Implement global anchor #2311
Implement global anchor #2311
Conversation
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
|
How would or does this work with other anchors in a policy? I assume there can't be two global anchors, correct? It would be good to better understand this change and what impact it may have to both existing policies in the docs/policies page and for users. |
|
I'd really like to see this presented at a contributors/community meeting so as to ask some live Q&A without having to go back and forth over GitHub and take two weeks. |
|
@chipzoller, unfortunately I can't participate today. The reason is that I need some time to prepare manifests and test them. We could have a call tomorrow. |
|
Hi @kacejot - got a few questions regarding the proof manifests:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: enforce
rules:
- name: check-container-image
match:
resources:
kinds:
- Pod
validate:
pattern:
spec:
containers:
- name: "*"
<(image): "nginx"
apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: 1nginx
ports:
- name: web
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- emptyDir: {}
name: cache-volume
|
|
@realshuting, in your case global condition fails and policy application is skipped. |
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
This reverts commit 08e176a. Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
There was a problem hiding this comment.
@kacejot - the mutate policy works as expected now.
Having a question about validate:
Testing a validate policy, I would expect the pod creation to be blocked while it didn't:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: enforce
rules:
- name: check-container-image
match:
resources:
kinds:
- Pod
validate:
pattern:
spec:
containers:
- name: "*"
<(image): "nginx"
imagePullSecrets:
- name: my-registry-secretapiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: nginx
ports:
- name: web
containerPort: 80
protocol: TCP
imagePullSecrets:
- name: other-registry✗ k apply -f pod.yaml
pod/static-web created
| "imagePullSecrets": [ | ||
| { | ||
| "name": "regcred" | ||
| } | ||
| ] | ||
| } |
There was a problem hiding this comment.
Isn't the conditional anchor works only on its child tags? Why the imagePullSecrets is added to the Pod? Same for the next unit test.
There was a problem hiding this comment.
Because imagePullSecrets is not a child tag for image.
image condition applies only to its list element, but not the elements from the other list.
|
@realshuting, OK, I will take a look on Monday. |
|
I re-tested several times, I have global anchor logic working here. Here are my manifests: Resource: apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: nginx
ports:
- name: web
containerPort: 80
protocol: TCP
imagePullSecrets:
- name: other-registryResource is blocked: apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: enforce
rules:
- name: check-container-image
match:
resources:
kinds:
- Pod
validate:
pattern:
spec:
containers:
- name: "*"
<(image): "nginx"
imagePullSecrets:
- name: my-registry-secretResource is validated: apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: enforce
rules:
- name: check-container-image
match:
resources:
kinds:
- Pod
validate:
pattern:
spec:
containers:
- name: "*"
<(image): "nginx1"
imagePullSecrets:
- name: my-registry-secretIn last policy global anchor condition fails and the policy application is skipped. P.S. I see there some merge conflict appeared. I'm going to resolve them immediately. |
Signed-off-by: Max Goncharenko <kacejot@fex.net>
|
Here is the output for the first case where the resource should be blocked: umka@polarbear ~/Workspace/kyverno/global-anchor-validation [16:38:03]
> $ kubectl create -f ./resource.yaml
Error from server: error when creating "./resource.yaml": admission webhook "validate.kyverno.svc" denied the request:
resource Pod/default/static-web was blocked due to the following policies
sample:
check-container-image: 'validation error: rule check-container-image failed at path
/spec/imagePullSecrets/0/name/' umka@polarbear ~/go/src/github.com/kyverno/kyverno [18:02:32]
> $ git status [±global-anchor ✓]
On branch global-anchor
Your branch is up to date with 'kacejot/global-anchor'.
nothing to commit, working tree clean |
Related issue
closes #2201
Milestone of this PR
/kind feature
Proposed Changes
Added global anchor logic for both validation and strategic merge patch.
Changed e2e tests and updated
add-safe-to-evictpolicy with global anchor.Global anchor is a key wrapped with
<(and)symbols. For example<(image).When global anchor condition fails, entire policy application is skipped.
Proof Manifests
Resource:
Validation:
Strategic merge patch:
^ Here is the updated policy variant
Checklist
[Docs] Add global anchor documentation website#271