
Bug fix background scan issue for any/all in match/exclude #2381

Merged
merged 2 commits into from
Sep 13, 2021

Conversation

vyankyGH
Contributor

@vyankyGH vyankyGH commented Sep 13, 2021

Signed-off-by: Vyankatesh vyankateshkd@gmail.com

Related issue

closes #2299

Milestone of this PR

/milestone 1.4.3

What type of PR is this

Fix issue of any / all functionality with match / exclude block

Proposed Changes

Proof Manifests

Apply these resources:

apiVersion: v1
kind: Namespace
metadata:
  name: test
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: test
  namespace: test
data:
  foo: bar

Apply policy with any

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
spec:
  background: true
  validationFailureAction: audit # even with enforce
  rules:
    - name: test
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
      validate:
        message: "Metadata label 'name' is required."
        pattern:
          metadata:
            labels:
              name: "?*"

Result
kubectl get  polr -n test
NAME           PASS   FAIL   WARN   ERROR   SKIP   AGE
polr-ns-test   0      2      0      0       0      7m

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • My PR contains new or altered behavior to Kyverno and
    • I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments

@vyankyGH vyankyGH added the wip work in progress label Sep 13, 2021
@vyankyGH vyankyGH changed the title BUg fix background scan issue for any/all in match/exclude Bug fix background scan issue for any/all in match/exclude Sep 13, 2021
@vyankyGH vyankyGH removed the wip work in progress label Sep 13, 2021
@realshuting realshuting self-assigned this Sep 13, 2021
@realshuting realshuting merged commit bfd651c into kyverno:main Sep 13, 2021
Comment on lines +41 to +46
for _, value := range exclude.All {
pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
}
for _, value := range exclude.Any {
pc.processExistingKinds(value.ResourceDescription.Kinds, policy, rule, logger)
}
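Review bot: both loops have the same body, so `exclude.Any` and `exclude.All` are handled identically even though their semantics differ (each `any` entry excludes on its own, while `all` entries apply only when merged), and `processExistingKinds` fetches the resources to scan for the kinds it is given, so passing the exclude kinds here adds those resources to the scan instead of removing them. Suggest building the resource map from the match kinds only and then applying a separate exclude filter that evaluates `any` per entry and `all` as one merged description.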
Member


processExistingKinds takes the matching kind to fetch the list of resources. Why do we pass exclude kinds list here?

We should update this logic to filter out resources excluded from any/all:

excludeResources(resourceMap, rule.ExcludeResources.ResourceDescription, pc.configHandler, log)

Note that we need to exclude each entry individually in any, but all (merged) entries in all. For example:
The following rule excludes all Pods and all resources in namespace staging.

exclude:
  any:
  - resources:
      kinds:
      - Pod
  - resources:
      namespaces:
      - staging

While this rule excludes the Pod from the staging namespace only.

exclude:
  all:
  - resources:
      kinds:
      - Pod
  - resources:
      namespaces:
      - staging

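The any/all exclude semantics described in the comment above, as an added Go example that is not Kyverno's own code: `ResourceDescription`, `Resource`, `matches` and `Excluded` are constructed stand-ins, and the sample objects are made up.

```go
package main

import "fmt"

// ResourceDescription: constructed subset (kinds, namespaces) of the rule field, not Kyverno's type.
type ResourceDescription struct {
	Kinds      []string
	Namespaces []string
}

// Resource is a minimal stand-in for an object found by the background scan.
type Resource struct{ Kind, Name, Namespace string }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches reports whether r satisfies every field that rd actually sets.
func matches(r Resource, rd ResourceDescription) bool {
	return (len(rd.Kinds) == 0 || contains(rd.Kinds, r.Kind)) &&
		(len(rd.Namespaces) == 0 || contains(rd.Namespaces, r.Namespace))
}

// Excluded follows the review comment: under `any` each entry excludes on its own;
// under `all` the entries are merged, so every entry must be satisfied.
func Excluded(r Resource, anyEntries, allEntries []ResourceDescription) bool {
	for _, e := range anyEntries {
		if matches(r, e) {
			return true
		}
	}
	if len(allEntries) == 0 {
		return false
	}
	for _, e := range allEntries {
		if !matches(r, e) {
			return false
		}
	}
	return true
}

func main() {
	entries := []ResourceDescription{{Kinds: []string{"Pod"}}, {Namespaces: []string{"staging"}}}
	pod := Resource{"Pod", "web", "default"}
	fmt.Println(Excluded(pod, entries, nil), Excluded(pod, nil, entries)) // true false
}
```

The same two entries exclude a Pod in `default` under `any` but not under `all`, which is exactly the difference the comment draws between the two rules.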
Successfully merging this pull request may close these issues.

[BUG] Background scan doesn't work