Fix - policy gets blocked with 1.4.3-rc1 if any/all is defined in match block #2388

Merged
merged 1 commit into from
Sep 15, 2021

@realshuting (Member) commented Sep 14, 2021

Related issue

Fixes #2392.

Also relates to #2337.

Milestone of this PR

/milestone 1.4.3

What type of PR is this

/kind bug

Proposed Changes

PR #2261 converts GVK to its valid format during policy mutation, while any/all is not handled properly.

This PR covers any/all conversion in both match and exclude, to name them: match.any.resources.kinds, match.all.resources.kinds, exclude.any.resources.kinds, exclude.all.resources.kinds.

Proof Manifests

Creation of the following policies passes:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
spec:
  rules:
    - name: test
      match:
        all:
        - resources:
            kinds:
            - configmap
      exclude:
        all:
        - resources:
            kinds:
            - configmap
      validate:
        message: "Metadata label 'name' is required."
        pattern:
          metadata:
            labels:
              name: "?*"
```

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: test
spec:
  rules:
    - name: test
      match:
        any:
        - resources:
            kinds:
            - configmap
      exclude:
        any:
        - resources:
            kinds:
            - Pod
      validate:
        message: "Metadata label 'name' is required."
        pattern:
          metadata:
            labels:
              name: "?*"
```

Checklist

  • I have read the contributing guidelines.
  • I have added tests that prove my fix is effective or that my feature works.
  • [] My PR contains new or altered behavior to Kyverno and
    • [] I have added or changed the documentation myself in an existing PR and the link is:
    • [] I have raised an issue in kyverno/website to track the doc update and the link is:
    • [] I have read the PR documentation guide and followed the process including adding proof manifests to this PR.

Further Comments

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
@realshuting realshuting merged commit efdb788 into kyverno:main Sep 15, 2021
@realshuting realshuting deleted the policymutattion_any_all branch April 25, 2022 16:19
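
The traversal this PR describes, as an added example that is not Kyverno's code: it visits the four `kinds` locations named above and reports every value the normalizer rewrote. The types, `NormalizeKinds`, and the `capitalize` rule (upper-casing the first letter) are assumptions made for illustration; the page does not state the exact conversion rule.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical trimmed-down types holding only the fields the PR names.
type Resources struct{ Kinds []string }
type Filter struct{ Resources Resources }
type Block struct{ Any, All []Filter }
type Rule struct{ Match, Exclude Block }

// capitalize is a stand-in normalizer for ASCII kinds (assumption, not Kyverno's rule).
func capitalize(kind string) string {
	if kind == "" {
		return kind
	}
	return strings.ToUpper(kind[:1]) + kind[1:]
}

// NormalizeKinds rewrites kinds in all four any/all locations and returns what changed.
func NormalizeKinds(rule *Rule, norm func(string) string) []string {
	groups := []struct {
		path    string
		filters []Filter
	}{
		{"match.any", rule.Match.Any}, {"match.all", rule.Match.All},
		{"exclude.any", rule.Exclude.Any}, {"exclude.all", rule.Exclude.All},
	}
	var changed []string
	for _, g := range groups {
		for i, f := range g.filters {
			for j, k := range f.Resources.Kinds {
				if n := norm(k); n != k {
					f.Resources.Kinds[j] = n // slice shares the rule's backing array
					changed = append(changed, fmt.Sprintf("%s[%d].resources.kinds[%d]: %s -> %s", g.path, i, j, k, n))
				}
			}
		}
	}
	return changed
}

func main() {
	// Constructed input mirroring the second proof manifest (match.any configmap, exclude.any Pod).
	r := &Rule{Match: Block{Any: []Filter{{Resources: Resources{Kinds: []string{"configmap"}}}}},
		Exclude: Block{Any: []Filter{{Resources: Resources{Kinds: []string{"Pod"}}}}}}
	fmt.Println(NormalizeKinds(r, capitalize))
}
```

An empty result on a second pass confirms the rewrite is idempotent, which matters when the same policy is mutated more than once.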
Successfully merging this pull request may close these issues.

[BUG] Policy gets blocked if any/all is defined in match block