Resolving variables from the resource passed | CLI #2180

Merged


@NoSkillGirl NoSkillGirl commented Jul 21, 2021

Signed-off-by: NoSkillGirl singhpooja240393@gmail.com

Related issue

closes #1996
closes #1870

What type of PR is this

/kind bug
/kind feature

Proposed Changes

  • added resource in the context to get request.object.* variables
  • added check for the variable - user should pass variable other than request.object.* variables
  • supporting list variable in cli

Proof Manifests

Example 1:
Apply the following policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mutate-ingress-host
spec:
  rules:
  - name: mutate-rules-host
    match:
      resources:
        kinds:
        - Ingress
    preconditions:
      - key: "{{request.object.spec.rules[0].host}}"
        operator: NotEquals
        value: "*.mycompany.com"
    mutate:
      patchesJson6902: |-
        - op: replace
          path: /spec/rules/0/host
          value: some.mycompany.com
  - name: mutate-tls-hosts
    match:
      resources:
        kinds:
        - Ingress
    preconditions:
      - key: "{{request.object.spec.tls[0].hosts[0]}}"
        operator: NotEquals
        value: "*.mycompany.com"
    mutate:
      patchStrategicMerge:
        spec:
          tls:
          - hosts:
            - "some.mycompany.com"

on the following resource:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard
  labels:
    app: kuard
spec:
  rules:
  - host: kuard
    http:
      paths:
      - backend:
          service: 
            name: kuard
            port: 
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
     - kuard

Command:

kyverno apply policy.yaml -r resource.yaml

Result:

applying 1 policy to 1 resource... 

mutate policy mutate-ingress-host applied to default/Ingress/kuard:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: kuard
  name: kuard
  namespace: default
spec:
  rules:
  - host: some.mycompany.com
    http:
      paths:
      - backend:
          service:
            name: kuard
            port:
              number: 8080
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - some.mycompany.com

---

pass: 1, fail: 0, warn: 0, error: 0, skip: 0 

Example 2:
Apply the following policy:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-service-labels-env
spec:
  background: false
  rules:
  - name: set-service-env
    match:
      resources:
        kinds:
        - Deployment
        - DeploymentConfig
        - DaemonSet
        - StatefulSet
    exclude:
      resources:
        namespaces:
          - "kube*"
          - "openshift*"
          - "kube-*"
          - "openshift-*"
    preconditions:
      all:
        - key: "{{ request.operation }}"
          operator: Equals
          value: "CREATE"
        - key: "SERVICE"
          operator: NotIn
          value: "{{ request.object.spec.template.spec.containers[].env[].name }}"
    mutate:
      patchesJson6902: |-
       - op: add
         path: /spec/template/spec/containers/0/env/-1
         value: {"name": "SERVICE","value": "something" }

on the following resource:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-dep2
  namespace: default
  labels:
    app: hello-openshift
spec:
  selector:
    matchLabels:
      app: hello-openshift
  replicas: 1
  template:
    metadata:
      labels:
        app: hello-openshift
        foo: bar
    spec:
      containers:
        - name: hello-openshift
          image: openshift/hello-openshift
          ports:
          - containerPort: 8080
          env:
          - name: test
            value: some-value

Command:

kyverno apply policy.yaml -r resource.yaml -s request.operation=CREATE  

Result:

applying 1 policy to 1 resource... 

mutate policy set-service-labels-env applied to default/Deployment/my-dep2:
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: hello-openshift
  name: my-dep2
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
        foo: bar
    spec:
      containers:
      - env:
        - name: test
          value: some-value
        - name: SERVICE
          value: something
        image: openshift/hello-openshift
        name: hello-openshift
        ports:
        - containerPort: 8080

---

pass: 1, fail: 0, warn: 0, error: 0, skip: 0 

Checklist

Further Comments
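
The behaviour listed under Proposed Changes, as an added Go sketch that is not part of this PR or Kyverno's code: `request.object.*` paths are read from the resource, other variables come from user-set values, and user-set `request.object.*` keys are rejected. The function names and the minimal path walker (standing in for Kyverno's JMESPath evaluation) are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Sketch, not Kyverno's code: reject user-set variables that would shadow resource fields.
func checkVars(vars map[string]string) error {
	for k := range vars {
		if strings.HasPrefix(k, "request.object.") {
			return fmt.Errorf("%s is read from the resource and cannot be set", k)
		}
	}
	return nil
}

// lookup prefers a user-set variable, else walks request.object.*; "k[N]" indexes, "k[]" flattens.
func lookup(resource map[string]interface{}, vars map[string]string, path string) []interface{} {
	if v, ok := vars[path]; ok {
		return []interface{}{v}
	}
	cur := []interface{}{map[string]interface{}{"request": map[string]interface{}{"object": resource}}}
	for _, seg := range strings.Split(path, ".") {
		key, idx, hasIdx := strings.Cut(seg, "[")
		var next []interface{}
		for _, c := range cur {
			m, _ := c.(map[string]interface{})
			v, ok := m[key]
			list, _ := v.([]interface{})
			n, err := strconv.Atoi(strings.TrimSuffix(idx, "]"))
			switch {
			case ok && !hasIdx:
				next = append(next, v)
			case idx == "]":
				next = append(next, list...)
			case err == nil && n >= 0 && n < len(list):
				next = append(next, list[n])
			}
		}
		cur = next
	}
	return cur
}

func main() {
	fmt.Println(lookup(map[string]interface{}{"kind": "Ingress"}, nil, "request.object.kind"), checkVars(map[string]string{"request.object.kind": "Pod"}))
}
```
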

@NoSkillGirl NoSkillGirl added wip work in progress doc required labels Jul 21, 2021
@NoSkillGirl NoSkillGirl added this to the Kyverno Release 1.4.2 milestone Jul 21, 2021
@NoSkillGirl NoSkillGirl force-pushed the feature/1996_set_variable_from_resource branch from b028b2f to 7fd39cd Compare July 22, 2021 18:50
@NoSkillGirl NoSkillGirl changed the title Resolving variables from the resource passed | CLI Resolving variables from the resource passed | apply command | CLI Jul 23, 2021
@NoSkillGirl NoSkillGirl removed the wip work in progress label Jul 23, 2021
@NoSkillGirl NoSkillGirl changed the title Resolving variables from the resource passed | apply command | CLI Resolving variables from the resource passed | CLI Jul 23, 2021
@vyankyGH

I have tested it. Looks good to me.

@realshuting realshuting self-assigned this Jul 23, 2021
Successfully merging this pull request may close these issues.

CLI variables should be coming from the resources itself
[BUG] List variables cannot be handled in CLI