fix: allowed templatised values to be exempted from validation checks (…

…#1599) Signed-off-by: Yashvardhan Kukreja <yash.kukreja.98@gmail.com>
kyverno · Feb 16, 2021 · 478f32b · 478f32b
1 parent a21195f
commit 478f32b
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 1 deletion.
diff --git a/pkg/policy/validate.go b/pkg/policy/validate.go
@@ -530,7 +530,13 @@ func validateConditionValuesKeyRequestOperation(c kyverno.Condition) (string, er
 	}
 	switch reflect.TypeOf(c.Value).Kind() {
 	case reflect.String:
-		if !valuesAllowed[c.Value.(string)] {
+		valueStr := c.Value.(string)
+		// allow templatized values like {{ config-map.data.sample-key }}
+		// because they might be actually pointing to a rightful value in the provided config-map
+		if len(valueStr) >= 4 && valueStr[:2] == "{{" && valueStr[len(valueStr)-2:] == "}}" {
+			return "", nil
+		}
+		if !valuesAllowed[valueStr] {
 			return fmt.Sprintf("value: %s", c.Value.(string)), fmt.Errorf("unknown value '%s' found under the 'value' field. Only the following values are allowed: [CREATE, UPDATE, DELETE, CONNECT]", c.Value.(string))
 		}
 	case reflect.Slice:

diff --git a/pkg/policy/validate_test.go b/pkg/policy/validate_test.go
@@ -312,6 +312,54 @@ func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_ExpectedValue(
 	assert.NilError(t, err)
 }
 
+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_RightfullyTemplatizedValue(t *testing.T) {
+	denyConditions := []byte(`
+	[
+		{
+			"key":"{{request.operation}}",
+			"operator":"Equals",
+			"value":"{{ \"ops-cm\".data.\"deny-ops\"}}"
+		},
+		{
+			"key":"{{ request.operation }}",
+			"operator":"NotEquals",
+			"value":"UPDATE"
+		}
+	]
+	`)
+
+	var dcs []kyverno.Condition
+	err := json.Unmarshal(denyConditions, &dcs)
+	assert.NilError(t, err)
+
+	_, err = validateConditions(dcs, "conditions")
+	assert.NilError(t, err)
+}
+
+func Test_Validate_DenyConditionsValuesString_KeyRequestOperation_WrongfullyTemplatizedValue(t *testing.T) {
+	denyConditions := []byte(`
+	[
+		{
+			"key":"{{request.operation}}",
+			"operator":"Equals",
+			"value":"{{ \"ops-cm\".data.\"deny-ops\" }"
+		},
+		{
+			"key":"{{ request.operation }}",
+			"operator":"NotEquals",
+			"value":"UPDATE"
+		}
+	]
+	`)
+
+	var dcs []kyverno.Condition
+	err := json.Unmarshal(denyConditions, &dcs)
+	assert.NilError(t, err)
+
+	_, err = validateConditions(dcs, "conditions")
+	assert.Assert(t, err != nil)
+}
+
 func Test_Validate_PreconditionsValuesString_KeyRequestOperation_UnknownValue(t *testing.T) {
 	preConditions := []byte(`
 	[