From 85dde7e960ff45c70e2093796b0a1824d628e96e Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Wed, 28 Apr 2021 14:21:11 -0700
Subject: [PATCH 1/2] Enable image substitution in the background mode
Signed-off-by: Shuting Zhao
---
 pkg/policy/apply.go | 4 ++++
 pkg/policy/background.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/policy/apply.go b/pkg/policy/apply.go
index 258b1c183462..f39a4eb7c5d9 100644
--- a/pkg/policy/apply.go
+++ b/pkg/policy/apply.go
@@ -50,6 +50,10 @@ func applyPolicy(policy kyverno.ClusterPolicy, resource unstructured.Unstructure
 logger.Error(err, "failed to add namespace to ctx")
 }
+ if err := ctx.AddImageInfo(&resource); err != nil {
+ logger.Error(err, "unable to add image info to variables context")
+ }
+
 engineResponseMutation, err = mutation(policy, resource, logger, resCache, ctx, namespaceLabels)
 if err != nil {
 logger.Error(err, "failed to process mutation rule")
diff --git a/pkg/policy/background.go b/pkg/policy/background.go
index 0b3620224027..af6084ee2bbd 100644
--- a/pkg/policy/background.go
+++ b/pkg/policy/background.go
@@ -24,7 +24,7 @@ func ContainsVariablesOtherThanObject(policy kyverno.ClusterPolicy) error {
 return fmt.Errorf("invalid variable used at path: spec/rules[%d]/exclude/%s", idx, path)
 }
- filterVars := []string{"request.object", "request.namespace"}
+ filterVars := []string{"request.object", "request.namespace", "images"}
 ctx := context.NewContext(filterVars...)
 for _, contextEntry := range rule.Context {
From e9c2d899c949b99d3d9d73b7ac34f111381e2156 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Wed, 28 Apr 2021 14:52:26 -0700
Subject: [PATCH 2/2] fix the unit test
Signed-off-by: Shuting Zhao
---
 pkg/policy/background_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/policy/background_test.go b/pkg/policy/background_test.go
index a0d9e136ad69..32a1dda10095 100644
--- a/pkg/policy/background_test.go
+++ b/pkg/policy/background_test.go
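Review bot: When `ctx.AddImageInfo(&resource)` fails, the added block in `applyPolicy` only logs and then falls through to `mutation(...)` with a context that carries no image data, so a background rule that references `images` is evaluated with that variable unresolved. How the engine treats an unresolved variable is not visible in this hunk, but a policy result computed from an incomplete context should surface as an error for that resource rather than as an ordinary pass or fail. At minimum the log entry should identify the resource (unless `logger` already carries it), e.g. `logger.Error(err, "unable to add image info to variables context", "kind", resource.GetKind(), "namespace", resource.GetNamespace(), "name", resource.GetName())`. The namespace block just above uses the same log-and-continue pattern, and the body of `applyPolicy` starts and ends outside the hunk.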
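Review bot: The `filterVars` allow-list in `ContainsVariablesOtherThanObject` gains `"images"` with no comment saying why that variable is safe when no admission request exists. A one-line comment above the slice would record the reasoning, for example `// images is derived from the resource itself (ctx.AddImageInfo in applyPolicy), so it resolves in background scans`. The function name also no longer matches what is allowed, which is worth stating in its doc comment; the function body starts and ends outside the hunk.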
@@ -133,5 +133,5 @@ func Test_Validation_invalid_backgroundPolicy(t *testing.T) {
 err := json.Unmarshal(rawPolicy, &policy)
 assert.NilError(t, err)
 err = ContainsVariablesOtherThanObject(policy)
- assert.Assert(t, strings.Contains(err.Error(), "variable serviceAccountName cannot be used, allowed variables: [request.object request.namespace mycm]"))
+ assert.Assert(t, strings.Contains(err.Error(), "variable serviceAccountName cannot be used, allowed variables: [request.object request.namespace images mycm]"))
 }
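Review bot: The updated assertion calls `err.Error()` without first checking that `err` is non-nil, so if `ContainsVariablesOtherThanObject` ever accepts this policy the test panics on a nil dereference instead of failing with a readable message. `assert.ErrorContains(t, err, "variable serviceAccountName cannot be used")` covers the nil case and does not break every time the allow-list gains or reorders an entry. The visible hunks also exercise only the rejection path; a case asserting that a background policy using an `images` variable is accepted would pin the behaviour this series introduces. The test function starts outside the hunk.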