Is your feature request related to a problem? Please describe.
When writing a policy which validates operations from AdmissionReview data, Kyverno does not validate that the provided operations are valid. This results in the possibility of writing a policy which doesn't work as intended.
For example, when writing a deny statement which looks at {{ request.operation }}, a user could put FOO as an operation yet there is no Kubernetes operation called FOO.
Describe the solution you'd like
Perform policy schema validations of the list of operations, which are any of CREATE, UPDATE, DELETE, or CONNECT. Ensure the spelling of each is precise. Fail policy creation if any strings are not among these values.
@chipzoller @realshuting I have added the required validation for the preconditions field as well, whenever it faces a condition with key: {{request.operation}}
Additional context
A follow-on idea from #1337
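The check requested in this issue, as an added example; it is not Kyverno's implementation or code from this thread. The `Condition` type, the `ValidateOperations` function and the sample conditions are assumptions made for illustration, and condition values are treated as literal strings.

```go
package main

import (
	"fmt"
	"regexp"
)

// The four operations the issue lists as valid; matching is exact and case-sensitive.
var validOps = map[string]bool{"CREATE": true, "UPDATE": true, "DELETE": true, "CONNECT": true}

// Matches the variable with or without inner spaces: {{request.operation}} or {{ request.operation }}.
var opKey = regexp.MustCompile(`^\s*\{\{\s*request\.operation\s*\}\}\s*$`)

// Condition is a hypothetical, simplified stand-in for one deny/precondition entry.
type Condition struct {
	Key      string
	Operator string
	Value    interface{} // a string or a list, as decoded from YAML/JSON
}

// ValidateOperations returns one error per value that is not a valid operation.
// Conditions whose key is not request.operation are ignored.
func ValidateOperations(conds []Condition) []error {
	var errs []error
	for i, c := range conds {
		if !opKey.MatchString(c.Key) {
			continue
		}
		vals, isList := c.Value.([]interface{})
		if !isList {
			vals = []interface{}{c.Value}
		}
		for _, v := range vals {
			if s, ok := v.(string); !ok || !validOps[s] {
				errs = append(errs, fmt.Errorf("conditions[%d]: invalid operation %v (want CREATE, UPDATE, DELETE or CONNECT)", i, v))
			}
		}
	}
	return errs
}

func main() {
	// Constructed sample: the FOO case from the issue plus a lower-case misspelling.
	conds := []Condition{
		{Key: "{{ request.operation }}", Operator: "Equals", Value: "FOO"},
		{Key: "{{request.operation}}", Operator: "In", Value: []interface{}{"DELETE", "create"}},
	}
	for _, err := range ValidateOperations(conds) {
		fmt.Println("policy rejected:", err)
	}
}
```

A policy is accepted only when the returned slice is empty; any entry means policy creation should fail with that message.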