add request.namespace in the background process

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
kyverno · Feb 23, 2021 · d770d66 · d770d66
1 parent 17c72c1
commit d770d66
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/pkg/engine/context/context.go b/pkg/engine/context/context.go
@@ -28,6 +28,9 @@ type Interface interface {
 	// AddServiceAccount merges ServiceAccount types
 	AddServiceAccount(userName string) error
 
+	// AddNamespace merges resource json under request.namespace
+	AddNamespace(namespace string) error
+
 	EvalInterface
 }
 
@@ -190,6 +193,27 @@ func (ctx *Context) AddServiceAccount(userName string) error {
 	return nil
 }
 
+// AddNamespace merges resource json under request.namespace
+func (ctx *Context) AddNamespace(namespace string) error {
+	modifiedResource := struct {
+		Request interface{} `json:"request"`
+	}{
+		Request: struct {
+			Namespace string `json:"namespace"`
+		}{
+			Namespace: namespace,
+		},
+	}
+
+	objRaw, err := json.Marshal(modifiedResource)
+	if err != nil {
+		ctx.log.Error(err, "failed to marshal the resource")
+		return err
+	}
+
+	return ctx.AddJSON(objRaw)
+}
+
 // Checkpoint creates a copy of the internal state.
 // Prior checkpoints will be overridden.
 func (ctx *Context) Checkpoint() {

diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
@@ -42,7 +42,12 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 	ctx := context.NewContext()
 	err = ctx.AddResource(transformResource(resource))
 	if err != nil {
-		logger.Error(err, "enable to add transform resource to ctx")
+		logger.Error(err, "failed to add transform resource to ctx")
+	}
+
+	err = ctx.AddNamespace(resource.GetNamespace())
+	if err != nil {
+		logger.Error(err, "failed to add namespace to ctx")
 	}
 
 	engineResponseMutation, err = mutation(policy, resource, logger, resCache, ctx, namespaceLabels)

diff --git a/pkg/policy/background.go b/pkg/policy/background.go
@@ -21,7 +21,7 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 			return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path)
 		}
 
-		filterVars := []string{"request.object"}
+		filterVars := []string{"request.object", "request.namespace"}
 		ctx := context.NewContext(filterVars...)
 
 		for contextIdx, contextEntry := range rule.Context {