
fix: add resourceNames field in the generated VAPs #10187

Merged
merged 3 commits into from
May 7, 2024

Conversation

MariamFahmy98
Collaborator

@MariamFahmy98 MariamFahmy98 commented May 6, 2024

Explanation

This PR adds the resourceNames field to the generated VAP when a Kyverno policy matches resources by name. Also, VAPs don't support wildcards in resource names, so we skip generating them if one of the resource names has a wildcard.

Related issue

Closes #10186

Milestone of this PR

/milestone 1.12.2

Documentation (required for features)

My PR contains new or altered behavior to Kyverno.

What type of PR is this

/kind bug

Proposed Changes

Proof Manifests

Resource Names without wildcards

  1. Create the following policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-label-app-4
spec:
  validationFailureAction: Audit
  rules:
    - name: check-label-app
      match:
        any:
        - resources:
            kinds:
            - Pod
            - Deployment
            names: 
            - "staging"
      validate:
        cel:
          expressions:
            - expression: "'app' in object.metadata.labels"
  2. Check that the corresponding VAP is generated:
apiVersion: admissionregistration.k8s.io/v1alpha1
kind: ValidatingAdmissionPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: kyverno
  name: check-label-app-4
  ownerReferences:
  - apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    name: check-label-app-4
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups:
      - ""
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resourceNames:
      - staging
      resources:
      - pods
      - pods/ephemeralcontainers
    - apiGroups:
      - apps
      apiVersions:
      - v1
      operations:
      - CREATE
      - UPDATE
      resourceNames:
      - staging
      resources:
      - deployments
  validations:
  - expression: "'app' in object.metadata.labels"

Resource names with wildcards

  1. Create the following policy:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-label-app-3
spec:
  validationFailureAction: Audit
  rules:
    - name: check-label-app
      match:
        any:
        - resources:
            kinds:
            - Pod
            names: 
            - "prod-*"
            - "staging"
      validate:
        cel:
          expressions:
            - expression: "'app' in object.metadata.labels"
  2. Check the status:
status:
  validatingadmissionpolicy:
    generated: false
    message: ""
  3. Check that there are no generated VAPs:
$ kubectl get validatingadmissionpolicy
No resources found

$ kubectl get validatingadmissionpolicybindings
No resources found

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR.
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .
  • My PR contains new or altered behavior to Kyverno and
    • CLI support should be added and my PR doesn't contain that functionality.

Further Comments

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
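The decision this PR describes, as an added example that is not Kyverno's own code: map a rule's match kinds and names to VAP resource rules carrying resourceNames, and refuse to generate when a name contains a wildcard. The struct and function names are this example's own, the kindToRule table is filled in by hand from the proof manifest above (Kyverno resolves kinds via API discovery), and '*' and '?' are assumed to be the wildcard characters.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceRule holds the matchConstraints.resourceRules fields shown in the proof manifest (example's own type, not Kyverno's).
type ResourceRule struct {
	APIGroups, APIVersions, Operations, ResourceNames, Resources []string
}

// kindToRule is an assumed stand-in for Kyverno's discovery-based kind resolution; entries are copied from the generated VAP above.
var kindToRule = map[string]ResourceRule{
	"Pod":        {APIGroups: []string{""}, APIVersions: []string{"v1"}, Resources: []string{"pods", "pods/ephemeralcontainers"}},
	"Deployment": {APIGroups: []string{"apps"}, APIVersions: []string{"v1"}, Resources: []string{"deployments"}},
}

// HasWildcard reports whether a match name uses a glob character ('*' or '?', assumed); VAP resourceNames lists exact names only.
func HasWildcard(names []string) bool {
	for _, n := range names {
		if strings.ContainsAny(n, "*?") {
			return true
		}
	}
	return false
}

// BuildResourceRules turns a rule's match kinds and names into VAP resource rules; ok=false means skip generation (wildcard name or unknown kind).
func BuildResourceRules(kinds, names []string) (rules []ResourceRule, ok bool) {
	if HasWildcard(names) {
		return nil, false
	}
	for _, k := range kinds {
		r, known := kindToRule[k] // struct copy; the shared Resources slice is never mutated
		if !known {
			return nil, false
		}
		r.Operations = []string{"CREATE", "UPDATE"}
		r.ResourceNames = append([]string(nil), names...) // own copy, nil when the rule has no names
		rules = append(rules, r)
	}
	return rules, true
}

func main() {
	rules, ok := BuildResourceRules([]string{"Pod", "Deployment"}, []string{"staging"})
	fmt.Printf("generated=%v rules=%+v\n", ok, rules)
}
```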

codecov bot commented May 6, 2024

Codecov Report

Attention: Patch coverage is 21.73913%, with 18 lines in your changes missing coverage. Please review.

Project coverage is 10.15%. Comparing base (4bbb57a) to head (7007dd7).

File                                                   Patch %   Lines
...validatingadmissionpolicy/kyvernopolicy_checker.go  33.33%    8 Missing and 2 partials
pkg/validatingadmissionpolicy/builder.go               0.00%     8 Missing
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #10187      +/-   ##
==========================================
- Coverage   10.15%   10.15%   -0.01%     
==========================================
  Files        1030     1030              
  Lines       91785    91796      +11     
==========================================
  Hits         9319     9319              
- Misses      81448    81457       +9     
- Partials     1018     1020       +2     


@MariamFahmy98 MariamFahmy98 merged commit 3fa6a8d into kyverno:main May 7, 2024
249 of 250 checks passed
@MariamFahmy98 MariamFahmy98 deleted the fix-10186 branch May 7, 2024 13:06
@realshuting
Member

Please make sure PRs are cherry-picked to patch versions.

@MariamFahmy98
Collaborator Author

/cherry-pick release-1.12

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request May 20, 2024
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
@realshuting realshuting added the labels cherry-pick-completed (The PR was cherry-picked (or merged) to required release branches) and milestone 1.13.0 on May 20, 2024
MariamFahmy98 added a commit that referenced this pull request May 20, 2024
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
anushkamittal2001 pushed a commit to nirmata/kyverno that referenced this pull request May 24, 2024
…yverno#10265)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Labels
cherry-pick-completed (The PR was cherry-picked (or merged) to required release branches), cherry-pick-required, milestone 1.12.2, milestone 1.13.0
Development

Successfully merging this pull request may close these issues.

[Bug] The generated ValidatingAdmissionPolicy is missing the resourceNames field
3 participants