add new test; remove unnecessary anchors #2217
Conversation
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Do we need to update doc accordingly? |
|
@realshuting, if we have such policy in the doc, then sure |
|
@kacejot - can you please attach proof results with / without |
|
Does this policy also work if the resource does not have initContainers defined at all? That was one of the issues to begin with. |
|
@kacejot - any update? |
|
Ping @kacejot. |
|
Hi @realshuting, sure. I plan to look it just after flux issue. |
|
Switched to this task |
|
@realshuting @chipzoller 1policy: apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: set-runasnonroot-true
spec:
rules:
- name: set-runasnonroot-true
match:
resources:
kinds:
- Pod
mutate:
patchStrategicMerge:
spec:
securityContext:
runAsNonRoot: true
initContainers:
- (name): "*"
securityContext:
runAsNonRoot: true
containers:
- (name): "*"
securityContext:
runAsNonRoot: trueresource: apiVersion: apps/v1
kind: Deployment
metadata:
name: foo
labels:
app: foo
spec:
replicas: 1
selector:
matchLabels:
app: foo
template:
metadata:
labels:
app: foo
spec:
# initContainers:
# - name: initbusy
# image: busybox:1.28
# command: ["sleep", "9999"]
containers:
- image: busybox:1.28
name: busybox
command: ["sleep", "9999"]
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- foo
- bar
topologyKey: kubernetes.io/hostnameresult: apiVersion: v1
items:
- apiVersion: v1
kind: Pod
metadata:
creationTimestamp: "2021-08-26T11:15:13Z"
generateName: foo-57c4999cd6-
labels:
app: foo
pod-template-hash: 57c4999cd6
name: foo-57c4999cd6-rpdsd
namespace: default
ownerReferences:
- apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: ReplicaSet
name: foo-57c4999cd6
uid: 57c5ce19-e839-4fdc-b0a6-a9f4f3511576
resourceVersion: "2824"
uid: b25ada91-9fce-4d2f-bd24-76d55255650c
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- foo
- bar
topologyKey: kubernetes.io/hostname
containers:
- command:
- sleep
- "9999"
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: busybox
resources: {}
securityContext:
runAsNonRoot: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-kb2wm
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
nodeName: minikube
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: default
serviceAccountName: default
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- name: default-token-kb2wm
secret:
defaultMode: 420
secretName: default-token-kb2wmAs you can see, both 2same policy apiVersion: apps/v1
kind: Deployment
metadata:
name: foo
labels:
app: foo
spec:
replicas: 1
selector:
matchLabels:
app: foo
template:
metadata:
labels:
app: foo
spec:
initContainers:
- name: initbusy
image: busybox:1.28
command: ["sleep", "9999"]
containers:
- image: busybox:1.28
name: busybox
command: ["sleep", "9999"]
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- foo
- bar
topologyKey: kubernetes.io/hostnameresult: ...
containers:
- command:
- sleep
- "9999"
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: busybox
resources: {}
securityContext:
runAsNonRoot: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-kb2wm
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
initContainers:
- command:
- sleep
- "9999"
image: busybox:1.28
imagePullPolicy: IfNotPresent
name: initbusy
resources: {}
securityContext:
runAsNonRoot: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: default-token-kb2wm
readOnly: true
nodeName: minikube
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Always
schedulerName: default-scheduler
securityContext:
runAsNonRoot: true
serviceAccount: default
...Here we also have all mutations applied. |
|
Ok, Max, looks good. So this clearly looks like user error on my part, but when you say
what does that mean? Where in the original policy in #1916 were there "nested anchors"? I think my confusion came from the fact that in a And how can we turn these learnings into documentation? Maybe just use this as an example? |
|
@chipzoller, for now conditions in mutate and validate work the same way. We do not support nested anchors, because it is written so in the doc: https://kyverno.io/docs/writing-policies/mutate/#conditional-anchor (the last sentence from the chapter). Nested anchors are present in #1916 description: spec:
securityContext:
runAsNonRoot: true
# (initContainers):
# - (name): "*"
# securityContext:
# runAsNonRoot: trueAs you can see
Why there should be any fail? For example we have: spec:
securityContext:
runAsNonRoot: true
initContainers:
- (name): "*"
securityContext:
runAsNonRoot: trueYou can read this as "For any initContainers element that has any name, set |
|
There wouldn't be a failure in a mutation policy, but there would in a validate policy. spec:
securityContext:
runAsNonRoot: true
initContainers:
- (name): "*"
securityContext:
runAsNonRoot: trueIf the |
|
I think we could support nested anchors. In this case we would read this: spec:
securityContext:
runAsNonRoot: true
(initContainers):
- (name): "*"
securityContext:
runAsNonRoot: trueas: The pattern from the algorithm: securityContext:
runAsNonRoot: trueWe have validation with the pattern here, because all the part: - (name): "*"
securityContext:
runAsNonRoot: trueis a value of |
|
@chipzoller, I see. So condition anchor still has different functionality in mutation and validation. |
|
I looked at the code and maybe it is already works as I described here: |
If that's so, wouldn't this whole thing be a non-issue then? |
|
I think yes, but we need to check first. |
There was a problem hiding this comment.
Can we add both test cases (as you attached in this comment)?
I think I'm lost here, is the conditional anchor works the same in mutate and validate rules? |
|
@realshuting, yes, they work the same. The only difference is if we have next pattern: validate:
parent:
(condition): ''123*"Then validation will fail if we don't have In mutation the same policy: strategicMergePatch:
parent:
(condition):"123*"It will not add the parent, if condition failed. |
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko goncharenko.maxim@apriorit.com
Related issue
Closes #1916
What type of PR is this
/kind cleanup
Proposed Changes
There was no issue, we just needed to modify policy to work correct.
Added logic that removes unnecessary conditional anchors from lists.
Added test that covers #1916 case.
Note that I removed unnecessary conditional anchor from #1916 reference manifest. It breaks the policy. We don't support nested anchors.
Proof Manifests
Here is corrected policy:
Resource:
Checklist