Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix | Support gvk in CLI for policies applied on cluster #2364

Merged
merged 1 commit into from
Sep 6, 2021
Merged

Fix | Support gvk in CLI for policies applied on cluster #2364

merged 1 commit into from
Sep 6, 2021

Conversation

NoSkillGirl
Copy link
Contributor

@NoSkillGirl NoSkillGirl commented Sep 6, 2021
edited

Signed-off-by: NoSkillGirl singhpooja240393@gmail.com

Related issue

closes #2363

Milestone of this PR

Add the milestone label by commenting /milestone 1.4.3.

What type of PR is this

/kind bug

Proposed Changes

Extracting kind from the policy kinds by string operations.

Proof Manifests

policy.yaml:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: container-image-latest
  annotations:
    policies.kyverno.io/owner: Red Hat CoP
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: Check a Deployment is not using the latest tag for their image
spec:
  validationFailureAction: enforce
  rules:
  - name: validate-resources
    match:
      resources:
        kinds:
        - apps/v1/Deployment
    validate:
      message: "{{request.object.kind}}/{{request.object.metadata.name}}: one of its containers is using the latest tag for its image, which is an anti-pattern."
      pattern:
        spec:
          template:
            spec:
              containers:
              - name: "*"
                image: "!*:latest"

apply the following deployment in cluster:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: Foo
  name: imageuseslatesttag
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: Foo
  template:
    metadata:
      labels:
        app.kubernetes.io/name: Foo
    spec:
      containers:
        - name: bar
          image: quay.io/redhat-cop/openshift-applier:latest

Now apply the policy on the deployment:

$ kyverno apply policy.yaml --cluster

Applying 1 policy to 5 resources... 
(Total number of result count may vary as the policy is mutated by Kyverno. To check the mutated policy please try with log level 5)

policy container-image-latest -> resource default/Deployment/imageuseslatesttag failed: 
1. validate-resources: validation error: Deployment/imageuseslatesttag: one of its containers is using the latest tag for its image, which is an anti-pattern. Rule validate-resources failed at path /spec/template/spec/containers/0/image/ 

pass: 4, fail: 1, warn: 0, error: 0, skip: 0 
exit status 1

Checklist

  • I have read the contributing guidelines.
  • [] I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

@NoSkillGirl
issue fixed
0054da8 
Signed-off-by: NoSkillGirl <singhpooja240393@gmail.com>
@NoSkillGirl NoSkillGirl merged commit 745838f into kyverno:main Sep 6, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vyankyGH vyankyGH vyankyGH approved these changes

@JimBugwadia JimBugwadia Awaiting requested review from JimBugwadia

@realshuting realshuting Awaiting requested review from realshuting

Assignees

@vyankyGH vyankyGH

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Support gvk in CLI for policies applied on cluster
2 participants
@NoSkillGirl @vyankyGH