Merge pull request #1846 from realshuting/background_image_properties

Enable image substitution in the background mode

pkg/policy/apply.go

@@ -50,6 +50,10 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 		logger.Error(err, "failed to add namespace to ctx")
 	}
 
+	if err := ctx.AddImageInfo(&resource); err != nil {
+		logger.Error(err, "unable to add image info to variables context")
+	}
+
 	engineResponseMutation, err = mutation(policy, resource, logger, resCache, ctx, namespaceLabels)
 	if err != nil {
 		logger.Error(err, "failed to process mutation rule")

pkg/policy/background.go

@@ -24,7 +24,7 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 			return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path)
 		}
 
-		filterVars := []string{"request.object", "request.namespace"}
+		filterVars := []string{"request.object", "request.namespace", "images"}
 		ctx := context.NewContext(filterVars...)
 
 		for _, contextEntry := range rule.Context {

pkg/policy/background_test.go

@@ -133,5 +133,5 @@ func Test_Validation_invalid_backgroundPolicy(t *testing.T) {
 	err := json.Unmarshal(rawPolicy, &policy)
 	assert.NilError(t, err)
 	err = ContainsVariablesOtherThanObject(policy)
-	assert.Assert(t, strings.Contains(err.Error(), "variable serviceAccountName cannot be used, allowed variables: [request.object request.namespace mycm]"))
+	assert.Assert(t, strings.Contains(err.Error(), "variable serviceAccountName cannot be used, allowed variables: [request.object request.namespace images mycm]"))
 }