feat(operators): support subset checking for in and notin

[RinkiyaKeDad]

Signed-off-by: Arsh Sharma arshsharma461@gmail.com

Related issue

Fixes #1367

What type of PR is this?

/kind feature

Proposed changes

Added checking if a set of strings is in an allowed list of strings when using In and NotIn operators

Checklist

• I have read the contributing guidelines.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further comments

I wrote the setExistsInArray function based on keyExistsInArray function already present. I had a doubt here, if we have a return statement in default case wouldn't this mean that the return statement outside the switch block will never get executed?
Shouldn't we simply just have this is the default case:

default:
	return true, false

I'm a bit new to Golang so sorry if this is something obvious 😅 Thanks!

[realshuting]

I'm curious how would this be declared in the policy?

[RinkiyaKeDad]

Using the example @JimBugwadia gave in the issue we could have something like:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-external-ips
spec:
  validationFailureAction: audit
  rules:
  - name: check-ips
    match:
      resources:
        kinds:
        - Service
    validate:
      message: "externalIPs are not allowed"
      deny:
        key: {{ request.object.spec.externalIPs }}
        operator: NotIn
        value: "1.1.1.1"

Where the keys are a set of strings and the value is just a string. Another case would be when the value is a string representing JSON like in the keyExistsInArray function. Though I'm not sure how that works.

[realshuting]

I guess you can define the array in JSON format "['a', 'b']" then it is parsed to JSON string array.

[realshuting]

Seems that checkSubset returns true if all keys are found in the value, while for NotIn in this use case, it expects "any of the three matches; not all three together".

We should define the expected behavior for set operations of In/NotIn.

cc @chipzoller @JimBugwadia

[JimBugwadia]

Given 2 sets, S1 and S2:

• S1 In S2: means all values of S1 are in S2
• S1 NotIn S2: means none of the values of S1 are in S2

[RinkiyaKeDad]

Will write two separate functions for In and NotIn based on this definition then.

[realshuting]

I had a doubt here, if we have a return statement in default case wouldn't this mean that the return statement outside the switch block will never get executed?

@RinkiyaKeDad Yes you are right, the return statement outside of the switch block will never get executed. But the function has return values declared, removing the last return would result in a compile error missing return at end of function".

[RinkiyaKeDad]

@RinkiyaKeDad Yes you are right, the return statement outside of the switch block will never get executed. But the function has return values declared, removing the last return would result in a compile error missing return at end of function".

Thanks for clearing that @realshuting. I didn't include a return statement outside of the switch block in the function I wrote because I got a warning in my editor saying unreachable code.

I should ignore that and add a return statement regardless, right?

Also shouldn't these two lines of code be replaced with:

return true, false

[realshuting]

Looks good.

[realshuting]

I guess you can define the array in JSON format "['a', 'b']" then it is parsed to JSON string array.

[realshuting]

Yes you are right, the return statement outside of the switch block will never get executed.

I take it back since I realized that in cases []interface{} and string we do not return if conditions aren't matched. So we need the last return statement.