forked from kyverno/kyverno
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix kyverno#1506; Resolve path reference in entire rule instead of ju…
…st pattern/overlay Signed-off-by: Max Goncharenko <kacejot@fex.net>
- Loading branch information
Showing
22 changed files
with
938 additions
and
463 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
package common | ||
|
||
// CopyMap creates a full copy of the target map | ||
func CopyMap(m map[string]interface{}) map[string]interface{} { | ||
mapCopy := make(map[string]interface{}) | ||
for k, v := range m { | ||
mapCopy[k] = v | ||
} | ||
|
||
return mapCopy | ||
} | ||
|
||
// CopySlice creates a full copy of the target slice | ||
func CopySlice(s []interface{}) []interface{} { | ||
sliceCopy := make([]interface{}, len(s)) | ||
copy(sliceCopy, s) | ||
|
||
return sliceCopy | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
package common | ||
|
||
import ( | ||
"testing" | ||
|
||
"gotest.tools/assert" | ||
) | ||
|
||
func Test_OriginalMapMustNotBeChanged(t *testing.T) { | ||
// no variables | ||
originalMap := map[string]interface{}{ | ||
"rsc": 3711, | ||
"r": 2138, | ||
"gri": 1908, | ||
"adg": 912, | ||
} | ||
|
||
mapCopy := CopyMap(originalMap) | ||
mapCopy["r"] = 1 | ||
|
||
assert.Equal(t, originalMap["r"], 2138) | ||
} | ||
|
||
func Test_OriginalSliceMustNotBeChanged(t *testing.T) { | ||
// no variables | ||
originalSlice := []interface{}{ | ||
3711, | ||
2138, | ||
1908, | ||
912, | ||
} | ||
|
||
sliceCopy := CopySlice(originalSlice) | ||
sliceCopy[0] = 1 | ||
|
||
assert.Equal(t, originalSlice[0], 3711) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,150 @@ | ||
package engine | ||
|
||
import ( | ||
"encoding/json" | ||
"testing" | ||
|
||
kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1" | ||
"github.com/kyverno/kyverno/pkg/engine/context" | ||
"github.com/kyverno/kyverno/pkg/engine/utils" | ||
"gotest.tools/assert" | ||
) | ||
|
||
var rawPolicy = []byte(` | ||
{ | ||
"apiVersion": "kyverno.io/v1", | ||
"kind": "ClusterPolicy", | ||
"metadata": { | ||
"name": "add-label" | ||
}, | ||
"spec": { | ||
"rules": [ | ||
{ | ||
"name": "add-name-label", | ||
"match": { | ||
"resources": { | ||
"kinds": [ | ||
"Pod" | ||
] | ||
} | ||
}, | ||
"mutate": { | ||
"overlay": { | ||
"metadata": { | ||
"labels": { | ||
"appname": "{{request.object.metadata.name}}" | ||
} | ||
} | ||
} | ||
} | ||
} | ||
] | ||
} | ||
} | ||
`) | ||
|
||
var rawResource = []byte(` | ||
{ | ||
"apiVersion": "v1", | ||
"kind": "Pod", | ||
"metadata": { | ||
"name": "check-root-user" | ||
}, | ||
"spec": { | ||
"containers": [ | ||
{ | ||
"name": "check-root-user", | ||
"image": "nginxinc/nginx-unprivileged", | ||
"securityContext": { | ||
"runAsNonRoot": true | ||
} | ||
} | ||
] | ||
} | ||
} | ||
`) | ||
|
||
func Test_ForceMutateSubstituteVars(t *testing.T) { | ||
expectedRawResource := []byte(` | ||
{ | ||
"apiVersion": "v1", | ||
"kind": "Pod", | ||
"metadata": { | ||
"name": "check-root-user", | ||
"labels": { | ||
"appname": "check-root-user" | ||
} | ||
}, | ||
"spec": { | ||
"containers": [ | ||
{ | ||
"name": "check-root-user", | ||
"image": "nginxinc/nginx-unprivileged", | ||
"securityContext": { | ||
"runAsNonRoot": true | ||
} | ||
} | ||
] | ||
} | ||
} | ||
`) | ||
|
||
var expectedResource interface{} | ||
assert.NilError(t, json.Unmarshal(expectedRawResource, &expectedResource)) | ||
|
||
var policy kyverno.ClusterPolicy | ||
err := json.Unmarshal(rawPolicy, &policy) | ||
assert.NilError(t, err) | ||
|
||
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) | ||
assert.NilError(t, err) | ||
ctx := context.NewContext() | ||
err = ctx.AddResource(rawResource) | ||
assert.NilError(t, err) | ||
|
||
mutatedResource, err := ForceMutate(ctx, policy, *resourceUnstructured) | ||
assert.NilError(t, err) | ||
|
||
assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent()) | ||
} | ||
|
||
func Test_ForceMutateSubstituteVarsWithNilContext(t *testing.T) { | ||
expectedRawResource := []byte(` | ||
{ | ||
"apiVersion": "v1", | ||
"kind": "Pod", | ||
"metadata": { | ||
"name": "check-root-user", | ||
"labels": { | ||
"appname": "placeholderValue" | ||
} | ||
}, | ||
"spec": { | ||
"containers": [ | ||
{ | ||
"name": "check-root-user", | ||
"image": "nginxinc/nginx-unprivileged", | ||
"securityContext": { | ||
"runAsNonRoot": true | ||
} | ||
} | ||
] | ||
} | ||
} | ||
`) | ||
|
||
var expectedResource interface{} | ||
assert.NilError(t, json.Unmarshal(expectedRawResource, &expectedResource)) | ||
|
||
var policy kyverno.ClusterPolicy | ||
err := json.Unmarshal(rawPolicy, &policy) | ||
assert.NilError(t, err) | ||
|
||
resourceUnstructured, err := utils.ConvertToUnstructured(rawResource) | ||
assert.NilError(t, err) | ||
|
||
mutatedResource, err := ForceMutate(nil, policy, *resourceUnstructured) | ||
assert.NilError(t, err) | ||
|
||
assert.DeepEqual(t, expectedResource, mutatedResource.UnstructuredContent()) | ||
} |
Oops, something went wrong.