feat: added validation check for ensuring the existence of only 'any'/'all' #1791
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related issue
closes #1765
What type of PR is this
Proposed changes
After this PR
If someone declares
preconditions
orvalidate.deny.conditions
containingany
/all
, they won't be able to specify any other sub-field apart fromany
/all
.For example, the following policy:
When the above policy will be applied, the following error will be generated:
Before this PR
If someone specified an ambiguous sub-field like
foo
underpreconditions
orvalidate.deny.conditions
, kyverno wouldn't raise an error like above.For example, the following policy:
On applying the above policy, kyverno wouldn't raise any error. And behind the scenes, whenever the above policy's rule will evaluate an admission request, it would simplpy ignore the conditions specified under ambiguous sub-fields like
foo
but that's not ideal because user might be under the wrong assumption that that condition specified underfoo
would still be evaluating the incoming admission requests and working fine, (this might occur if the user, while writing a policy, unknowingly wrote a type likeanyz
orallz
)Checklist
Further comments