Implement global anchor #2311
Conversation
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
How would or does this work with other anchors in a policy? I assume there can't be two global anchors, correct? It would be good to better understand this change and what impact it may have to both existing policies in the docs/policies page and for users.

I'd really like to see this presented at a contributors/community meeting so as to ask some live Q&A without having to go back and forth over GitHub and take two weeks.

@chipzoller, unfortunately I can't participate today. The reason is that I need some time to prepare manifests and test them. We could have a call tomorrow.
Hi @kacejot - got a few questions regarding the proof manifests:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sample
spec:
validationFailureAction: enforce
rules:
- name: check-container-image
match:
resources:
kinds:
- Pod
validate:
pattern:
spec:
containers:
- name: "*"
<(image): "nginx"
apiVersion: v1
kind: Pod
metadata:
name: static-web
labels:
role: myrole
spec:
containers:
- name: web
image: 1nginx
ports:
- name: web
containerPort: 80
protocol: TCP
volumeMounts:
- mountPath: /cache
name: cache-volume
volumes:
- emptyDir: {}
name: cache-volume
|
@realshuting, in your case global condition fails and policy application is skipped. |
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
This reverts commit 08e176a. Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
Signed-off-by: Maxim Goncharenko <goncharenko.maxim@apriorit.com>
@kacejot - the mutate policy works as expected now.

Having a question about validate:

Testing a validate policy, I would expect the pod creation to be blocked while it didn't:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sample
spec:
  validationFailureAction: enforce
  rules:
  - name: check-container-image
    match:
      resources:
        kinds:
        - Pod
    validate:
      pattern:
        spec:
          containers:
          - name: "*"
            <(image): "nginx"
          imagePullSecrets:
          - name: my-registry-secret
```

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  labels:
    role: myrole
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
      protocol: TCP
  imagePullSecrets:
  - name: other-registry
```

```
✗ k apply -f pod.yaml
pod/static-web created
```
```json
    "imagePullSecrets": [
      {
        "name": "regcred"
      }
    ]
  }
```
Doesn't the conditional anchor work only on its child tags? Why is the imagePullSecrets added to the Pod? Same for the next unit test.
Because imagePullSecrets is not a child tag for image. The image condition applies only to its list element, but not to the elements from the other list.

@realshuting, OK, I will take a look on Monday.
I re-tested several times, I have global anchor logic working here. Here are my manifests:

Resource:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: static-web
  labels:
    role: myrole
spec:
  containers:
  - name: web
    image: nginx
    ports:
    - name: web
      containerPort: 80
      protocol: TCP
  imagePullSecrets:
  - name: other-registry
```

Resource is blocked:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sample
spec:
  validationFailureAction: enforce
  rules:
  - name: check-container-image
    match:
      resources:
        kinds:
        - Pod
    validate:
      pattern:
        spec:
          containers:
          - name: "*"
            <(image): "nginx"
          imagePullSecrets:
          - name: my-registry-secret
```

Resource is validated:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sample
spec:
  validationFailureAction: enforce
  rules:
  - name: check-container-image
    match:
      resources:
        kinds:
        - Pod
    validate:
      pattern:
        spec:
          containers:
          - name: "*"
            <(image): "nginx1"
          imagePullSecrets:
          - name: my-registry-secret
```

In the last policy the global anchor condition fails and the policy application is skipped.

P.S. I see some merge conflicts appeared. I'm going to resolve them immediately.
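The two points made in this thread, that a conditional anchor `(key)` only scopes its own list element while a global anchor `<(key)` gates the whole rule, and the three outcomes shown by the manifests above (blocked, validated, skipped), as an added example that is not part of this PR and not Kyverno's own code: a small Python model of `validate.pattern` evaluation. The helper names (`validate`, `make_pattern`, `make_pod`), the rule that a one-element pattern list applies to every resource element, and the use of glob matching for `"*"` are assumptions of this model; the manifests it evaluates are the ones from the thread, built inline.

```python
"""Toy model of Kyverno-style conditional "(key)" and global "<(key)" anchors.

This is an illustration written for this discussion, not Kyverno's evaluator.
"""
from fnmatch import fnmatchcase
from typing import Any, List, Optional, Tuple


class GlobalAnchorFailed(Exception):
    """A global anchor did not hold: the entire rule is skipped."""


class ConditionalAnchorFailed(Exception):
    """A conditional anchor did not hold: only the enclosing element is skipped."""


def _anchor_kind(key: str) -> Tuple[str, str]:
    """Return (kind, bare_key) where kind is 'global', 'conditional' or 'plain'."""
    if key.startswith("<(") and key.endswith(")"):
        return "global", key[2:-1]
    if key.startswith("(") and key.endswith(")"):
        return "conditional", key[1:-1]
    return "plain", key


def _match(pattern: Any, resource: Any, path: str) -> Optional[str]:
    """Return None when resource satisfies pattern, else the path of the first mismatch."""
    if isinstance(pattern, dict):
        if not isinstance(resource, dict):
            return path
        plain: List[Tuple[str, Any]] = []
        # Anchors are checked first; plain keys are enforced only if every anchor holds.
        for key, sub in pattern.items():
            kind, bare = _anchor_kind(key)
            if kind == "plain":
                plain.append((bare, sub))
                continue
            holds = bare in resource and _match(sub, resource[bare], f"{path}/{bare}") is None
            if not holds:
                exc = GlobalAnchorFailed if kind == "global" else ConditionalAnchorFailed
                raise exc(f"{path}/{bare}")
        for bare, sub in plain:
            if bare not in resource:
                return f"{path}/{bare}"
            err = _match(sub, resource[bare], f"{path}/{bare}")
            if err is not None:
                return err
        return None
    if isinstance(pattern, list):
        if not isinstance(resource, list):
            return path
        # Assumption of this model: each pattern element is applied to every resource element.
        for i, elem in enumerate(resource):
            for pat in pattern:
                try:
                    err = _match(pat, elem, f"{path}/{i}")
                except ConditionalAnchorFailed:
                    continue  # conditional anchor: skip only this element, keep checking the rest
                if err is not None:
                    return err
        return None
    # Scalars: string patterns are globs, so "*" matches any value.
    if isinstance(pattern, str) and isinstance(resource, str):
        return None if fnmatchcase(resource, pattern) else path
    return None if pattern == resource else path


def validate(pattern: dict, resource: dict) -> Tuple[str, str]:
    """Evaluate a validate.pattern: ('pass', ''), ('fail', path) or ('skip', path)."""
    try:
        err = _match(pattern, resource, "")
    except (GlobalAnchorFailed, ConditionalAnchorFailed) as exc:
        return "skip", str(exc)  # GlobalAnchorFailed is never caught by the list loop
    return ("fail", err) if err is not None else ("pass", "")


def make_pattern(image_key: str, image: str) -> dict:
    """The check-container-image pattern from the thread; image_key selects the anchor."""
    return {"spec": {"containers": [{"name": "*", image_key: image}],
                     "imagePullSecrets": [{"name": "my-registry-secret"}]}}


def make_pod(image: str, secret: str) -> dict:
    """The static-web Pod from the thread (constructed inline)."""
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "static-web"},
            "spec": {"containers": [{"name": "web", "image": image,
                                     "ports": [{"name": "web", "containerPort": 80}]}],
                     "imagePullSecrets": [{"name": secret}]}}


if __name__ == "__main__":
    print("global anchor holds, secret wrong:  ", validate(make_pattern("<(image)", "nginx"), make_pod("nginx", "other-registry")))
    print("global anchor fails, rule skipped:  ", validate(make_pattern("<(image)", "nginx1"), make_pod("nginx", "other-registry")))
    print("conditional anchor fails, still blocked:", validate(make_pattern("(image)", "nginx1"), make_pod("nginx", "other-registry")))
    print("everything matches:                ", validate(make_pattern("<(image)", "nginx"), make_pod("nginx", "my-registry-secret")))
```

The third case is the one the review thread turns on: with `(image)` the mismatched container element is dropped from evaluation but `imagePullSecrets` is still enforced and the Pod is blocked, whereas with `<(image)` the same mismatch skips the whole rule.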
Signed-off-by: Max Goncharenko <kacejot@fex.net>
Here is the output for the first case where the resource should be blocked:

```
umka@polarbear ~/Workspace/kyverno/global-anchor-validation [16:38:03]
> $ kubectl create -f ./resource.yaml
Error from server: error when creating "./resource.yaml": admission webhook "validate.kyverno.svc" denied the request:
resource Pod/default/static-web was blocked due to the following policies
sample:
  check-container-image: 'validation error: rule check-container-image failed at path
    /spec/imagePullSecrets/0/name/'
```

```
umka@polarbear ~/go/src/github.com/kyverno/kyverno [18:02:32]
> $ git status [±global-anchor ✓]
On branch global-anchor
Your branch is up to date with 'kacejot/global-anchor'.
nothing to commit, working tree clean
```
Related issue

closes #2201

Milestone of this PR

/kind feature

Proposed Changes

- Added global anchor logic for both validation and strategic merge patch.
- Changed e2e tests and updated `add-safe-to-evict` policy with global anchor.

Global anchor is a key wrapped with `<(` and `)` symbols. For example `<(image)`. When the global anchor condition fails, the entire policy application is skipped.

Proof Manifests

Resource:

Validation:

Strategic merge patch:

^ Here is the updated policy variant

Checklist

- [Docs] Add global anchor documentation website#271