From df4d7ae26c2acba81f0af6953417f9decac2748c Mon Sep 17 00:00:00 2001
From: Anushka Mittal <55237170+anushkamittal20@users.noreply.github.com>
Date: Thu, 20 Jan 2022 13:59:16 +0530
Subject: [PATCH] Broken exclude any all (#2990)
* added check for any/all
Signed-off-by: anushkamittal20
* minor corrections
Signed-off-by: anushkamittal20
* corrected return check for rbac info
Signed-off-by: anushkamittal20
* added cli test
Signed-off-by: anushkamittal20
Co-authored-by: Jim Bugwadia
---
 pkg/webhooks/common.go | 4 ++-
 .../test-fail/invalid-ns/kyverno-test.yaml | 11 ++++++
 test/cli/test-fail/invalid-ns/policy.yaml | 35 +++++++++++++++++++
 test/cli/test-fail/invalid-ns/resources.yaml | 8 +++++
 4 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 test/cli/test-fail/invalid-ns/kyverno-test.yaml
 create mode 100644 test/cli/test-fail/invalid-ns/policy.yaml
 create mode 100644 test/cli/test-fail/invalid-ns/resources.yaml
diff --git a/pkg/webhooks/common.go b/pkg/webhooks/common.go
index 271d48eb616e..65f2b7dbc11f 100644
--- a/pkg/webhooks/common.go
+++ b/pkg/webhooks/common.go
@@ -117,7 +117,9 @@ func containsRBACInfo(policies ...[]*kyverno.ClusterPolicy) bool {
 for _, policySlice := range policies {
 for _, policy := range policySlice {
 for _, rule := range policy.Spec.Rules {
- checkForRBACInfo(rule)
+ if checkForRBACInfo(rule) {
+ return true
+ }
 }
 }
 }
diff --git a/test/cli/test-fail/invalid-ns/kyverno-test.yaml b/test/cli/test-fail/invalid-ns/kyverno-test.yaml
new file mode 100644
index 000000000000..d27f490f8e71
--- /dev/null
+++ b/test/cli/test-fail/invalid-ns/kyverno-test.yaml
@@ -0,0 +1,11 @@
+name: test-exclude
+policies:
+ - policy.yaml
+resources:
+ - resources.yaml
+results:
+ - policy: restrict-labels
+ rule: restrict-labels
+ resource: kyverno-system-tst
+ kind: Namespace
+ result: fail
diff --git a/test/cli/test-fail/invalid-ns/policy.yaml b/test/cli/test-fail/invalid-ns/policy.yaml
new file mode 100644
index 000000000000..2d03751e7548
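Review bot: The early return now makes containsRBACInfo's result depend on checkForRBACInfo, but nothing in the change pins that at the unit level — the old body discarded the boolean and still compiled, so the same regression would go unnoticed again; a table test in pkg/webhooks that calls containsRBACInfo with one rule whose exclude sets clusterRoles (expect true) and one with no RBAC fields (expect false) would catch it. checkForRBACInfo is outside the hunk, so I can't tell whether it also walks a rule's any/all blocks rather than only match/exclude; given the commit title, that is worth confirming. The function also lacks a doc comment; something like `// containsRBACInfo reports whether any rule in the given policies references user or role information (so the webhook must resolve the request's RBAC context).` — the parenthetical is my reading of the caller, verify. containsRBACInfo's signature and its final return lie outside the hunk.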
--- /dev/null
+++ b/test/cli/test-fail/invalid-ns/policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restrict-labels
+ labels:
+ policy.schiff.telekom.de: enforced
+ annotations:
+ policies.kyverno.io/title: Restrict Labels on Namespaces
+ policies.kyverno.io/category: Labels
+ policies.kyverno.io/minversion: 1.3.0
+ policies.kyverno.io/description: >-
+ This policy prevents the use of an label beginning with a common
+ key name (in this case "platform.das-schiff.telekom.de/owner | owner"). This can be useful to ensure users either
+ don't set reserved labels or to force them to
+ use a newer version of an label.
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: restrict-labels
+ match:
+ resources:
+ kinds:
+ - Namespace
+ exclude:
+ clusterRoles:
+ - cluster-admin
+ validate:
+ message: 'Every namespace has to have `platform.das-schiff.telekom.de/owner` label. It must not have value `das-schiff` which is reserved for system namespaces'
+ pattern:
+ metadata:
+ labels:
+ platform.das-schiff.telekom.de/owner: "!das-schiff"
+ # For forward compatibility
+ =(schiff.telekom.de/owner): "!schiff"
\ No newline at end of file
diff --git a/test/cli/test-fail/invalid-ns/resources.yaml b/test/cli/test-fail/invalid-ns/resources.yaml
new file mode 100644
index 000000000000..c51350cc7aeb
--- /dev/null
+++ b/test/cli/test-fail/invalid-ns/resources.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kyverno-system-tst
+ labels:
+ name: kyverno-system-tst
+ schiff.telekom.de/owner: schiff
+ platform.das-schiff.telekom.de/owner: das-schiff
\ No newline at end of file
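Review bot: policy.yaml and resources.yaml are both added without a trailing newline (`\ No newline at end of file`), which will churn their last line in every later edit; add one to each. The description annotation reads `an label` in two places where `a label` is meant. As far as I can tell from the fixture, nothing supplies cluster-role information to the CLI run, so the `exclude.clusterRoles` entry presumably never matches and the expected `fail` comes from the pattern alone; if the intent is to exercise the exclude path that the webhook fix targets, a one-line comment in kyverno-test.yaml stating what the case covers would make that explicit.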