[BUG] Create/Update policy failing with custom JMESPath #2409

Closed
kumar-mallikarjuna opened this issue Sep 17, 2021 · 1 comment · Fixed by #2416
kumar-mallikarjuna commented Sep 17, 2021

Software version numbers
State the version numbers of applications involved in the bug.

  • Kubernetes version: 1.21.3
  • Kyverno version: v1.4.3

Describe the bug
kubectl apply -f /path/to/policy.yaml fails on introducing a custom JMESPath function in engine/jmespath/functions.go (patch available here).

Error Seen

Error from server: error when creating "policy.yaml": admission webhook "validate-policy.kyverno.svc" 
denied the request: policy contains invalid variables: Rule "variablethis" has forbidden variables. 
Allowed variables are: {{request.*}}, {{serviceAccountName}}, {{serviceAccountNamespace}}, {{@}} 
and ones defined by the context

To Reproduce
Steps to reproduce the behavior:

  1. Apply the patch at https://gist.github.com/ojhaarjun1/1c7c32eb53cd0b46f0dc0922495577af
  2. Create policy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: variablethis
spec:
  background: false
  rules:
    - name: variablethis
      match:
        resources:
          kinds:
            - Pod
      mutate:
        overlay:
          spec:
            containers:
              - (image): "*"
                resources:
                  requests:
                    memory: "{{ divide(`10`,`2`) }}Mi"
                    cpu: "250{{ to_lower('M') }}"
                  limits:
                    memory: "{{ @ }}"
                    cpu: "{{ @ }}"
  3. Run $ kubectl apply -f /path/to/policy.yaml

Expected behavior
Policy applied successfully.

Additional context

  • Sometimes the issue doesn't occur if the policy variablethis is already present in the cluster. Then, deleting and reapplying shows it.
  • The issue might be with the regex parsing of variables. I tried to check the output for lines 248 and 249 in kyverno/common/common.go with the above policy:
    • matchesAll = [[{{ @ }}] [{{ @ }}] [{{ to_lower('M') }}] [{{ divide(`10`, `2`) }}]]
    • matchesAllowed = [[{{ @ }}] [{{ @ }}] [{{ to_lower('M') }}]
    • This is satisfying the conditions at line 251 and raising the error.
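
The count comparison described in the report, reproduced as an added Go example that is not Kyverno's code and not part of the original issue. Both regexes, the names `CountsDiffer` and `ForbiddenVariables`, and the sample string are constructed for illustration; the allow-list is assumed to omit the backtick from its function-argument class so that it yields the same two match lists as above.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical patterns constructed for this example; not Kyverno's regexes.
var (
	// allVars matches every {{ ... }} expression in the policy text.
	allVars = regexp.MustCompile(`\{\{[^{}]*\}\}`)
	// allowedVars accepts the variables named in the error message plus
	// function calls, but its argument class has no backtick (assumption).
	allowedVars = regexp.MustCompile(`\{\{\s*(request\.[^{}]*|serviceAccountName|` +
		`serviceAccountNamespace|@|[a-z_]+\([a-zA-Z0-9_.,' ]*\))\s*\}\}`)
)

// Constructed sample: the four variable-bearing lines of the policy above.
const samplePolicy = "memory: \"{{ divide(`10`,`2`) }}Mi\"\n" +
	"cpu: \"250{{ to_lower('M') }}\"\n" +
	"memory: \"{{ @ }}\"\n" +
	"cpu: \"{{ @ }}\"\n"

// CountsDiffer mirrors the check described in the report: the policy is
// rejected when more variables are found than the allow-list matches.
func CountsDiffer(raw string) bool {
	return len(allVars.FindAllString(raw, -1)) > len(allowedVars.FindAllString(raw, -1))
}

// ForbiddenVariables tests each variable on its own and returns the ones the
// allow-list rejects, so an error can name the offending expression.
func ForbiddenVariables(raw string) []string {
	var bad []string
	for _, v := range allVars.FindAllString(raw, -1) {
		if !allowedVars.MatchString(v) {
			bad = append(bad, v)
		}
	}
	return bad
}

func main() {
	fmt.Println("rejected by count check:", CountsDiffer(samplePolicy))
	fmt.Println("forbidden variables:", ForbiddenVariables(samplePolicy))
}
```

Checking each variable individually shows which expression the allow-list fails to recognise, which the length comparison alone does not reveal.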

welcome bot commented Sep 17, 2021

Thanks for opening your first issue here! Be sure to follow the issue template!
