Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make validateAPICall work with special characters in variables #1724

Merged
merged 2 commits into from Mar 25, 2021
Merged

Make validateAPICall work with special characters in variables #1724

merged 2 commits into from Mar 25, 2021

Conversation

MarcelMue
Copy link
Collaborator

@MarcelMue MarcelMue commented Mar 19, 2021
edited

Related issue

None - I went straight for the PR for now.

What type of PR is this

/kind bug

Proposed changes

This fixes an issue where validateAPICall fails if a variable contains / and therefore exceeds the limit of 7 parts in the path.

Example of such a circumstance (falsely failing validation):

apiCall:
        urlPath: "/apis/cluster.x-k8s.io/v1alpha3/namespaces/{{ request.object.metadata.namespace }}/clusters/{{ request.object.metadata.labels.\"cluster.x-k8s.io/cluster-name\" }}"

The solution I went for, is to replace all variables with a simple string during validation.

Checklist

Further comments

I am not sure how valuable this validation is at all. It is easy to construct cases where a variable might be templated into a string containing one or multiple / during execution of a ClusterPolicy.

The benefit of this change is that values from labels and annotations are treated correctly for now at least.

I am open to add unit tests if reviewers think it's sensible.

@MarcelMue
Make validateAPICall work with special characters in variables
4f96232 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
@realshuting realshuting self-assigned this Mar 19, 2021
realshuting
realshuting reviewed Mar 22, 2021
View reviewed changes
pkg/policy/validate.go Outdated
@@ -681,7 +682,10 @@ func validateAPICall(entry kyverno.ContextEntry) error {
return fmt.Errorf("both configMap and apiCall are not allowed in a context entry")
}

if _, err := engine.NewAPIPath(entry.APICall.URLPath); err != nil {
// Replace all variables to prevent validation failing on variable keys.
urlPath := variables.ReplaceAllVars(entry.APICall.URLPath, func(s string) string { return "variable" })
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MarcelMue - thanks for submitting the fix!

Can we keep the same logic but change variable to a more unique name? "kyvernoapicallvariable" maybe?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done 👍

@MarcelMue
Rename variable to kyvernoapicallvariable
c10a994 
Signed-off-by: Marcel Mueller <marcel.mueller1@rwth-aachen.de>
@JimBugwadia JimBugwadia merged commit 4d70013 into kyverno:main Mar 25, 2021
@MarcelMue MarcelMue deleted the fix-apipath-validation branch October 26, 2021 13:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@realshuting realshuting realshuting left review comments

@JimBugwadia JimBugwadia JimBugwadia approved these changes

Assignees

@realshuting realshuting

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@MarcelMue @JimBugwadia @realshuting