon Sep 17 00:00:00 2001 From: treydock Date: Wed, 19 Jul 2023 09:40:31 -0400 Subject: [PATCH 1/9] Add nodeSelector for cleanupJob CronJob resources (#7851) Fixes #7826 Signed-off-by: Trey Dockendorf --- charts/kyverno/Chart.yaml | 2 ++ charts/kyverno/README.md | 2 ++ charts/kyverno/ci/cleanupJobs-values.yaml | 7 +++++++ .../templates/cleanup/cleanup-admission-reports.yaml | 4 ++++ .../cleanup/cleanup-cluster-admission-reports.yaml | 4 ++++ charts/kyverno/values.yaml | 6 ++++++ 6 files changed, 25 insertions(+) create mode 100644 charts/kyverno/ci/cleanupJobs-values.yaml diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index 144612d2a279..fd9271af76b7 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -50,3 +50,5 @@ annotations: description: change to enable webhook cleanup hook by default - kind: added description: allow pod labels for cleanup jobs + - kind: added + description: allow nodeSelector for cleanup jobs diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 2c41c5ca7f97..70ec046af049 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
@@ -650,6 +650,7 @@ The chart values are organised per component. | cleanupJobs.admissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | | cleanupJobs.admissionReports.resources | object | `{}` | Job resources | | cleanupJobs.admissionReports.tolerations | list | `[]` | List of node taints to tolerate | +| cleanupJobs.admissionReports.nodeSelector | object | `{}` | Node labels for pod assignment | | cleanupJobs.admissionReports.podAnnotations | object | `{}` | Pod Annotations | | cleanupJobs.admissionReports.podLabels | object | `{}` | Pod labels | | cleanupJobs.clusterAdmissionReports.enabled | bool | `true` | Enable cleanup cronjob | @@ -665,6 +666,7 @@ The chart values are organised per component. | cleanupJobs.clusterAdmissionReports.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | | cleanupJobs.clusterAdmissionReports.resources | object | `{}` | Job resources | | cleanupJobs.clusterAdmissionReports.tolerations | list | `[]` | List of node taints to tolerate | +| cleanupJobs.clusterAdmissionReports.nodeSelector | object | `{}` | Node labels for pod assignment | | cleanupJobs.clusterAdmissionReports.podAnnotations | object | `{}` | Pod Annotations | | cleanupJobs.clusterAdmissionReports.podLabels | object | `{}` | Pod Labels | diff --git a/charts/kyverno/ci/cleanupJobs-values.yaml b/charts/kyverno/ci/cleanupJobs-values.yaml new file mode 100644 index 000000000000..61e7e170250e --- /dev/null +++ b/charts/kyverno/ci/cleanupJobs-values.yaml 
@@ -0,0 +1,7 @@ +cleanupJobs: + admissionReports: + nodeSelector: + kubernetes.io/os: linux + clusterAdmissionReports: + nodeSelector: + kubernetes.io/os: linux diff --git a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml index 8092722e7bde..cbe4a56c7c78 100644 --- a/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml +++ b/charts/kyverno/templates/cleanup/cleanup-admission-reports.yaml @@ -61,4 +61,8 @@ spec: tolerations: {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} + {{- with .Values.cleanupJobs.admissionReports.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- end -}} diff --git a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml b/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml index dc507b57fe81..52c1ce7234c6 100644 --- a/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml +++ b/charts/kyverno/templates/cleanup/cleanup-cluster-admission-reports.yaml @@ -61,4 +61,8 @@ spec: tolerations: {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} + {{- with .Values.cleanupJobs.clusterAdmissionReports.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} {{- end -}} diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml index a01f0f405bfc..ea1909280429 100644 --- a/charts/kyverno/values.yaml +++ b/charts/kyverno/values.yaml @@ -448,6 +448,9 @@ cleanupJobs: # -- List of node taints to tolerate tolerations: [] + # -- Node labels for pod assignment + nodeSelector: {} + # -- Pod Annotations podAnnotations: {} @@ -507,6 +510,9 @@ cleanupJobs: # -- List of node taints to tolerate tolerations: [] + # -- Node labels for pod assignment + nodeSelector: {} + # -- Pod Annotations podAnnotations: {} From 7647a1632dd6af71ff35d001edaff88e874a0708 Mon Sep 17 00:00:00 2001 
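Review bot: The new `nodeSelector` block renders its value through `tpl`, exactly like the `tolerations` block directly above it, so template expressions inside the value are expanded at install time, but neither the values.yaml comment nor the README row says so. A one-line change to the values.yaml comment would close that gap, e.g. `# -- Node labels for pod assignment (rendered with tpl, so template expressions are expanded)`, for both `cleanupJobs.admissionReports` and `cleanupJobs.clusterAdmissionReports`. The same block is added identically in cleanup-cluster-admission-reports.yaml.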
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com>
Date: Wed, 19 Jul 2023 17:23:42 +0100
Subject: [PATCH 2/9] fix type confusion in policy validation (#7857)
Signed-off-by: AdamKorcz
---
 pkg/validation/policy/validate.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/pkg/validation/policy/validate.go b/pkg/validation/policy/validate.go
index 250ec452c322..d16a87785d6a 100644
--- a/pkg/validation/policy/validate.go
+++ b/pkg/validation/policy/validate.go
@@ -491,11 +491,19 @@ func cleanup(policy kyvernov1.PolicyInterface) kyvernov1.PolicyInterface {
 policy.SetAnnotations(ann)
 }
 if policy.GetNamespace() == "" {
- pol := policy.(*kyvernov1.ClusterPolicy)
+ var pol *kyvernov1.ClusterPolicy
+ var ok bool
+ if pol, ok = policy.(*kyvernov1.ClusterPolicy); !ok {
+ return policy
+ }
 pol.Status.Autogen.Rules = nil
 return pol
 } else {
- pol := policy.(*kyvernov1.Policy)
+ var pol *kyvernov1.Policy
+ var ok bool
+ if pol, ok = policy.(*kyvernov1.Policy); !ok {
+ return policy
+ }
 pol.Status.Autogen.Rules = nil
 return pol
 }
From acf3729354ccda9ed67b4758ce30d96a83bbb704 Mon Sep 17 00:00:00 2001
From: shuting
Date: Thu, 20 Jul 2023 00:54:33 +0800
Subject: [PATCH 3/9] feat: enable operator boolean comparison (#7847)
* feat: enable operator boolean comparison
Signed-off-by: ShutingZhao
* Test: add kuttl test
Signed-off-by: ShutingZhao
---------
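Review bot: The two `var pol` / `var ok` pairs followed by an assignment-form `if` are the long way to spell a checked type assertion; `pol, ok := policy.(*kyvernov1.ClusterPolicy)` followed by `if !ok { return policy }` is the idiomatic form and drops the separate declarations (same for the `*kyvernov1.Policy` branch). The `else` after a branch that always returns can go too, leaving the Policy case at the top level of the function. The `return policy` fallback deserves a why-comment, e.g. `// unexpected concrete type: return the policy unchanged rather than panic; autogen status is not cleared`, because a caller cannot otherwise tell that cleanup was skipped. cleanup's body starts before this hunk.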
Signed-off-by: ShutingZhao
---
 pkg/engine/variables/operator/allin.go | 2 +-
 pkg/engine/variables/operator/allnotin.go | 2 +-
 pkg/engine/variables/operator/anyin.go | 2 +-
 pkg/engine/variables/operator/anynotin.go | 2 +-
 pkg/engine/variables/operator/in.go | 2 +-
 pkg/engine/variables/operator/notin.go | 2 +-
 .../operator-anyin-boolean/01-policy.yaml | 32 +++++++++++++++++++
 .../operator-anyin-boolean/02-assert.yaml | 9 ++++++
 .../operator-anyin-boolean/03-pod-fail.yaml | 5 +++
 .../enforce/operator-anyin-boolean/README.md | 12 +++++++
 .../enforce/operator-anyin-boolean/pod.yaml | 29 +++++++++++++++++
 11 files changed, 93 insertions(+), 6 deletions(-)
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md
 create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml
diff --git a/pkg/engine/variables/operator/allin.go b/pkg/engine/variables/operator/allin.go
index b45f26b54b50..7ecb7c877bd0 100644
--- a/pkg/engine/variables/operator/allin.go
+++ b/pkg/engine/variables/operator/allin.go
@@ -29,7 +29,7 @@ func (allin AllInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return allin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return allin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
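Review bot: The `bool` added to the `case int, int32, int64, float32, float64, bool:` arm works because `fmt.Sprint` yields `true`/`false` and the string-pattern path then compares text, but nothing in the arm says so; a comment such as `// numbers and booleans are compared by their fmt.Sprint text, so a bool key matches "true"/"false"` would save the next reader a trip into the helper. Whether validateValueWithStringPattern also accepts a bool on the `value` side is not visible in this hunk, so a unit test with a non-string value alongside the kuttl case would pin that down. The same one-line change is made in allnotin.go, anyin.go, anynotin.go, in.go and notin.go; Evaluate continues past the hunk in each file.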
diff --git a/pkg/engine/variables/operator/allnotin.go b/pkg/engine/variables/operator/allnotin.go
index acbd971b438b..c149ac37914f 100644
--- a/pkg/engine/variables/operator/allnotin.go
+++ b/pkg/engine/variables/operator/allnotin.go
@@ -26,7 +26,7 @@ func (allnin AllNotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return allnin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return allnin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/anyin.go b/pkg/engine/variables/operator/anyin.go
index ba32794fbf20..87777b65f950 100644
--- a/pkg/engine/variables/operator/anyin.go
+++ b/pkg/engine/variables/operator/anyin.go
@@ -31,7 +31,7 @@ func (anyin AnyInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return anyin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return anyin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/anynotin.go b/pkg/engine/variables/operator/anynotin.go
index 56e9f0499414..7988c43dd519 100644
--- a/pkg/engine/variables/operator/anynotin.go
+++ b/pkg/engine/variables/operator/anynotin.go
@@ -26,7 +26,7 @@ func (anynin AnyNotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return anynin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return anynin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/in.go b/pkg/engine/variables/operator/in.go
index 12993c2011d4..087319384632 100644
--- a/pkg/engine/variables/operator/in.go
+++ b/pkg/engine/variables/operator/in.go
@@ -30,7 +30,7 @@ func (in InHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return in.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return in.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/pkg/engine/variables/operator/notin.go b/pkg/engine/variables/operator/notin.go
index 0549b9ae29b3..bf52ef45721b 100644
--- a/pkg/engine/variables/operator/notin.go
+++ b/pkg/engine/variables/operator/notin.go
@@ -28,7 +28,7 @@ func (nin NotInHandler) Evaluate(key, value interface{}) bool {
 switch typedKey := key.(type) {
 case string:
 return nin.validateValueWithStringPattern(typedKey, value)
- case int, int32, int64, float32, float64:
+ case int, int32, int64, float32, float64, bool:
 return nin.validateValueWithStringPattern(fmt.Sprint(typedKey), value)
 case []interface{}:
 var stringSlice []string
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
new file mode 100644
index 000000000000..6bf3852832a7
--- /dev/null
+++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/01-policy.yaml
@@ -0,0 +1,32 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: operator-anyin-boolean-cpol + # annotations: + # pod-policies.kyverno.io/autogen-controllers: none +spec: + validationFailureAction: Enforce + background: false + rules: + - name: check-commands + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ length(request.object.spec.containers[].livenessProbe.exec.command[] || `[]`) }}" + operator: GreaterThan + value: 0 + - key: "{{ request.operation }}" + operator: NotEquals + value: DELETE + validate: + message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. + deny: + conditions: + any: + - key: true + operator: AnyIn + value: "{{ request.object.spec.containers[].livenessProbe.exec.command[].regex_match('\\bjcmd\\b',@) }}" \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml new file mode 100644 index 000000000000..7e920d352757 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/02-assert.yaml @@ -0,0 +1,9 @@ +apiVersion: kyverno.io/v2beta1 +kind: ClusterPolicy +metadata: + name: operator-anyin-boolean-cpol +status: + conditions: + - reason: Succeeded + status: "True" + type: Ready diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml new file mode 100644 index 000000000000..e0222cdb8936 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/03-pod-fail.yaml @@ -0,0 +1,5 @@ +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +apply: + - file: pod.yaml + shouldFail: true \ No newline at end of file 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md new file mode 100644 index 000000000000..a18f638bb5b7 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/README.md @@ -0,0 +1,12 @@ +## Description + +This test mainly verifies that the operator AllIn work properly with the boolean comparison. + +## Expected Behavior + +1. The clusterpolicy is created correctly. +2. Failed to create resources in because the deny condition is true. + +## Reference Issue(s) + +https://github.com/kyverno/kyverno/issues/7045 diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml new file mode 100644 index 000000000000..ee459edcfd3e --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/operator-anyin-boolean/pod.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: operator-anyin-boolean-pod +spec: + containers: + - name: container01 + image: czjunkfoo + livenessProbe: + exec: + command: + - /bin/sh + - -c + - jcmd | grep Main + - name: container02 + image: czjunkfoo + - name: container03 + image: czjunkfoo + livenessProbe: + httpGet: + port: 8080 + - name: container04 + image: czjunkfoo + livenessProbe: + exec: + command: + - /bin/sh + - -c + - cat | ls -l \ No newline at end of file From c2a9993d8c5534c9878e56524758929569da23cd Mon Sep 17 00:00:00 2001 From: shuting Date: Thu, 20 Jul 2023 11:48:29 +0800 Subject: [PATCH 4/9] fix: ignore tekton/pipeline (#7858) Signed-off-by: ShutingZhao --- .nancy-ignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.nancy-ignore b/.nancy-ignore index 9dbef633ad43..82ba1f458574 100644 --- a/.nancy-ignore +++ b/.nancy-ignore 
@@ -22,3 +22,5 @@ CVE-2021-28235 until=2023-07-31
 CVE-2023-0296 until=2023-07-31
 # golang/k8s.io/apiserver@v0.27.3
 CVE-2020-8561 until=2023-07-31
+# golang/github.com/tektoncd/pipeline@v0.44.0
+CVE-2023-37264 until=2023-07-31
From f5ef5ca24ea041465b6a5fd3e1ccd94b302c49cb Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 20 Jul 2023 16:38:25 +0800
Subject: [PATCH 5/9] chore(deps): bump k8s.io/cli-runtime from 0.27.3 to 0.27.4 (#7864)
Bumps [k8s.io/cli-runtime](https://github.com/kubernetes/cli-runtime) from 0.27.3 to 0.27.4.
- [Commits](https://github.com/kubernetes/cli-runtime/compare/v0.27.3...v0.27.4)
---
updated-dependencies:
- dependency-name: k8s.io/cli-runtime
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 8 ++++----
 go.sum | 18 +++++++++---------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/go.mod b/go.mod
index 547e534a6ab3..cb5db9d667b4 100644
--- a/go.mod
+++ b/go.mod
@@ -66,12 +66,12 @@ require (
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 gotest.tools v2.2.0+incompatible
- k8s.io/api v0.27.3
+ k8s.io/api v0.27.4
 k8s.io/apiextensions-apiserver v0.27.3
- k8s.io/apimachinery v0.27.3
+ k8s.io/apimachinery v0.27.4
 k8s.io/apiserver v0.27.3
- k8s.io/cli-runtime v0.27.3
- k8s.io/client-go v0.27.3
+ k8s.io/cli-runtime v0.27.4
+ k8s.io/client-go v0.27.4
 k8s.io/klog/v2 v2.100.1
 k8s.io/kube-aggregator v0.27.3
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f
diff --git a/go.sum b/go.sum
index a0ca108360e0..91a944fb56cd 100644
--- a/go.sum
+++ b/go.sum
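Review bot: The new suppression for CVE-2023-37264 records the affected module and an expiry but not why the finding is acceptable to ignore, which is exactly what the next reader needs when `until=2023-07-31` lapses eleven days after this commit's date. Suggest extending the added comment line with the justification and a tracker, e.g. `# golang/github.com/tektoncd/pipeline@v0.44.0 — <reason: unaffected code path / upstream fix pending>, tracked in <TRACKING-ISSUE>`. The three neighbouring entries in this hunk carry the same 2023-07-31 expiry, so the whole block will start failing the scan on the same day; a follow-up that re-evaluates them together would avoid a last-minute blanket extension.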
@@ -1217,7 +1217,7 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -2128,26 +2128,26 @@ honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9 honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo= k8s.io/api v0.20.2/go.mod h1:d7n6Ehyzx+S+cE3VhTGfVNNqtGc/oL9DCdYYahlurV8= -k8s.io/api v0.27.3 h1:yR6oQXXnUEBWEWcvPWS0jQL575KoAboQPfJAuKNrw5Y= -k8s.io/api v0.27.3/go.mod h1:C4BNvZnQOF7JA/0Xed2S+aUyJSfTGkGFxLXz9MnpIpg= +k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= +k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk= k8s.io/apiextensions-apiserver v0.20.2/go.mod h1:F6TXp389Xntt+LUq3vw6HFOLttPa0V8821ogLGwb6Zs= k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4= k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.2/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= -k8s.io/apimachinery v0.27.3 h1:Ubye8oBufD04l9QnNtW05idcOe9Z3GQN8+7PqmuVcUM= -k8s.io/apimachinery v0.27.3/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= +k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA= k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4= k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA= -k8s.io/cli-runtime v0.27.3 h1:h592I+2eJfXj/4jVYM+tu9Rv8FEc/dyCoD80UJlMW2Y= -k8s.io/cli-runtime v0.27.3/go.mod h1:LzXud3vFFuDFXn2LIrWnscPgUiEj7gQQcYZE2UPn9Kw= +k8s.io/cli-runtime v0.27.4 
h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto= +k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.2/go.mod h1:kH5brqWqp7HDxUFKoEgiI4v8G1xzbe9giaCenUWJzgE= -k8s.io/client-go v0.27.3 h1:7dnEGHZEJld3lYwxvLl7WoehK6lAq7GvgjxpA3nv1E8= -k8s.io/client-go v0.27.3/go.mod h1:2MBEKuTo6V1lbKy3z1euEGnhPfGZLKTS9tiJ2xodM48= +k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= +k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= From 5a8caaf4feb6a1fece7c85089f92a7b87502a409 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Jul 2023 09:21:17 +0000 Subject: [PATCH 6/9] chore(deps): bump go.uber.org/automaxprocs from 1.5.2 to 1.5.3 (#7868) Bumps [go.uber.org/automaxprocs](https://github.com/uber-go/automaxprocs) from 1.5.2 to 1.5.3. - [Release notes](https://github.com/uber-go/automaxprocs/releases) - [Changelog](https://github.com/uber-go/automaxprocs/blob/master/CHANGELOG.md) - [Commits](https://github.com/uber-go/automaxprocs/compare/v1.5.2...v1.5.3) --- updated-dependencies: - dependency-name: go.uber.org/automaxprocs dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index cb5db9d667b4..6b3eb9eca604 100644 --- a/go.mod +++ b/go.mod 
@@ -54,7 +54,7 @@ require ( go.opentelemetry.io/otel/sdk v1.16.0 go.opentelemetry.io/otel/sdk/metric v0.39.0 go.opentelemetry.io/otel/trace v1.16.0 - go.uber.org/automaxprocs v1.5.2 + go.uber.org/automaxprocs v1.5.3 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.24.0 golang.org/x/crypto v0.11.0 diff --git a/go.sum b/go.sum index 91a944fb56cd..a1ae41f1a6ce 100644 --- a/go.sum +++ b/go.sum @@ -1502,8 +1502,8 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/automaxprocs v1.4.0/go.mod h1:/mTEdr7LvHhs0v7mjdxDreTz1OG5zdZGqgOnhWiR/+Q= -go.uber.org/automaxprocs v1.5.2 h1:2LxUOGiR3O6tw8ui5sZa2LAaHnsviZdVOUZw4fvbnME= -go.uber.org/automaxprocs v1.5.2/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= +go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= +go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A= From 537612b609a5dfd616aa2795a5874c7e038f7294 Mon Sep 17 00:00:00 2001 From: shuting Date: Thu, 20 Jul 2023 18:34:07 +0800 Subject: [PATCH 7/9] fix: namespace label matching for Namespace (#7837) * Feat: namespaceLabel matching for ns Signed-off-by: ShutingZhao * Fix: update kuttl tests Signed-off-by: ShutingZhao --------- 
Signed-off-by: ShutingZhao --- pkg/engine/utils/match.go | 19 +++++++++++-------- .../{02-policy.yaml => 01-policy.yaml} | 0 .../{01-ns.yaml => 02-ns.yaml} | 0 .../04-clusterrole.yaml | 13 +++++++++++++ .../05-delete-ns.yaml | 7 +++++++ .../06-delete-clulsterrole.yaml | 7 +++++++ .../ns-selector-with-wildcard-kind/README.md | 3 ++- 7 files changed, 40 insertions(+), 9 deletions(-) rename test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/{02-policy.yaml => 01-policy.yaml} (100%) rename test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/{01-ns.yaml => 02-ns.yaml} (100%) create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml create mode 100644 test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml diff --git a/pkg/engine/utils/match.go b/pkg/engine/utils/match.go index 073c888ec597..239cabb5e218 100644 --- a/pkg/engine/utils/match.go +++ b/pkg/engine/utils/match.go 
@@ -115,14 +115,17 @@ func doesResourceMatchConditionBlock(
 }
 }
- if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" &&
- (resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind())) {
- hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
- if err != nil {
- errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
- } else {
- if !hasPassed {
- errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
+ if conditionBlock.NamespaceSelector != nil {
+ if resource.GetKind() == "Namespace" {
+ errs = append(errs, fmt.Errorf("namespace selector is not applicable for namespace resource"))
+ } else if resource.GetKind() != "" || slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind()) {
+ hasPassed, err := matchutils.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels)
+ if err != nil {
+ errs = append(errs, fmt.Errorf("failed to parse namespace selector: %v", err))
+ } else {
+ if !hasPassed {
+ errs = append(errs, fmt.Errorf("namespace selector does not match labels"))
+ }
 }
 }
 }
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml
similarity index 100%
rename from test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-policy.yaml
rename to test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-policy.yaml
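Review bot: The new `resource.GetKind() == "Namespace"` branch turns a namespaceSelector into a hard non-match for Namespace objects, which changes which resources a rule with `kinds: ["*"]` applies to, and nothing in the code says why; a comment above the `errs = append(...)` such as `// a Namespace is not itself namespaced, so a namespaceSelector can never be evaluated against it` would make the intent survive the next refactor. In the `else if`, `A || B && C` leans on `&&` binding tighter than `||`, and `wildcard.Match("*", ...)` presumably matches any kind, so parenthesising as `resource.GetKind() != "" || (slices.Contains(conditionBlock.Kinds, "*") && wildcard.Match("*", resource.GetKind()))` (or dropping the always-true call) reads more honestly. Two smaller points in the rewritten lines: `fmt.Errorf("failed to parse namespace selector: %w", err)` lets callers unwrap the selector error, and `} else { if !hasPassed {` collapses to `} else if !hasPassed {`. doesResourceMatchConditionBlock starts before and continues after this hunk.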
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml similarity index 100% rename from test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/01-ns.yaml rename to test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/02-ns.yaml diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml new file mode 100644 index 000000000000..c87165f23baf --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/04-clusterrole.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pod-reader-fake +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml new file mode 100644 index 000000000000..f477c32beef7 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/05-delete-ns.yaml @@ -0,0 +1,7 @@ +# Specifying the kind as `TestStep` performs certain behaviors like this delete operation. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: v1 + kind: Namespace + name: test-wildcard 
diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml new file mode 100644 index 000000000000..18915c7ff082 --- /dev/null +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/06-delete-clulsterrole.yaml @@ -0,0 +1,7 @@ +# Specifying the kind as `TestStep` performs certain behaviors like this delete operation. +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + name: pod-reader-fake diff --git a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md index 40377d9fae45..5057c54da75b 100644 --- a/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md +++ b/test/conformance/kuttl/validate/clusterpolicy/standard/enforce/ns-selector-with-wildcard-kind/README.md @@ -9,4 +9,5 @@ The pod `test-validate/nginx-block` is blocked, and the pod `default/nginx-pass` ## Reference Issue(s) -https://github.com/kyverno/kyverno/issues/6015 \ No newline at end of file +https://github.com/kyverno/kyverno/issues/6015 +https://github.com/kyverno/kyverno/issues/7771 \ No newline at end of file From f905f90422f6a02b7e3260fa85d5bb46583098b0 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Jul 2023 13:48:19 +0000 Subject: [PATCH 8/9] chore(deps): bump k8s.io/kube-aggregator from 0.27.3 to 0.27.4 (#7865) Bumps [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) from 0.27.3 to 0.27.4. - [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.27.3...v0.27.4) --- updated-dependencies: - dependency-name: k8s.io/kube-aggregator dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: shuting Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 6b3eb9eca604..a0462c79d04e 100644 --- a/go.mod +++ b/go.mod @@ -69,11 +69,11 @@ require ( k8s.io/api v0.27.4 k8s.io/apiextensions-apiserver v0.27.3 k8s.io/apimachinery v0.27.4 - k8s.io/apiserver v0.27.3 + k8s.io/apiserver v0.27.4 k8s.io/cli-runtime v0.27.4 k8s.io/client-go v0.27.4 k8s.io/klog/v2 v2.100.1 - k8s.io/kube-aggregator v0.27.3 + k8s.io/kube-aggregator v0.27.4 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f k8s.io/pod-security-admission v0.27.3 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 @@ -329,7 +329,7 @@ require ( gopkg.in/square/go-jose.v2 v2.6.0 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect - k8s.io/component-base v0.27.3 // indirect + k8s.io/component-base v0.27.4 // indirect k8s.io/kubectl v0.26.3 // indirect oras.land/oras-go/v2 v2.2.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index a1ae41f1a6ce..305add38ae0d 100644 --- a/go.sum +++ b/go.sum 
@@ -2140,8 +2140,8 @@ k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.2/go.mod h1:2nKd93WyMhZx4Hp3RfgH2K5PhwyTrprrkWYnI7id7jA= -k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4= -k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA= +k8s.io/apiserver v0.27.4 h1:ncZ0MBR9yQ/Gf34rtu1EK+HqT8In1YpfAUINu/Akvho= +k8s.io/apiserver v0.27.4/go.mod h1:GDEFRfFZ4/l+pAvwYRnoSfz0K4j3TWiN4WsG2KnRteE= k8s.io/cli-runtime v0.27.4 h1:Zb0eci+58eHZNnoHhjRFc7W88s8dlG12VtIl3Nv2Hto= k8s.io/cli-runtime v0.27.4/go.mod h1:k9Z1xiZq2xNplQmehpDquLgc+rE+pubpO1cK4al4Mlw= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= @@ -2152,8 +2152,8 @@ k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbW k8s.io/code-generator v0.20.2/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= k8s.io/component-base v0.20.2/go.mod h1:pzFtCiwe/ASD0iV7ySMu8SYVJjCapNM9bjvk7ptpKh0= -k8s.io/component-base v0.27.3 h1:g078YmdcdTfrCE4fFobt7qmVXwS8J/3cI1XxRi/2+6k= -k8s.io/component-base v0.27.3/go.mod h1:JNiKYcGImpQ44iwSYs6dysxzR9SxIIgQalk4HaCNVUY= +k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c= +k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= 
@@ -2162,8 +2162,8 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.8.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-aggregator v0.27.3 h1:0o/Q30C84hHvhUef7OOTHMhO2eCySOPHKOUUrhBwpfo= -k8s.io/kube-aggregator v0.27.3/go.mod h1:zbx67NbFee9cqjbXjib89/oOyrXdOq3UYStIBGazv08= +k8s.io/kube-aggregator v0.27.4 h1:WdK9iiBr32G8bWfpUEFVQl70RZO2dU19ZAktUXL5JFc= +k8s.io/kube-aggregator v0.27.4/go.mod h1:+eG83gkAyh0uilQEAOgheeQW4hr+PkyV+5O1nLGsjlM= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= k8s.io/kube-openapi v0.0.0-20210305001622-591a79e4bda7/go.mod h1:wXW5VT87nVfh/iLV8FpR2uDvrFyomxbtb1KivDbvPTE= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= From 69cb254e5327700c158c5fcdbfda4e7be1bab049 Mon Sep 17 00:00:00 2001 From: shuting Date: Fri, 21 Jul 2023 06:02:27 +0800 Subject: [PATCH 9/9] feat: skip schema validation for CRD (#7869) Signed-off-by: ShutingZhao --- pkg/openapi/manager.go | 13 +++++- .../schema-validation-crd/01-policy.yaml | 42 +++++++++++++++++++ .../schema-validation-crd/README.md | 11 +++++ .../schema-validation-crd/policy-assert.yaml | 9 ++++ 4 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/README.md create mode 100644 test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml diff --git a/pkg/openapi/manager.go b/pkg/openapi/manager.go index 6b4bec185312..ffb22b3e0a2c 100644 --- a/pkg/openapi/manager.go +++ b/pkg/openapi/manager.go 
@@ -133,11 +133,20 @@ func (o *manager) ValidatePolicyMutation(policy kyvernov1.PolicyInterface) error
 }
 for kind, rules := range kindToRules {
+ if kind == "CustomResourceDefinition" {
+ continue
+ }
 newPolicy := policy.CreateDeepCopy()
 spec := newPolicy.GetSpec()
 spec.SetRules(rules)
- k, _ := o.gvkToDefinitionName.Get(kind)
- d, _ := o.definitions.Get(k)
+ k, ok := o.gvkToDefinitionName.Get(kind)
+ if !ok {
+ continue
+ }
+ d, ok := o.definitions.Get(k)
+ if !ok {
+ continue
+ }
 resource, _ := o.generateEmptyResource(d).(map[string]interface{})
 if len(resource) == 0 {
 o.logger.V(2).Info("unable to validate resource. OpenApi definition not found", "kind", kind)
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml
new file mode 100644
index 000000000000..82e282409a6f
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/01-policy.yaml
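Review bot: The two new `if !ok { continue }` branches skip schema validation for a kind without leaving any trace, while the existing missing-definition path a few lines below logs at V(2); a mutate policy whose target kinds cannot be resolved now passes this check silently, and that is exactly the gap an operator debugging an unvalidated mutation will want to see in the logs. The added `CustomResourceDefinition` guard deserves a log line for the same reason, and the `policy.CreateDeepCopy()`/`SetRules` pair can move below the lookups so the copy is not made for kinds that end up skipped. The guard is an exact string match on the map key; if `kindToRules` keys can carry a group/version prefix (the lookup table is called `gvkToDefinitionName`, so this looks possible), a policy written as `apiextensions.k8s.io/v1/CustomResourceDefinition` would not be matched and the issue being fixed would reappear — worth confirming what the keys look like. ValidatePolicyMutation starts and ends outside the hunk.
```go
	for kind, rules := range kindToRules {
		// CRDs are not described by the aggregated OpenAPI schema; skip but say so.
		if kind == "CustomResourceDefinition" {
			o.logger.V(2).Info("skipping schema validation for kind", "kind", kind)
			continue
		}
		k, ok := o.gvkToDefinitionName.Get(kind)
		if !ok {
			o.logger.V(2).Info("unable to validate resource. OpenApi definition not found", "kind", kind)
			continue
		}
		d, ok := o.definitions.Get(k)
		if !ok {
			o.logger.V(2).Info("unable to validate resource. OpenApi definition not found", "kind", kind, "definition", k)
			continue
		}
		newPolicy := policy.CreateDeepCopy()
		spec := newPolicy.GetSpec()
		spec.SetRules(rules)
		// … unchanged: generateEmptyResource and the validation that follows …
```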
@@ -0,0 +1,42 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Security
+ policies.kyverno.io/description: 'This policy mutates any namespace-scoped Custom
+ Resource Definition created by the subjects in the xteam Azure AD group
+ and adds the label "createdByXteam: true".'
+ policies.kyverno.io/subject: RBAC
+ policies.kyverno.io/title: Mutate Namespace-Scoped CRDs for xteam aad
+ group
+ policy.reporter.kyverno.io/minimal: minimal
+ generation: 1
+ labels:
+ aws.cdk.eks/prune-c8b5941ff5f4fe911c5ee96472fda3d1f9866734a7: ""
+ name: mutate-xteam-namespace-scoped-crds
+spec:
+ background: false
+ rules:
+ - match:
+ all:
+ - resources:
+ kinds:
+ - CustomResourceDefinition
+ subjects:
+ - kind: Group
+ name: aad:9b9had99-6k66-2222-9999-8aadb888e888
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ labels:
+ createdByXteam: "true"
+ name: mutate-xteams-crd-creation
+ preconditions:
+ all:
+ - key: '{{request.operation}}'
+ operator: Equals
+ value: CREATE
+ - key: '{{ request.object.spec.scope }}'
+ operator: Equals
+ value: Namespaced
+ validationFailureAction: audit
\ No newline at end of file
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/README.md b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/README.md
new file mode 100644
index 000000000000..23f9175f807e
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/README.md
@@ -0,0 +1,11 @@
+## Description
+
+This test ensures the schema validation is skipped for CustomResourceDefinition.
+
+## Expected Behavior
+
+The Pod creation should be allowed.
+
+## Reference Issue(s)
+
+https://github.com/kyverno/kyverno/issues/7844
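Review bot: The fixture carries residue copied from a live cluster that plays no part in what is being tested — `generation: 1` under metadata (a server-managed field that the API server sets itself), the `aws.cdk.eks/prune-…` label and the `policy.reporter.kyverno.io/minimal` annotation — and would read more clearly with those lines dropped so that only the CustomResourceDefinition match, the subjects filter and the mutate block remain. The file also ends without a trailing newline. The README created next to it says "The Pod creation should be allowed", but this step creates only a ClusterPolicy and the accompanying assert checks its Ready condition; the expected-behavior sentence should say that the policy is admitted and becomes Ready even though it mutates CustomResourceDefinition, so the test's intent is not mistaken for a Pod admission check.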
diff --git a/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml
new file mode 100644
index 000000000000..45ad7ff3a795
--- /dev/null
+++ b/test/conformance/kuttl/policy-validation/cluster-policy/schema-validation-crd/policy-assert.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: mutate-xteam-namespace-scoped-crds
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
\ No newline at end of file