
Validation for generate loops and support ClusterPolicy/Policy in match block #2275

Merged (3 commits) on Aug 20, 2021

Conversation

vyankyGH (Contributor) commented Aug 18, 2021

Signed-off-by: Vyankatesh vyankateshkd@gmail.com

Related issue

closes #2149
closes #1941

Milestone of this PR

/milestone 1.5.0

Proposed Changes

Proof Manifests

A policy whose generate kind is the same as its match kind gets blocked during installation:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
  annotations:
    policies.kyverno.io/title: Add Network Policy
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/subject: NetworkPolicy
    policies.kyverno.io/description: >-
      By default, Kubernetes allows communications across all Pods within a cluster. 
      The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict 
      communications. A default NetworkPolicy should be configured for each Namespace to 
      default deny all ingress and egress traffic to the Pods in the Namespace. Application 
      teams can then configure additional NetworkPolicy resources to allow desired traffic 
      to application Pods from select sources. This policy will create a new NetworkPolicy resource
      named `default-deny` which will deny all traffic anytime a new Namespace is created.      
spec:
  validationFailureAction: audit
  rules:
  - name: default-deny
    match:
      resources: 
        kinds:
        - NetworkPolicy
    generate:
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          # deny all traffic
          policyTypes: 
          - Ingress
          - Egress

Error from server: error when creating ".\\Yamls\\policy-label.yaml": admission webhook "validate-policy.kyverno.svc" denied the request: generation kind and match resource kind should not be the same.

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • My PR contains new or altered behavior to Kyverno and
    • I have added or changed the documentation myself in an existing PR and the link is:
    • [ ] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [ ] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments
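The check the proof manifest above exercises, written out as a stand-alone Go example. This is added illustration, not Kyverno's own code from this PR: the `Rule`, `Match` and `Generate` types are a constructed, simplified shape with only the fields the loop check needs, and `ValidateGenerateLoop` is a hypothetical function name. The first sample rule reproduces the rejected manifest (match kind and generate kind both `NetworkPolicy`); the second is the shape the policy's own description implies (trigger on `Namespace`, generate a `NetworkPolicy`), which passes. The example compares kind strings literally and does not normalize the group/version forms a real policy may use.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified rule shape for this example (not Kyverno's types).
type Match struct {
	Kinds []string
}

type Generate struct {
	Kind string
}

type Rule struct {
	Name     string
	Match    Match
	Generate *Generate // nil for rules that do not generate anything
}

// ErrGenerateLoop carries the message quoted in the admission error above.
var ErrGenerateLoop = errors.New("generation kind and match resource kind should not be the same")

// ValidateGenerateLoop rejects a rule whose generate kind also appears among
// the kinds it matches. Such a rule would be triggered by the very resource
// it creates, so each generated object would trigger another generation.
func ValidateGenerateLoop(r Rule) error {
	if r.Generate == nil {
		return nil // validate/mutate-only rules cannot loop this way
	}
	for _, k := range r.Match.Kinds {
		if k == r.Generate.Kind {
			return fmt.Errorf("rule %q: %w", r.Name, ErrGenerateLoop)
		}
	}
	return nil
}

// ValidatePolicy runs the loop check over every rule and returns the first
// failure, mirroring how an admission webhook would deny the whole policy.
func ValidatePolicy(rules []Rule) error {
	for _, r := range rules {
		if err := ValidateGenerateLoop(r); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// The rejected proof manifest: matches NetworkPolicy, generates NetworkPolicy.
	loop := Rule{
		Name:     "default-deny",
		Match:    Match{Kinds: []string{"NetworkPolicy"}},
		Generate: &Generate{Kind: "NetworkPolicy"},
	}
	// The intended shape: a new Namespace triggers creation of a NetworkPolicy.
	ok := Rule{
		Name:     "default-deny",
		Match:    Match{Kinds: []string{"Namespace"}},
		Generate: &Generate{Kind: "NetworkPolicy"},
	}
	fmt.Println("looping rule:", ValidatePolicy([]Rule{loop}))
	fmt.Println("fixed rule:  ", ValidatePolicy([]Rule{ok}))
}
```

Running `go run` on the block prints the wrapped loop error for the first policy and `<nil>` for the second; `errors.Is(err, ErrGenerateLoop)` lets callers distinguish this denial from other validation failures.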

@vyankyGH vyankyGH added the wip work in progress label Aug 18, 2021
Review threads (outdated, resolved) on pkg/policy/actions.go and pkg/policy/validate.go
chipzoller (Member) left a comment

PR needs to be completed with descriptive info and proof manifests

@realshuting realshuting removed the wip work in progress label Aug 20, 2021
@realshuting realshuting merged commit 8c7858c into kyverno:main Aug 20, 2021
@vyankyGH vyankyGH deleted the Validate_same_kind branch September 1, 2022 13:13