Support operators (>=, <, etc ...) on list values #1838

Merged
merged 1 commit into from Apr 28, 2021

@kacejot kacejot commented Apr 27, 2021

Signed-off-by: Max Goncharenko kacejot@fex.net

Related issue

Closes #1826

What type of PR is this

/kind feature

Proposed Changes

Added new handling logic to the validation handler. Now, if we validate an array, we also check whether there is a string in the pattern, to apply the operator if it is present.

Proof Manifests

I had no manifests, I checked the logic through the tests.

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Signed-off-by: Max Goncharenko <kacejot@fex.net>

@realshuting realshuting left a comment

@kacejot - lgtm, can you please add "working proof" and document what operators are supported?

kacejot commented Apr 28, 2021

@realshuting, sure. Here is a proof.
Policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-resource-command
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: check-resource-command
    exclude:
      resources:
        namespaces:
        - kube-system
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "The resource should not contain '-c' commands"
      anyPattern:
      - spec:
          containers:
            - =(command): ["!-c"]

Resource:

apiVersion: batch/v1
kind: Job
metadata:
  name: hello
spec:
  template:
    spec:
      containers:
      - name: hello
        image: busybox
        command: ['sh', '-c', 'echo "Hello, Kubernetes!" && sleep 3600']
      restartPolicy: OnFailure

Result:

Error from server: error when creating "resource.yaml": admission webhook "validate.kyverno.svc" denied the request: 

resource Job/default/hello was blocked due to the following policies

check-resource-command:
  autogen-check-resource-command: 'validation error: The resource should not contain ''-c'' commands. Rule autogen-check-resource-command[0] failed at path /spec/template/spec/containers/0/command/.'

kacejot commented Apr 28, 2021

Now lists could be validated with all the operators from standard literal validation.
All the operators are described here:

type Operator string

const (
	// Equal stands for ==
	Equal Operator = ""
	// MoreEqual stands for >=
	MoreEqual Operator = ">="
	// LessEqual stands for <=
	LessEqual Operator = "<="
	// NotEqual stands for !
	NotEqual Operator = "!"
	// More stands for >
	More Operator = ">"
	// Less stands for <
	Less Operator = "<"
)

@realshuting realshuting merged commit 0776b43 into kyverno:main Apr 28, 2021
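
An added illustration, not part of the PR and not Kyverno's own code: a simplified Go sketch of applying an operator-prefixed string pattern to each element of a list, as in the proof in the thread. The helper names are hypothetical, and the sketch assumes every element must satisfy the pattern and that the ordering operators compare plain numbers only.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitOperator (hypothetical) peels off a leading operator; ">=" is tried before ">".
func splitOperator(pattern string) (string, string) {
	for _, op := range []string{">=", "<=", "!", ">", "<"} {
		if strings.HasPrefix(pattern, op) {
			return op, strings.TrimSpace(pattern[len(op):])
		}
	}
	return "", pattern // no prefix means Equal, the empty operator
}

// matchElement (hypothetical): ordering operators are numeric only and fail closed.
func matchElement(value, pattern string) bool {
	op, operand := splitOperator(pattern)
	switch op {
	case "":
		return value == operand
	case "!":
		return value != operand
	}
	v, errV := strconv.ParseFloat(value, 64)
	p, errP := strconv.ParseFloat(operand, 64)
	if errV != nil || errP != nil {
		return false
	}
	return map[string]bool{">=": v >= p, "<=": v <= p, ">": v > p, "<": v < p}[op]
}

// firstViolation returns the index of the first failing element, or -1.
func firstViolation(values []string, pattern string) int {
	for i, v := range values {
		if !matchElement(v, pattern) {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed input: the command list of the Job in the proof.
	cmd := []string{"sh", "-c", `echo "Hello, Kubernetes!" && sleep 3600`}
	fmt.Println(firstViolation(cmd, "!-c"))
}
```

Checking the two-character operators first matters for policy correctness: a pattern such as `>=1024` would otherwise be read as `>` with the operand `=1024` and never match.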