[BUG] Evaluate userInfo with match & exclude filters #644
Comments
The intention is that the UserInfo and other elements of the Match / Exclude are processed as a logical AND.
This relates to: https://github.com/nirmata/kyverno/issues/634
What needs to be done is clear; however, why it needs to be done is unclear @shivdudhani @JimBugwadia
Since I am unclear on why these changes are required, I would like these changes to be reviewed before I test them, etc. https://github.com/nirmata/kyverno/pull/662
@shravanshetty1 As long as For PR #662, I'm not sure if we want to move match/exclude filters out of the engine. The intent for the engine is to take any policy and the resource context (including userInfo and such), then apply the policy to the resource. The engine is also used in the CLI; if we move that logic out of the engine, we'll have to add the filter checks in the CLI as well, before we pass to the engine.
@realshuting I updated the PR with a new understanding of the issue, kindly check
#644 - Policy Rule Exclude conditions should be processed as a logical AND instead of a logical OR
As userInfo is defined under `match` and `exclude`, it makes sense to evaluate all the conditions together. Currently, they are independent checks
https://github.com/nirmata/kyverno/blob/4d2bea3c0de47d9c57d2c0b729e71f2ad16df8ca/pkg/engine/mutation.go#L57-L67
Needs to be updated for `Mutation`, `Validation` & `Generation`. The conditions need to be evaluated together.
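
An added illustration (not Kyverno's code and not part of the original issue) of why this matters for an `exclude` block: with independent checks a request is excluded as soon as one element fits, while the combined AND excludes it only when both the resource and the userInfo fit. The `Filter` and `Request` types and the sample roles are hypothetical and constructed for this example.

```go
package main

import "fmt"

// Filter is a hypothetical, simplified match/exclude block (not Kyverno's types).
type Filter struct {
	Kinds        []string // resource kinds; empty means no constraint
	ClusterRoles []string // userInfo: cluster roles of the requester; empty means no constraint
}

// Request is a constructed admission context: resource kind plus requester roles.
type Request struct {
	Kind  string
	Roles []string
}

// overlap reports whether the two lists share an entry.
func overlap(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return true
			}
		}
	}
	return false
}

// SatisfiesAll ANDs every element set in the block; an empty block selects nothing.
func SatisfiesAll(f Filter, r Request) bool {
	if len(f.Kinds) == 0 && len(f.ClusterRoles) == 0 {
		return false
	}
	kindOK := len(f.Kinds) == 0 || overlap(f.Kinds, []string{r.Kind})
	userOK := len(f.ClusterRoles) == 0 || overlap(f.ClusterRoles, r.Roles)
	return kindOK && userOK
}

// SatisfiesAny is the independent-check form: one matching element is enough.
func SatisfiesAny(f Filter, r Request) bool {
	return overlap(f.Kinds, []string{r.Kind}) || overlap(f.ClusterRoles, r.Roles)
}

func main() {
	exclude := Filter{Kinds: []string{"Pod"}, ClusterRoles: []string{"cluster-admin"}}
	dev := Request{Kind: "Pod", Roles: []string{"developer"}} // constructed sample
	fmt.Println("independent checks exclude dev's Pod:", SatisfiesAny(exclude, dev))
	fmt.Println("combined AND excludes dev's Pod:", SatisfiesAll(exclude, dev))
}
```

With the independent checks, the developer's Pod skips the rule even though the exclusion was written for `cluster-admin` only; the combined evaluation keeps the rule in force for that request.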