Bugfix: Make match.resources.kinds required #1852

Merged
merged 6 commits into from Apr 29, 2021

vyankyGH
Contributor

Related issue

closes #1734

What type of PR is this

Validate matchResource kind object in cluster policy.

/kind feature

Proposed Changes

After this PR
If someone has not added the match resource kind, the policy will not get applied.

Proof Manifests

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata: 
  name: disallow-bind-mounts
spec: 
  validationFailureAction: enforce
  rules: 
  - name: validate-hostPath
    match: 
      resources: 
        kinds: 
    validate: 
      message: "Host path volumes are not allowed"
      pattern: 
        spec: 
          =(volumes): 
          - X(hostPath): "null"

When the above policy is applied, the following error is generated:

The ClusterPolicy "disallow-bind-mounts" is invalid: spec.rules.match.resources.kinds: Invalid value: "null": spec.rules.match.resources.kinds

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: policy-to-monitor-root-user-access
spec:
  validationFailureAction: audit
  rules:
  - name: monitor-annotation-for-root-user-access
    match:
      resources:
        selector:
          matchLabels:
            AllowRootUserAccess: "true"
    validate:
      message: "Label provisioner.wg.net/cloudprovider is required"
      pattern:
        metadata:
          labels:
            provisioner.wg.net/cloudprovider: "*"

Error from server: error when creating ".\\policy.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: At least one element must be specified in a kind block. The kind attribute is mandatory when working with the resources element

Checklist

Further Comments

@vyankyGH vyankyGH self-assigned this Apr 29, 2021
@vyankyGH vyankyGH assigned realshuting and unassigned vyankyGH Apr 29, 2021
@realshuting realshuting merged commit 34af7a9 into kyverno:main Apr 29, 2021
@vyankyGH vyankyGH deleted the kind_required branch February 18, 2022 10:36
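
A pre-apply check for the condition this PR enforces, as an added example that is not Kyverno's code or part of the original PR: it flags rules whose match.resources.kinds is absent, null or empty. The type and function names are hypothetical, and the sample policies are constructed JSON renderings of the two proof manifests plus one rule with a kind set.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// policy is a minimal view of a ClusterPolicy: only the fields this check reads.
type policy struct {
	Spec struct {
		Rules []struct {
			Name  string `json:"name"`
			Match struct {
				Resources struct {
					Kinds []string `json:"kinds"`
				} `json:"resources"`
			} `json:"match"`
		} `json:"rules"`
	} `json:"spec"`
}

// missingKinds returns the names of rules whose match.resources.kinds is
// absent, null or an empty list (hypothetical helper, not a Kyverno API).
func missingKinds(doc []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var bad []string
	for _, r := range p.Spec.Rules {
		if len(r.Match.Resources.Kinds) == 0 {
			bad = append(bad, r.Name)
		}
	}
	return bad, nil
}

// Constructed samples: kinds null, kinds absent (selector only), kinds set.
const (
	nullKinds    = `{"spec":{"rules":[{"name":"validate-hostPath","match":{"resources":{"kinds":null}}}]}}`
	selectorOnly = `{"spec":{"rules":[{"name":"monitor-annotation-for-root-user-access","match":{"resources":{"selector":{"matchLabels":{"AllowRootUserAccess":"true"}}}}}]}}`
	withKinds    = `{"spec":{"rules":[{"name":"validate-hostPath","match":{"resources":{"kinds":["Pod"]}}}]}}`
)

func main() {
	for _, doc := range []string{nullKinds, selectorOnly, withKinds} {
		bad, err := missingKinds([]byte(doc))
		fmt.Printf("rules missing kinds: %v (err: %v)\n", bad, err)
	}
}
```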
Development

Successfully merging this pull request may close these issues.

Should match.resources.kinds be required?